How to protect images while allowing display and download?

I need to allow users to upload, download and display on browser the private pictures. I have problem to display a single image on browser and download the generated zip file (of several images) while protecting these image/zip files.

Here are the approaches I tried:

  1. put the images under webroot/images/<userid>/<dates>/… and protect them (don’t allow unauthorized access): I am able to make everything works but don’t know how to protect the images from access by other unauthorized users. At worst, can I configure (in Apache)so that user can only access webroot/images/<userid>/<dates>/, not the parent folders: “webroot/images/<userid>/”?

  2. put images under protected and create a function in control as suggested in (yiiframework.com/forum/index.php/topic/18512-solved-how-to-display-protected-images/). I always get an error "The image cannot be displayed because it contains errors." when it is access from browser directly (e.g., mydomain/controller/method) or in view (use src="mydomain/controller/method"). Here is my function in control:

public function actionPhoto()

{

&#036;path=Yii::getPathOfAlias('application.uploads').DIRECTORY_SEPARATOR; 


     &#036;file= &#036;path.'005.JPG';


     if (file_exists(&#036;file))


    {


        &#036;img=getimagesize(&#036;file);


      


        header('Content-Type: '.&#036;img['mime']);


     //   header('Content-Type: image/jpeg');


     //  header('Content-Length: ' . filesize(&#036;file));


        


        readfile(&#036;file);


        exit;


    }  else echo Yii::getPathOfAlias('application.uploads');

}

  1. To store the images in MySQL database. I have spent lots time to try this option. Even I can make it work for store and display a single image, it will be issue to generate a zip file for multiple images and allow it to be downloaded by users. I may still need to put the zip files in a file folder.

  2. AssetManager: This isn’t a good option (based on my limit understanding) for my use case as the contents under assets will be public accessable and also take time to publish the assets.

Your suggestions and help are greatly appreciated.

Michael

Option 2 seems like the simplest one. I’m not sure what you’re doing wrong, it seems OK, maybe there are some white spaces? Check the headers of the request if everything is correct: http://www.seoconsultants.com/tools/headers

I got a black screen with the error which is difficult to see.

here is the header information. Please let me know if you need more information.

Your helps are greatly appreciated!

Michael

===

#1 Server Response: //webroot/index.php/content/photoHTTP/1.1 200 OK

Date: Wed, 18 Apr 2012 04:26:17 GMT

Server: Apache/2.2.21 (Win32) PHP/5.3.8

X-Powered-By: PHP/5.3.8

Set-Cookie: PHPSESSID=npkunt8sdheidc0mm6jv49fgk4; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Type: image/jpeg

============

headers look fine, does this happen with all images?

I found the cause. I need to clean up everything before the header() by:

ob_clean();

Thanks for your help.