Hi,
I have a directory with files in it; the files are named based on an ID in a database table, which the directory is synchronized with using PHP.
The trouble with this method is anyone can simply type …
1.zip
24.zip
They can download any file they want. Does anyone have any techniques for making a secure file download system?
Haensel
(Johannes)
Just a quick thought but you know who is logged in via Yii::app()->user->id. So you could add a method to your CWebUser class like
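    public function isOwnerOfFile($filename)
    {
        // (int)"24.zip" evaluates to 24, so this compares the numeric
        // part of the file name with the logged-in user's ID
        return $this->id==(int)$filename;
    }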
and in your controller
    public function actionDownload($filename)
    {
        // isOwnerOfFile() was added to the user component, so call it there
        if(!Yii::app()->user->isOwnerOfFile($filename))
            throw new CHttpException(403,'Not allowed');
    }