Laravel - 使用身份验证限制某些下载
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23195802/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Laravel - Restrict certain downloads using authentication
提问by user2551614
Lets say I want to make an application where users can upload private files to a laravel based website. I dont want to make their files available to public, but I want them to be able to download the files after they have logged in.
假设我想制作一个应用程序,用户可以将私人文件上传到基于 laravel 的网站。我不想将他们的文件公开,但我希望他们能够在登录后下载文件。
So I need to verify that they have logged in, and that they have the correct account ID to download a specific file. How can I create this restriction?
所以我需要验证他们是否已经登录,并且他们有正确的帐户 ID 来下载特定文件。如何创建此限制?
I have been looking around http://laravel.com/docswith no success, and with google search I was only able to obtain some vanilla PHP samples, but it seems messy to integrate into laravel, which way do you recommend me to do this?
我一直在浏览http://laravel.com/docs没有成功,通过谷歌搜索我只能获得一些普通的 PHP 示例,但是集成到 Laravel 中似乎很混乱,你推荐我做什么这个?
I may be overcomplicating the situation in my head, perhaps I could make a table in database with account id and path to file, and use Response::download($pathToFile); And restricting the uploaded files folder with .htaccess no allow?
我可能把情况复杂化了,也许我可以在数据库中创建一个包含帐户 ID 和文件路径的表,然后使用 Response::download($pathToFile); 并使用 .htaccess 限制上传的文件夹不允许?
(Assuming laravels Response::download method bypasses .htaccess) But even if that work it would probably be best to find a way to do this without .htaccess thought?
(假设 laravel 的 Response::download 方法绕过 .htaccess)但即使那样工作,最好找到一种没有 .htaccess 思想的方法来做到这一点?
EditI guess I will just store the files in the database as blob, and load it from there. That way I can easily do authorisation validation.
编辑我想我只会将文件作为 blob 存储在数据库中,然后从那里加载它。这样我就可以轻松地进行授权验证。
回答by vDk3
All you have to do is just store files in a private directory (eg. /app/files) and set correct headers.
您所要做的只是将文件存储在私有目录中(例如/app/files)并设置正确的标题。
$name = 'name.zip';
$file = '/app/files/name.zip';
$header = array(
'Content-Type' => 'application/octet-stream',
'Content-Disposition' => 'attachment',
'Content-length' => filesize($file),
'filename' => $name,
);
// auth code
return Response::download($file, $name, $header);
回答by Humble Hermit
I just came across this and maybe it can help someone too. I used this to "protect" my PDF documents to only logged in users.
我刚刚遇到了这个,也许它也可以帮助某人。我用它来“保护”我的 PDF 文档,只允许登录用户使用。
I put my files outsidethe storage/public folder (so non of it was accessable to the public). The Controller was protected by the 'auth' middleware in the constructor.
我将我的文件放在storage/public 文件夹之外(因此公众无法访问它)。控制器由构造函数中的“auth”中间件保护。
public function grab_file($hash)
{
$file = Publication::where('hash', $hash)->first();
if ($file) {
return Response::download(storage_path('app/publications/' . $file->filename), null, [
'Cache-Control' => 'no-cache, no-store, must-revalidate',
'Pragma' => 'no-cache',
'Expires' => '0',
], null);
} else {
return abort(404);
}
}
and route is;
路线是;
Route::get('/user/file/{hash}', 'UserController@grab_file');
Where Publicationstored the hash reference to the file. This way there was no way for the user to "see" where the actual file was.
凡出版存储的散列参考文件。这样用户就无法“看到”实际文件的位置。
The "no caching" headers made sure the browser didn't cache the PDF. I did that because after logging out, you can still access the file.
“无缓存”标题确保浏览器不会缓存 PDF。我这样做是因为在注销后,您仍然可以访问该文件。
回答by Mohamed Bouallegue
You can restrict the access to download pages using a pattern based filter
您可以使用基于模式的过滤器限制对下载页面的访问
Route::filter('download', function()
{
//here you check if the user is logged in
if(!Auth::check()){
return 'you should be logged in to access the download page';
}
});
Route::when('download/*', 'download');
check the documentationfor more details
查看文档以获取更多详细信息
