I want to deny access to particular directory to show list of files in it in the browser. For example, If I go to the url, localhost/myproject/assets, it will show all the list of files in it, I want to deny that. And also if logged in user access specific file in it, for ex : localhost/myproject/assets/uploads/img/1.jpg then it should be accessible.
Also how to deny access to a localhost/myproject/assets/uploads/img/1.jpg if that 1.jpg is uploaded by some other user.
I'm new to laravel ,Any help is much appreciated. thanks
You could add the following to the .htaccess file in the folder. This might help.
Options -Indexes
You cannot deny the access to the jpg uploaded by another user.
If you are using Apache, you can place a .htaccess file in the folder you want to block. Then you can use deny from all to block all requests to that folder.
This works because a .htaccess file can be in every directory in your web root, and only cares about the directory it is in and its subdirectories.
See this answer.
Related
I am extremely new to the concept of .htaccess, and I wanted to know how I could use it to allow a file to be used on a script on a .html file in the same directory as the .htaccess and the file. However, if you try to navigate to the file instead of viewing the script on the .html file, I would like it to be blocked. Thanks!
Update: Please see below comments!
Update 2: It seems that there is no way to achieve what I wished. That's ok, though. I just used a bunch of obfustication, and that seems to work well.
You are wanting to restrict access to a (script)file using htaccess so that a visitor can't directly link to the script file. Assuming this is working like described the visitor would load the HTML-file, the HTML-file would render and request the scriptfile....which will be blocked. So this isn't the way to go I reckon.
I would suggest changing the HTML-file to PHP when possible and include the script with a php include/require. This way the server-side code will determine what content is served.
Once you're including the file server-side you can prevent direct access to the file using htaccess by placing the code below inside your htaccess:
#Prevent Users From Accessing .inc* files in .htaccess
<Files ~ ".inc">
Order allow,deny
Deny from all
</Files>
In the above example direct access to .inc-files will be denied. Change this file-extension to your needs.
Inside your index.php file you'll need to include the file containing your script with something like:
include 'filewithscript.inc';
This should solve your problem.
I want to deny access to a folder from web using .htaccess, but I want give access to this folder inside the system.
I used deny from all in .htaccess file, it prevent the full access to the folder but I can't access the folder inside the system.
Thanks in advance
You could use allow and specify the adress to be allowed
Allow from 127.0.0.1
Users who log in to an admin area of a website need to be able to download files that have been previously uploaded by other admins. Public access to these files is not allowed.
The files are held in a directory called uploaded-files and there is a .htaccess in that folder:
<FilesMatch "\.(pdf|doc|docx|ods|xls|xlsx|ppt)$">
Order deny,allow
Deny from all
Allow from localhost
</FilesMatch>
That seems to work ok.. The public can't link to the files. The trouble is that the logged in admins can't link to them either because:
<a href"uploaded-files/abc.pdf">download</a>
gives a 403 forbidden when clicked. So it seems php/html files on the server can't access the files either.
What am I doing wrong? Surely there is an easy way to allow people on the server to download files via a link but still deny access to public?
I've tried keeping the files outside the public_html but I can't provide a link to that location either :(
You should keep these files outside your DOCUMENT_ROOT.
Download links should be via a PHP file e.g. <a href"http://domain.com/download-files.php?file=abc.pdf">download abc.pdf</a>
php code can check for auth part and allowed host etc. If all validations pass then return content of PDF with proper CONTENT type to the browser.
is there a way to deny outside access to my upload directory ?! I don't want users to access my upload directory : www.example.com/uploads
i used .htaccess in the root of my upload folder however all the links were broken
in my .htaccess :
deny from all
any solution ?
If you wish to disable directory listing, simply place 'Options -Indexes' in your htaccess.
You've applied a 'deny from all', which essentially stops ANYONE from accessing files in the directory to which it applies.
Also make sure that 'AllowOverride All' is specified in the vhost definition, otherwise you are unable to override settings via the htaccess file. That is my understanding anyway.
If you wish to disable access to the upload directory, and control which files in specific users can access, I'd recommend going through a script written in a language such as PHP. A user requests a file from the script, the script looks to see if they're allowed to view the file. IF they are, they file is displayed. IF they aren't then it is not.
References
http://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml
http://mathiasbynens.be/notes/apache-allowoverride-all
I have a module which enable user to upload photos to a certain path like
domain/media/img/uploadedFiles/
I would like to user can upload photo to this location but he cannot reach the uploaded photo by writing
domain.com/media/img/uploadedFiles/filename
I have achieved not to list the files in that path by using .htaccess file but If user knows the name of the uploaded file he can still reach that file.
Thanks
Assuming you're using Apache, you can block access to files in .htaccess too. For example:
<Files private.html>
Order allow,deny
Deny from all
</Files>
To prevent users from accessing any files in the directory, try putting an .htaccess file containing this inside the directory, which sets the default state to deny:
Order Allow,Deny
For more examples of specifying what resources you want to protect, see http://httpd.apache.org/docs/2.2/sections.html
See http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html for more information on access control with Apache.