douxi3977 2015-06-16 13:48
浏览 56
已采纳

Symfony2防火墙:保护/ web文件夹

I am developping a SF2 web-app which is fully behind a firewall: nobody shouldn't be able to see or modify anything before behing logged (except login form, of course).

So here is the firewall part of my security.yml file:

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main_login:
        pattern:   ^/login$
        anonymous: true
    main:
        pattern:        ^/
        anonymous:      false
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            path:       fos_user_security_logout
            target:     /

This works fine: if I type the url http://mywebsite.com/app.php/article/show/1 while unlogged, I am forwarded to the login page.

My problem is that I have some documents and media files located in Symfony's web directory (e.g. myapp/web/document/myTextFile.txt). They are accessible via my app for logged users, but also for non-logged users!

Anybody who types http://mywebsite.com/app.php/document/myTextFile.txt can download the file...

Why doesn't the pattern: ^/ line prevent this? Is the web folder excluded by default because it contains app.php and js/and css/ folder?

How do I protect my documents?


Update: Display protected images

I tried the solution suggested by Gerry, it works fine to protect the download of my documents.

However, I also have pictures in my document folder and I would like to display these pictures, directly included in the relevant pages.

For example, in http://mywebsite.com/app.php/article/show/1 there will be some text and the picture myapp/app/Resources/document/AAA.jpg, and in http://mywebsite.com/app.php/article/show/2 there will be some text and the picture myapp/app/Resources/document/BBB.jpg, etc.

I tried to do it with Assetic but it seems that it is done for "static" images (like top logo, or images which are not object-dependent).

A solution I see is to convert the image in Base64 and include it like this : <img alt="" src="data:image/png;base64(...)" />, but it seems really ugly...

  • 写回答

2条回答 默认 最新

  • doueta6642 2015-06-16 15:43
    关注

    The web directory is your public root directory, being served by the webserver (Apache/Nginx/...).

    By default any request to an existing file does not pass Symfony at all, so no firewall setting is going to prevent access to files residing in the web root.

    The clean solution is to move these files to another directory, outside the webroot, for example app/Resources/uploads. Then you could write a Symfony controller for downloading these files.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 unity腾讯云对象存储机型适配
  • ¥15 求全国交通咨询模拟代码,要求如下,可以完全在dev c++运行
  • ¥15 根据要求修改程序编码
  • ¥15 用 Python 做一个用 Excel 表导入的答题系统
  • ¥15 使用微信开发者工具实现一个“婚博会”小程序
  • ¥15 ros的rviz仿真机器人
  • ¥15 关于#linux#的问题(输入输出错误):出现这个界面接着我重新装系统,又让修电脑的师傅帮我扫描硬盘(没有问题)用着用着又卡死(相关搜索:固态硬盘)
  • ¥15 cv::resize不同线程时间不同
  • ¥15 web课程,怎么做啊😭没好好听课 根本不知道怎么下手
  • ¥15 做一个关于单片机的比较难的代码,然后搞一个PPT进行解释