Webserver structure folder structure question.

Cruorzy

So I've got a project which makes me think once again if I can do something about this.

It's a website for sharing some photos and videos: you upload your media, it gets named to a random MD5 hash and stored in a folder, and a record gets created in the database.

Then the permissions of the video/image get set to public or private (whatever the user wants); once it is private, only you and the other users you give access to can see it.

It's a really basic idea.

Now the other user that gets access to the photo or video can copy the link and try to share it; if he tries to share it with someone who isn't logged in or doesn't have the right permissions, he gets denied.

But if he takes 2 seconds to scroll through the page source, he can find the actual link to the image and send it to whoever he wants, and they are able to see it.

How can I prevent something like this?

Also a quick question someone could maybe explain: sometimes you see public/private folders in the html folder. Does the private folder contain like management files (sort of a back-end to manage your pages) and the public file contain just the normal website you make available to the visitors?

Thanks in advance!

Quote or mention me if not feel ignored 

You should serve the user the [link to the image/image itself] after verifying that the user has permission to view it. Verifying should be done server side, so the end user should never see more than the static page that he is meant to see. I once made the exact same thing you're trying to make now for a school project; let me see if I can find the code somewhere, I'll PM you when I do.

CPU: Intel Core i5 4690K @ 4.6Ghz CPU Cooler: Noctua NH-D15 GPU: GTX 1070 TI RAM: Crucial Ballistix Tactical 16GB (4x4) Mobo: ASUS Z97-PRO(Wi-Fi ac) PSU: Corsair RM Series RM750 Case: Fractal Design Define R4 no window

You could create yourself a folder that is outside the public html directory, where there is no access to it via a link, and then use the X-Sendfile mod for Apache to serve the file by setting a specified response header. So your PHP would check if the user has access, and then it would prepare the response headers to send such a file.
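
A sketch of the approach both replies describe, as an added example that is not code from the thread: pages link to a PHP endpoint rather than to the file, and the endpoint checks the permission record before handing a path outside the web root to mod_xsendfile. The table and column names, `MEDIA_ROOT`, the function name `authorizeMedia` and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example: schema, MEDIA_ROOT and the demo rows below are assumptions.
const MEDIA_ROOT = '/srv/media-private'; // assumed location outside the DocumentRoot

/** Returns [status, header lines] for a media request; no direct file URL exists. */
function authorizeMedia(PDO $db, ?int $userId, string $id): array
{
    // IDs are the 32-hex-character names given at upload; reject anything
    // else so the value can never carry a path separator or "..".
    if (!preg_match('/\A[a-f0-9]{32}\z/', $id)) {
        return [404, []];
    }
    $stmt = $db->prepare(
        'SELECT m.mime FROM media m
          WHERE m.id = :id AND (m.is_public = 1 OR m.owner_id = :owner
                OR EXISTS (SELECT 1 FROM media_access a
                            WHERE a.media_id = m.id AND a.user_id = :viewer))'
    );
    $stmt->execute([':id' => $id, ':owner' => $userId, ':viewer' => $userId]);
    $mime = $stmt->fetchColumn();
    if ($mime === false) {
        return [404, []]; // same answer for "missing" and "not allowed"
    }
    return [200, [
        'Content-Type: ' . $mime,
        'X-Content-Type-Options: nosniff',
        'Cache-Control: private, no-store',
        'X-Sendfile: ' . MEDIA_ROOT . '/' . $id, // Apache streams the file itself
    ]];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE media (id TEXT PRIMARY KEY, owner_id INT, is_public INT, mime TEXT);
           CREATE TABLE media_access (media_id TEXT, user_id INT);');
$id = md5('constructed-sample');
$db->exec("INSERT INTO media VALUES ('$id', 1, 0, 'image/jpeg');
           INSERT INTO media_access VALUES ('$id', 2);");
foreach ([1, 2, 3, null] as $uid) { // owner, shared user, other user, not logged in
    [$status] = authorizeMedia($db, $uid, $id);
    echo var_export($uid, true), ' => ', $status, PHP_EOL;
}
```

In the real endpoint `$userId` would come from the server-side session and each returned line would be passed to `header()`; mod_xsendfile also has to be enabled for that directory in the Apache configuration.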
