CakePHP: accessing restricted files after authentication

I have an ACL controlled application that uses the Media plugin to upload files to /app/webroot/media. When a file is uploaded, the dirname, basename and file name are written to the database.

I'm looking for a way to restrict access to /app/webroot/media, allowing users to only view the files associated with their user id after they have signed in. Currently, users can access other users' files, which is not at all ideal. Is there a best practice for this as far as CakePHP is concerned?

Any file under webroot will be publicly accessible if the user knows the URL. Store your files in a folder outside webroot and then render them through a controller action using CakeResponse::file(). This way you can control access to the action as required.
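A concrete version of the answer's approach, as an added example (not code from the question, the answer, or the Media plugin): a CakePHP 2.3+ controller action that looks the record up by both its id and the signed-in user's id, re-checks that the resolved path stays inside the storage directory, and streams the file with CakeResponse::file(). The `Attachment` model name, the `user_id` column, the `files/media` storage path and the `view` action name are assumptions; `dirname` and `basename` are the columns the question says the plugin writes.

```php
<?php
// Added example: serve an uploaded file only to the user who owns it.
// Assumes a hypothetical `Attachment` model with `user_id`, `dirname` and
// `basename` columns, AuthComponent already requiring a signed-in user,
// and files stored under APP/files/media, i.e. outside webroot.
App::uses('AppController', 'Controller');

class AttachmentsController extends AppController {

    public $components = array('Auth');

    public function view($id = null) {
        // Query by id AND owner: another user's record is simply "not found",
        // so the action cannot be used to read or enumerate other users' files.
        $file = $this->Attachment->find('first', array(
            'conditions' => array(
                'Attachment.id' => $id,
                'Attachment.user_id' => $this->Auth->user('id'),
            ),
        ));
        if (!$file) {
            throw new NotFoundException(__('File not found'));
        }

        // Storage root lives outside webroot, so the web server never serves
        // these files directly; only this action does.
        $root = realpath(APP . 'files' . DS . 'media');

        // Resolve the stored path and confirm it is still inside the root.
        // The plugin wrote dirname/basename, but the check costs nothing and
        // protects against a corrupted or hand-edited record.
        $path = realpath($root . DS . $file['Attachment']['dirname']
            . DS . $file['Attachment']['basename']);
        if ($root === false || $path === false || strpos($path, $root . DS) !== 0) {
            throw new NotFoundException(__('File not found'));
        }

        // Stream the file through the framework. 'download' => false lets
        // the browser render images inline; set it to true to force a download.
        $this->response->file($path, array(
            'download' => false,
            'name' => $file['Attachment']['basename'],
        ));
        return $this->response;
    }
}
```

Views or templates then link to `/attachments/view/<id>` instead of a path under `/media`, and the `media` directory can be removed from webroot once existing files have been moved.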