Website user account directory access

This problem is not really uncommon, but I don't really have an idea of how I can implement this. I have 500 registered users in my mini-forum, and they have files uploaded on my server. As my users have already mapped my directory structure on my web server, they were able to access the files uploaded by my registered users even though they don't own them. I use a PHP framework called Yii and MySQL to manage my users, but I want my users to be able to access only their own files and not the files of others. I'm thinking of using htaccess, but that approach is kind of obscure.

If you have any ideas or suggestions, please kindly post an answer ^^ Thanks.

Example: user "mami" has a folder named "mamifolder", but user "dadi" must not be able to access "mamifolder". User "dadi" can only access "dadifolder".

Solutions that I know of, but which have major cons:

1) Store all the files in the database (con: this has been considered really bad practice since the days of PHP 4; it's not really good practice, I think).

2) Protect the uploaded files with htaccess and let PHP serve the uploaded file (con: another bad practice, which makes a web app very slow to load. For example, private images would be loaded through PHP. What if many private images have to be loaded at the same time on the same page?).

I would say your only option is to move the files out of your public web directory and to use something like this. You just need to store the IDs of the files in the database, not the whole file.
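As an added illustration of this answer (not code from the original answer or from the Yii project): a plain PHP sketch of "files outside the web root, only IDs in the database". The `files` table, the `UPLOAD_DIR` path, the PDO connection and the session handling are all assumptions. The point is that the URL only ever carries a file ID, the on-disk name is random rather than user-chosen, and the owner check is part of the SQL query itself, so another user's file is simply not found.

```php
<?php
// Added example, not from the original answer. Assumptions: a PDO connection in $db,
// a table files(id, user_id, original_name, stored_name, mime_type), and an upload
// directory that is NOT under the document root, so the web server never serves it directly.
const UPLOAD_DIR = '/var/data/uploads';   // assumed path, outside the web root

function storeUpload(PDO $db, int $userId, array $upload): int
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Never reuse the client-supplied name on disk: a random name cannot be guessed,
    // and cannot smuggle "../" or a .php extension into UPLOAD_DIR.
    $storedName = bin2hex(random_bytes(16));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']) ?: 'application/octet-stream';
    if (!move_uploaded_file($upload['tmp_name'], UPLOAD_DIR . '/' . $storedName)) {
        throw new RuntimeException('could not move upload');
    }
    $stmt = $db->prepare(
        'INSERT INTO files (user_id, original_name, stored_name, mime_type) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$userId, basename($upload['name']), $storedName, $mime]);
    return (int) $db->lastInsertId();   // this ID is what goes into the download URL
}

function serveOwnFile(PDO $db, int $currentUserId, int $fileId): void
{
    // Ownership is enforced in the query: a file belonging to someone else does not
    // exist from this user's point of view. 404 rather than 403 avoids confirming
    // that the ID is valid at all.
    $stmt = $db->prepare(
        'SELECT original_name, stored_name, mime_type FROM files WHERE id = ? AND user_id = ?'
    );
    $stmt->execute([$fileId, $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit;
    }

    // Defence in depth: the stored name came from our own table, but still confirm
    // that the resolved path lies inside UPLOAD_DIR before reading it.
    $real = realpath(UPLOAD_DIR . '/' . $row['stored_name']);
    if ($real === false || strpos($real, realpath(UPLOAD_DIR) . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }

    header('Content-Type: ' . $row['mime_type']);
    header('Content-Length: ' . filesize($real));
    header('X-Content-Type-Options: nosniff');
    // rawurlencode keeps quotes and CR/LF from the original name out of the header.
    header('Content-Disposition: attachment; filename="' . rawurlencode($row['original_name']) . '"');
    readfile($real);
    exit;
}

// Usage (assumed session handling): the user ID comes from the authenticated
// session, never from the request; only the file ID comes from the URL.
// serveOwnFile($db, (int) $_SESSION['user_id'], (int) $_GET['id']);
```

On the performance worry from the question: the expensive part is not the authorisation query but pushing the bytes through PHP with `readfile()`. If the web server supports it, replace the `readfile()` call with an `X-Sendfile` (Apache mod_xsendfile) or `X-Accel-Redirect` (nginx) header so PHP only decides whether the request is allowed and the server streams the file from the private directory itself.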

For this you have to use Role-Based Access Control; fortunately, Yii provides a very strong RBAC implementation. Role-Based Access Control is your thing. You would have to use a business rule with it. There are one or more ways to do that, but this is the best one.

For example:

// $this->_authManager is the configured auth manager (e.g. Yii::app()->authManager)
// Operation: the low-level action being authorised
$this->_authManager->createOperation("updateHotel", "update Hotel information");
// Business rule: evaluated with $params at checkAccess() time; passes only for the owner
$bizRule = 'return Yii::app()->user->id == $params["model"]->user_id;';
// Task carrying the rule, with the operation as its child
$task = $this->_authManager->createTask("updateOwnHotel", "update hotel by manager himself", $bizRule);
$task->addChild("updateHotel");
// Role granted to managers; the task is its child
$role = $this->_authManager->createRole("manager");
$role->addChild("updateOwnHotel");

Now, what does the above code do? It creates an operation, updateHotel, and then creates a business rule that takes a parameter. Then you create the task that should be performed (in the example it is updateOwnHotel). Then you have to create the roles, for example manager or reader, whatever you intend to have, and make updateOwnHotel a child of the role.

When performing the operation in the application, you just need to call Yii::app()->user->checkAccess('updateOwnHotel', $params), which returns true or false depending on whether he can update that hotel or not. You can do something similar in your case.
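The hotel example above, carried over to the question's file-ownership case as an added example (not code from the original answer or from the Yii project). It assumes Yii 1.x with `CDbAuthManager` configured as `Yii::app()->authManager`, a `File` ActiveRecord model with `user_id`, `stored_name`, `original_name` and `mime_type` columns, an `uploadDir` application parameter pointing outside the web root, and the RBAC setup being run once from a console command or migration rather than on every request.

```php
<?php
// Added example, not from the original answer. Yii 1.x RBAC for "a user may read only
// their own uploaded files". Assumes Yii::app()->authManager is a CDbAuthManager and a
// File AR model with user_id, stored_name, original_name and mime_type columns.

// ---- one-time RBAC setup (console command / migration), mirrors the hotel example ----
$auth = Yii::app()->authManager;

// Operation: the low-level action.
$auth->createOperation('readFile', 'read an uploaded file');

// Task with a business rule. $params['file'] is the File model being requested;
// the rule passes only when the currently logged-in user owns it.
$bizRule = 'return Yii::app()->user->id == $params["file"]->user_id;';
$task = $auth->createTask('readOwnFile', 'read a file the user uploaded himself', $bizRule);
$task->addChild('readFile');

// Role: every registered member gets the task, and through it the operation.
$role = $auth->createRole('member');
$role->addChild('readOwnFile');

// Assign the role to a user; in practice do this when the account is created.
// User ID 1 is a placeholder.
$auth->assign('member', 1);

// ---- request-time check in the controller ----
class FileController extends CController
{
    public function actionDownload($id)
    {
        $file = File::model()->findByPk((int) $id);

        // checkAccess() walks member -> readOwnFile -> readFile and evaluates the
        // business rule with these $params; a file owned by someone else fails the
        // rule. Answer 404 either way so valid IDs are not confirmed to other users.
        if ($file === null || !Yii::app()->user->checkAccess('readOwnFile', array('file' => $file))) {
            throw new CHttpException(404, 'File not found.');
        }

        // uploadDir is an assumed application parameter pointing outside the web root.
        $path = Yii::app()->params['uploadDir'] . DIRECTORY_SEPARATOR . $file->stored_name;

        // Let the web server stream the bytes once PHP has authorised the request
        // (X-Sendfile / X-Accel-Redirect), so PHP does not proxy the file contents.
        Yii::app()->request->xSendFile($path, array(
            'saveName' => $file->original_name,
            'mimeType' => $file->mime_type,
        ));
    }
}
```

With this in place the directory listing the question describes is harmless: the private directory is not under the document root, and the only route to a file is `file/download?id=...`, which goes through `checkAccess()` and the owner rule. `xSendFile()` needs the corresponding module enabled on the web server; without it, fall back to `Yii::app()->request->sendFile()` and accept that PHP serves the bytes.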