[ColdBox 3.5.0] Protect access to a user folder


I need to protect a folder where users store their uploaded files. Each user has a dedicated folder, like user_234553/myfile.jpg. I want each user to be able to see only the files he has uploaded and not all the others, for privacy reasons.

So, how can I implement this? Should I use a security interceptor?

The answer will be in how the user is able to use the file. If you are controlling where files are uploaded, then I would imagine that if user X101 is logged in, the file is stored in his directory. If you are then controlling how they use the files, then I would guess that you load the files for that user from that directory only.

Other than that, you will then have to look at permissions on a directory and file level.

So other than the above information, you haven’t really given much of an idea of what you are really trying to do. So any advice at this stage is going to be similar to the above info.

I'll try to explain better.

I have an application where the user can upload files. Each user has a dedicated directory where his files are stored. I have a private area where each user can log in and create his album.

I use a module found on ForgeBox, Solitary, to create this private area. When a user is logged in, he can create, delete and modify his album. When a user is in his private area, I show him his files by querying the database and outputting his images. So, for example, user x11 will be shown the images from his directory. For example

But if user x15 is authenticated, he could try to access the URL securityArea/user_x11/myphoto.jpg. How can I prevent this? These are static files; I cannot control how they are displayed…

Well, as you SHOULD know, when dealing with images there is no way you can programmatically protect the file.

For example

Will be served by the web server and not ColdFusion, but you could do this

In which you could then check the logged-in user, and get the extension of the file somehow or pass it as

Whatever best suits you, and use cfcontent to deliver the image. The best thing is that the URL path is hidden and can also be placed out of the webroot as well.

But all that goes out the window, if any of these are to be publicly viewed.

And also what the users are going to be using these images for, which you don’t mention.
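
The approach in the last reply, sketched as a ColdBox handler. This is an added example, not code posted in the thread: the handler name `UserFiles`, the `name` URL parameter, the `session.userID` variable and the `uploadRoot` setting are assumptions. The user's directory is derived from the session only, so a logged-in user x15 has no way to name user_x11's folder in a request.

```cfml
<!--- handlers/UserFiles.cfc (added example; names are hypothetical) --->
<cfcomponent extends="coldbox.system.EventHandler" output="false">

    <cffunction name="show" access="public" returntype="void" output="false">
        <cfargument name="event" required="true">

        <!--- Only a bare file name comes from the request, e.g. ?name=myphoto.jpg --->
        <cfset var fileName  = event.getValue( "name", "" )>
        <cfset var mimeTypes = { jpg = "image/jpeg", jpeg = "image/jpeg", png = "image/png", gif = "image/gif" }>
        <cfset var fullPath  = "">

        <!--- Assumption: the login module stores the authenticated user's id in session.userID --->
        <cfif NOT structKeyExists( session, "userID" ) OR NOT reFind( "^[A-Za-z0-9]+$", session.userID )>
            <cfset deny( event, 403, "Forbidden" )>
            <cfreturn>
        </cfif>

        <!--- Whitelist the name: no slashes, no "..", exactly one known image extension --->
        <cfif NOT reFindNoCase( "^[a-z0-9_-]+\.(jpg|jpeg|png|gif)$", fileName )>
            <cfset deny( event, 404, "Not Found" )>
            <cfreturn>
        </cfif>

        <!--- The directory is built from the session, never from the URL.
              "uploadRoot" is a hypothetical setting pointing to a folder outside the webroot. --->
        <cfset fullPath = getSetting( "uploadRoot" ) & "/user_" & session.userID & "/" & fileName>
        <cfif NOT fileExists( fullPath )>
            <cfset deny( event, 404, "Not Found" )>
            <cfreturn>
        </cfif>

        <!--- ColdFusion streams the file itself; the real path never appears in a URL --->
        <cfcontent type="#mimeTypes[ listLast( fileName, '.' ) ]#" file="#fullPath#" deleteFile="false">
    </cffunction>

    <cffunction name="deny" access="private" returntype="void" output="false">
        <cfargument name="event" required="true">
        <cfargument name="code" required="true">
        <cfargument name="text" required="true">
        <!--- Send only a status line and skip view rendering --->
        <cfheader statuscode="#arguments.code#" statustext="#arguments.text#">
        <cfset event.noRender()>
    </cffunction>

</cfcomponent>
```

Image tags in the private area would then point at the handler's event (for example `index.cfm?event=UserFiles.show&name=myphoto.jpg`) instead of at a path under the webroot.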