I’m building a site that allows an admin to upload files, each of which is associated with a client account. How can I limit file access to the intended client?
I assume that client details and file details are kept in a database. A client can have a number of files, so you want to set up a one-to-many relationship between a client record and file records.
Your client logs in and your application gets the file records associated with that client. Only the files for the logged-in client are shown. You’ll need to watch out for SQL injection once the client has logged in, but other than that it shouldn’t be too hard to make sure that a client can view only their files.
Direct access to the files must be disabled, either by the server configuration or by placing them above the document root.
Interesting. In either case, how would an authorized client go about downloading a file associated with their account if direct access is disabled? I get how I would place them above the document root, but which server config option would I need to modify to prevent access?
In either case, how would an authorized client go about downloading a file associated with their account if direct access is disabled?
That’s another question. Described thousands of times in this forum though.
But disabling direct access is the only way to achieve your goal; it’s the thing to start from.
which server config option would I need to modify to prevent access?
Deny From All
for the Apache webserver.
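
The approach discussed in this thread, sketched as an added example that is not part of any post above: files live in a directory with no direct web access, and a download handler looks up the requested file with the logged-in client's ID in a parameterized query before it touches the disk. The language (Python with SQLite), the table and column names, the storage path and the function names are all assumptions made for illustration.

```python
import sqlite3
from pathlib import Path

# Assumed storage location: outside the document root (or denied by server config).
STORAGE_ROOT = Path("/srv/private_uploads")

def open_db():
    """Constructed sample data: one-to-many relationship, client -> files."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE files (id INTEGER PRIMARY KEY,
                            client_id INTEGER REFERENCES clients(id),
                            stored_name TEXT, display_name TEXT);
        INSERT INTO clients VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO files VALUES (10, 1, 'a1f3.bin', 'invoice.pdf'),
                                 (11, 2, 'b7c9.bin', 'contract.pdf'),
                                 (12, 2, '../../etc/passwd', 'bad-row.txt');
    """)
    return db

def list_files(db, session_client_id):
    """Only the files of the logged-in client are ever listed."""
    rows = db.execute(
        "SELECT id, display_name FROM files WHERE client_id = ? ORDER BY id",
        (session_client_id,))
    return rows.fetchall()

def resolve_download(db, session_client_id, requested_file_id):
    """Return the on-disk path to stream, or None if not owned or not safe."""
    # The client ID comes from the server-side session, never from the request.
    # Bound parameters keep the request value out of the SQL text.
    row = db.execute(
        "SELECT stored_name FROM files WHERE id = ? AND client_id = ?",
        (requested_file_id, session_client_id)).fetchone()
    if row is None:
        return None  # same answer for "no such file" and "someone else's file"
    root = STORAGE_ROOT.resolve()
    path = (STORAGE_ROOT / row[0]).resolve()
    # Defence in depth: refuse any stored name that escapes the storage directory.
    if root not in path.parents:
        return None
    return path
```

The handler then streams the returned path to the client itself, so the web server never exposes the storage directory by URL.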