DO NOT use the public folder to upload certain files: protect your files in storage in Laravel

Downloading files is a common feature in software development. Allowing the download of certain files based on some internal control determined by the business rules of your application is a common requirement: for example, selling files that you host in the application, which the user can download once they have purchased them. For this, the application verifies the payment and only then allows the download.

The important thing to note here is that these files cannot be hosted in the public folder as if they were an image uploaded by the upload process we saw before, since anyone who knows the name of the file could access it directly.

Remember that in a Laravel project the only folder that is served publicly is precisely the public folder; therefore, for files whose access we want to control, this folder must not be used.

We can upload files to any folder in the application, not just the public folder, which is particularly useful for these scenarios where we want to control access to the files. For example, to use the storage folder we create a disk accordingly:

config/filesystems.php

'files_sell_uploads' => [
  'driver' => 'local',
  // storage/ itself: outside the web root, and not the storage/app/public directory that storage:link exposes
  'root' => app()->storagePath()
],

The file upload would be something like this (`$this->fileBook` holds the uploaded file):

function uploadBook()
{
   // mimes: checks the MIME type guessed from the file's content, not just the client-supplied extension
   $this->rules = [
       'fileBook' => 'nullable|mimes:epub,pdf|max:20024'
   ];

   $this->validate();

   if ($this->fileBook) {
       // Name is generated server-side; note that time() collides if two uploads land in the same second
       $name = time() . '.' . $this->fileBook->getClientOriginalExtension();
       // Written to storage/book/<name> through the private disk, never to public/
       $this->fileBook->storeAs('book', $name, 'files_sell_uploads');

       YourModel::create([
           'file' => $name,
           'type' => $this->fileBook->getClientOriginalExtension(),
           ***
       ]);

   }
}

And in this example I show you that, based on some condition the user must meet,

if ($filePayment && $file)

we allow the file to be downloaded:

Storage::disk('files_sell_uploads')->download('book/' . $file->file, "book." . $file->type);

It is important to clarify that the only way to reach these files over HTTP is through the previous function: the storage folder is not served publicly, so the only way for a user to obtain these files is for us to implement an access layer like that function. One caveat: if you have run `php artisan storage:link`, the `storage/app/public` directory is symlinked from `public/storage` and is therefore public; the disk above points at `storage/` itself, so keep protected files out of `storage/app/public`.

In short, the scheme presented above works well if you want to develop an online store in your application where the files to be sold are stored in the application itself. The complete download action looks like this:

public function downloadFile(File $file)  //show
{
   // Works for both session (web) and Sanctum (API token) authentication
   $user = auth()->user() ?? auth('sanctum')->user();

   // Business rule: this user has paid for this file
   $filePayment = FilePayment::where(***)->first();

   $file = File::where(***)->first();

   if ($filePayment && $file) {
       // The second argument sets Content-Disposition, so the internal file name is not exposed
       return  Storage::disk('files_sell_uploads')->download('book/' . $file->file, "book." . $file->type);
   }

   // errorResponse is a custom response macro of this project
   return response()->errorResponse("", 403, 'Product not purchased or does not exist');
}
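As an added example (my own code, not the author's), here is the same pattern as a complete route plus invokable controller. Everything named here is an assumption: hypothetical `Book` and `BookPayment` models (with `file`, `type`, `title` and `user_id`, `book_id`, `paid_at` columns), the route name, and the `files_sell_uploads` disk from the config above. It goes beyond the page in three ways: the route sits behind the `auth` middleware so unauthenticated requests never reach the payment check; the stored name is a server-generated UUID rather than `time()` (which collides within a second) or the client's file name; and the path handed to `Storage` is built from the database value only after `basename()`, so a tampered row can never walk out of `storage/book/`.

```php
<?php
// ===== routes/web.php (added example; all names are assumptions) =====
use App\Http\Controllers\BookDownloadController;
use Illuminate\Support\Facades\Route;

// 'auth' middleware: anonymous requests get redirected/401 before any business rule runs
Route::middleware('auth')
    ->get('/books/{book}/download', BookDownloadController::class)
    ->name('books.download');

// ===== app/Http/Controllers/BookDownloadController.php =====
namespace App\Http\Controllers;

use App\Models\Book;        // assumption: id, file (stored name), type (extension), title
use App\Models\BookPayment; // assumption: user_id, book_id, paid_at (null until the payment clears)
use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\StreamedResponse;

class BookDownloadController extends Controller
{
    // Disk rooted at storage/ (see config/filesystems.php); nothing symlinks it into public/
    private const DISK = 'files_sell_uploads';
    private const DIR  = 'book';

    public function __invoke(Request $request, Book $book): StreamedResponse
    {
        $user = $request->user();

        // Business rule: a completed payment by this user for this specific book.
        $paid = BookPayment::where('user_id', $user->id)
            ->where('book_id', $book->id)
            ->whereNotNull('paid_at')
            ->exists();

        // 403, not 404: route-model binding already returned 404 for unknown books;
        // here the book exists but this user is not entitled to it.
        abort_unless($paid, 403, 'Product not purchased.');

        // Defensive: the stored name comes from our own DB, but basename() guarantees
        // it cannot contain "../" and escape storage/book even if a row were tampered with.
        $path = self::DIR . '/' . basename($book->file);

        abort_unless(Storage::disk(self::DISK)->exists($path), 404);

        // Second argument sets Content-Disposition, so the internal UUID name is never exposed.
        $downloadName = Str::slug($book->title) . '.' . $book->type;

        return Storage::disk(self::DISK)->download($path, $downloadName);
    }

    /**
     * Storing side, to be called after validating with 'mimes:epub,pdf'.
     * Name is generated by the server; the extension comes from the detected MIME type
     * (UploadedFile::extension()), never from the client's file name.
     */
    public static function storeBook(UploadedFile $file): string
    {
        $name = Str::uuid()->toString() . '.' . $file->extension();
        $file->storeAs(self::DIR, $name, self::DISK);

        return $name; // persist this in Book::$file
    }
}
```

To confirm the file is not reachable without the controller, request it directly (for example `curl -I https://your-app/storage/book/<name>.pdf`): it must return 404, because `public/storage` only ever points at `storage/app/public`, and nothing points at `storage/book/`.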

Video Transcript

I wanted to quickly show you an implementation that I find very interesting that we have here in Laravel. Although you can really take it to any framework, here it is important to know how these types of frameworks work, especially those based on PHP, which only have one folder with public access; everything else is protected. And this is important because we can take advantage of it for what I want to show you in this video, which is to be able to host files, through an upload process for example, which we already know, in a protected way.

So here I show you a little bit what the implementation is. Obviously I already have the download process here; I'll see if I can find it here quickly: Control+P, "Book", and it would be this one. Well, you can see that I develop my project freely and use it here. I'm going to go down a bit and one day I'll find the part here. Look, it's the process that I've taught you, that I always follow in the course, in which once we have the object here, then we start to work with it a little bit. In this case it is to create a file here. Well, there are some, as they say, some models that may not come as much as the case, but the important thing is the process. Download that I have here, in a file called fileBook, and really little more to say here; you can see that it is the normal process, and we store it in some location that is, as I always show you, using one of the disks. This disk, unlike what we always use, which is the public folder (and that is why I began indicating to you what was commented, that we can store files in any other location; usually we do it from the public folder), in this case what I am accessing is the storage path. Why the hell am I doing this? Because this implementation that I am showing you is for the sale of books that I have here in desarrollolibre.net. So I explain this to you because surely, if you implement an application in Laravel, you will surely want to have files that are not accessed publicly, since the problem with this folder is that it is precisely public; therefore anyone can access it regardless of whether they have the URL, since if they know what the name of the file and the location are, even if you do not want to give them access, they simply come here.

I am going to show it to you here quickly. All these images that appear here are in the public folder, so if I right-click here to see "open image in new tab", here you can see that it is accessing them, because again they are in a public folder, which in my case would be the one I have here: public, image, example. Well, and here follow the location and, ah, you have the image. But if you are selling a resource, in my case a book, or it is simply a management-type application in which you have some Excels or something like that, important, that you do not want to be accessed by anyone who has access to that application; you don't want that, you want them to be protected. That is to say, you want the important thing, based on certain business rules (in my case, that the user has bought the book), to be what gives access to them. Obviously, again, you cannot do this if the folder is public. Of course you can hide the image, that is to say, you can hide the resource and give it a strange name based on time, something like that, but you can always access it regardless of whether it is showing it, listing it, as me, in a public way, in this case by an image, or it is protected. For example, if I had access, copy URL, relative, so that you understand a little what I am indicating, I am going to copy all this from "example". Note that it is from here, "example", that I placed it twice. Well, in the other, slashes, let's see if I can, I can, I can... it should appear there. It is there, you see. That is to say, I am accessing a resource in a public way, and if you have a file, for example a PDF, here it will appear; if you have an Excel, here it will download, etcetera, because you are accessing the same one.

So at this point I hope it has at least become clear that if you want to protect certain files, either because they are an online store, as in my case, or because they are part of some accounting files or something like that, you cannot store them in this folder, because again you can access them regardless of what you implement here in your project in Laravel. And that is why I used protected folders, which are any other than the public one; in this case I wanted to use the storage one, which is where I store the books, and here are all the books. How do I access them? Well, based on a simple function, which is the one found here, which is the one that leads to the end: when a person buys a book from me, I come here, log in, here I am, I am in my books, I for example have this one, well, and I bought myself whatever; here it can appear, Compared, and everything else. It appears here again. If they were in the public folder, anyone who knows the name of this file could access it, but this gives you the advantage when it is a closed folder. Although by default you cannot access it, that is, search for it again: if you put "storage" in the URL nothing will appear, since by default it tries to access the public one. And to access them, what I do is a function, a single function in my case because I only need one, that based on some business rule, in this case that there is a payment, is what lets me access the book that I have purchased and from here download it. Here you can see a little bit of the implementation; well, excuse the comments here that were for tests, I have not finished cleaning it. I access the authenticated user, I verify if the user bought the book, as you can see, based on the conditions that I have; I access the resource, which is the one it wants to access here, and if both exist, both the book and the payment, well, go ahead and download it. That's what I'm doing here; if you don't go through the checkout, basically that's what I tell you. And therefore I can come here easily and download the file that I acquired, and that simple, I was able to set up an online store for the books in my application.

- Andrés Cruz
