I have a system where employees can upload files. There are three ways:
1. Upload to my account in public, private or protected mode
2. Upload to department account in public, private or protected mode
3. Upload to organization account in public, private or protected mode
where public is visible to anyone, private to the group or person only and protected to anyone in the organization.
All the files for an organization are stored in a directory, say /files/<organizationId>/, on the file server, like:
files
+-- 234809
|   +-- img1.jpg
|   +-- doc1.pdf
+-- 808234
|   +-- doc2.pdf
I am storing the file path and privacy level in the DB. So, I can control whether to show a link to a file URL to a user on a given page.
The problem is, I do not have any control over the file's URL... so, if someone types the URL to img1.jpg in his browser's address bar, there is no way to know whether a logged-in user is eligible to see img1.jpg.
Any suggestion?
It's a Java application. However, there's a separate instance of Glassfish working as the file server. Since the app is not released yet, we are open to adopting a better file access strategy.
The users who are accessing the files may or may not be logged in. But we can always authenticate a user by redirecting to the login page if we know that the file being accessed is private or shared.
Thanks
Nishant
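
The following is an added example, not part of the original post: one way to make the access decision described above in the application before any file bytes are served, assuming the file directory is no longer exposed directly by the file server and every download request passes through this check. All class, field and method names (FileRecord, User, decide, resolve) and the sample IDs are hypothetical, as is the reading that a private organization-account file is visible to that organization's members; it needs Java 17 or later.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

// Added example: authorization decision taken before a file is streamed.
public class FileAccessCheck {
    enum Visibility { PUBLIC, PROTECTED, PRIVATE }
    enum OwnerType { USER, DEPARTMENT, ORGANIZATION }
    enum Decision { ALLOW, LOGIN_REQUIRED, DENY }

    // Row loaded from the DB by file path (hypothetical columns).
    record FileRecord(String orgId, String name, OwnerType ownerType,
                      String ownerId, Visibility visibility) {}
    // Session user (hypothetical); a null User means an anonymous request.
    record User(String id, String orgId, Set<String> departmentIds) {}

    static Decision decide(FileRecord f, User u) {
        if (f.visibility() == Visibility.PUBLIC) return Decision.ALLOW;
        if (u == null) return Decision.LOGIN_REQUIRED;          // log in, then re-check
        if (!f.orgId().equals(u.orgId())) return Decision.DENY; // different organization
        if (f.visibility() == Visibility.PROTECTED) return Decision.ALLOW;
        // PRIVATE: only the owning person or group may read the file.
        return switch (f.ownerType()) {
            case USER -> f.ownerId().equals(u.id()) ? Decision.ALLOW : Decision.DENY;
            case DEPARTMENT -> u.departmentIds().contains(f.ownerId())
                    ? Decision.ALLOW : Decision.DENY;
            case ORGANIZATION -> Decision.ALLOW; // same organization verified above
        };
    }

    // Map a record to its on-disk path; reject anything outside /files/<organizationId>/.
    static Path resolve(Path root, FileRecord f) {
        Path orgDir = root.resolve(f.orgId()).normalize();
        Path target = orgDir.resolve(f.name()).normalize();
        if (orgDir.equals(root) || !orgDir.startsWith(root)
                || target.equals(orgDir) || !target.startsWith(orgDir))
            throw new SecurityException("path escapes organization directory");
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/files"); // constructed sample data below
        FileRecord img = new FileRecord("234809", "img1.jpg",
                OwnerType.DEPARTMENT, "dept-7", Visibility.PRIVATE);
        User member = new User("u1", "234809", Set.of("dept-7"));
        User outsider = new User("u2", "808234", Set.of());
        System.out.println("anonymous: " + decide(img, null));
        System.out.println("member:    " + decide(img, member));
        System.out.println("outsider:  " + decide(img, outsider));
        System.out.println("path:      " + resolve(root, img));
    }
}
```

The check is repeated on every request, including the one that follows the login redirect, so a URL typed into the address bar gets the same decision as a link rendered on a page.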