views:

162

answers:

3

.htaccess files are not my strong point.

I have document uploads going to /uploads. The user should be able to view the documents they've just uploaded by clicking on the document link that appears via ajax after uploading is completed.

However, I would like to be able to password protect the /uploads folder BUT still enable the current user to view the clicked document without having a password request appear.

Is this possible to do in .htaccess?

Thanks for any suggestions.

+1  A: 

You could use cookie based authentication (mod_auth_cookie) to grant access via htaccess for a particular location.

I am not sure if setting the cookie path to the specific file will work, but its worth a try.

You are better off doing this in the app layer though.

EDIT: This may be a better solution

Matt
A: 

I don't think this is possible in .htaccess - since .htaccess has no way of knowing which user uploaded which files. Even if it did (e.g. by putting files in uploads/username/), I don't think .htaccess files are the way to go. I think you'll probably want to enforce this at the application level.

Dominic Rodger
+2  A: 

Unless you are using HTTP auth to authenticate your user before the upload, this probably cannot be simply done with just .htaccess. You need to know file's owner and compare it with current user, which is way beyond the scope of usual web server's capabilities.

If you may use Nginx or Lighttpd, you may use X-Accel-Redirect/X-Sendfile header. There's also a module for Apache2 called mod_xsendfile. Make all request to /uploads transparently pass through your application, verify access then tell web server to send file. While this requires the ability to configure the web server (which is sometimes not possible) this is probably the most correct and universal solution.

Here are some useful links:

drdaeman