perl-asp mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rich...@crosswired.co.uk
Subject Security implemention question
Date Fri, 03 Jan 2003 09:59:06 GMT
Hi all.
   I am working on an application for which there are two levels of user.
User level 1 must upload files to the server, and user level 2 must be able
to download any files uploaded by users of level 1.
I have already implemented page level security to restrict each level user to
the pages for which they are authorised. My problem is that for user level 2
to be able to download these files, they must be placed somewhere within the
webroot.  I want to prevent user level 1 from downloading these files as they
are only intended for downloading by users of level 2.

The only idea I had was to store all files outside of the webroot, and when a
user of level 2 wants to download these files, they are copied to somewhere in
the webroot, with a filename such as
"$current-PID_$current-unixtime_$filename".  Furthermore, periodically, (every
hour for example), delete all files in this folder which are older than an
hour.  

This way, by also preventing directory listing of this folder, the only way a
user of level 1 could get these files would be to guess the PID, unix
timestamp, and filename, all within an hour (before they are cleaned away
again).
This I dont think is very likely.

Can anyone either point out any major problems with this approach, or
alternatively (preferably), suggest a better alternative ?
In case it makes any difference to peoples ideas/views, I am not using Apache
for access control.  Users authenticate against a database, then on each page
they visit, their user level (taken from the session object) is checked
against the access level required for that page.

I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 5.6.1

Thanks for any advice / feedback

Richard



---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org


Mime
View raw message