CodeIgniter Forums
Restricting /assets to non logged in users - Printable Version



Restricting /assets to non logged in users - paulfst - 08-29-2020

Good evening,

I have been using Codeigniter 4 for some time now and I am very happy with it!
I have recently noticed the following problem, so I am asking for your advice:

I have pictures in the /assets/Pictures directory which have to be there so that they can be loaded in a HTML page with a <img>-tag.
But these pictures should only be visible for users who are logged in to my site.
Is there a way to restrict the images this way?
If I move them to another directory outside the assets folder, I can't see them anymore with <img>.

I would be very grateful for any help!

Have a nice evening,
Paul :)


RE: Restricting /assets to non logged in users - jreklund - 08-29-2020

You need to move them and make a PHP-reader class, that you point your <img> tags to.

So all users visiting e.g. /assets/myimage.jpg will actually visit a Controller named Assets that will look for myimage.jpg inside your hidden folder, check if they are logged in and display it, by reading the entire image into memory and setting jpeg headers.


RE: Restricting /assets to non logged in users - paulfst - 08-30-2020

(08-29-2020, 12:18 PM)jreklund Wrote: You need to move them and make a PHP-reader class, that you point your <img> tags to.

So all users visiting e.g. /assets/myimage.jpg will actually visit a Controller named Assets that will look for myimage.jpg inside your hidden folder, check if they are logged in and display it, by reading the entire image into memory and setting jpeg headers.

Hi jreklund,

thanks for the fast response!

I am clear about creating a Controller for this purpose but I struggle with reading the image into memory and setting a jpeg header for it.
Can you link me an example?

This would help me out a lot!

Thanks and enjoy your weekend,
Paul


RE: Restricting /assets to non logged in users - jreklund - 08-30-2020

Hi, I'm afraid I don't have a working example in CodeIgniter 4 to show you, but I threw something untested together.

It's not the most optimal way, as it reads the ENTIRE image into memory, so depending on your image sizes you can run out of memory, so you should read it in chunks of 1MB. But that means implementing your own Response class e.g. StreamResponse that you can chuck your bits out.
@see sendBodyByFilePath in DownloadResponse.

PHP Code:
<?php
use CodeIgniter\Files\Exceptions\FileNotFoundException;

// Inside a controller method:
try
{
    // https://codeigniter.com/user_guide/libraries/files.html
    // https://www.php.net/manual/en/class.splfileinfo.php
    // Second argument true: throw FileNotFoundException if the file does not exist.
    $file = new \CodeIgniter\Files\File('myimage.jpg', true);

    if($file->isReadable())
    {
        // https://www.php.net/manual/en/splfileinfo.openfile.php
        $fileObj = $file->openFile('r');

        // Reads the whole image into memory.
        $imageString = $fileObj->fread($file->getSize());

        if($imageString === FALSE)
        {
            // Throw an error...
        }

        // https://codeigniter.com/user_guide/incoming/message.html#setHeader
        // https://codeigniter.com/user_guide/outgoing/response.html#setting-the-output
        return $this
            ->response
            ->setStatusCode(200)
            ->setHeader('Content-Type', $file->getMimeType())
            ->setHeader('Content-Length', (string)$file->getSize())
            ->setBody($imageString);
    }

    // Throw error as your image could not be read.
}
catch(FileNotFoundException $e)
{
    // Do some error checking
}
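
The controller approach described in this post, as an added example that is not code from the thread or from the CodeIgniter project: it checks the session before touching the file, confines the lookup to a directory outside the web root, and streams the image through DownloadResponse. The route, the `user_id` session key and the `writable/pictures` directory are assumptions.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\Files\File;

// Assumed route (app/Config/Routes.php):
//   $routes->get('pictures/(:segment)', 'Assets::picture/$1');
class Assets extends BaseController
{
    // Assumption: images were moved to writable/pictures, outside the public/ web root.
    private const IMAGE_DIR = WRITEPATH . 'pictures';
    private const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

    public function picture(string $name)
    {
        // Assumption: the login code stores 'user_id' in the session.
        if (session()->get('user_id') === null) {
            return $this->response->setStatusCode(403);
        }

        // basename() strips directory parts, realpath() resolves symlinks and "..";
        // the prefix check then confirms the file really sits inside IMAGE_DIR.
        $base = realpath(self::IMAGE_DIR);
        $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . basename($name));
        if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || ! is_file($path)) {
            throw PageNotFoundException::forPageNotFound();
        }

        // Serve only real images, judged by content rather than by file extension.
        $mime = (new File($path, true))->getMimeType();
        if (! in_array($mime, self::ALLOWED_MIME, true)) {
            throw PageNotFoundException::forPageNotFound();
        }

        // download() with null data returns a DownloadResponse that streams the
        // file from disk in chunks instead of loading it all into memory.
        // It adds Content-Disposition: attachment; <img> tags still render the image.
        return $this->response
            ->download($path, null)
            ->setHeader('Content-Type', $mime)
            ->setHeader('X-Content-Type-Options', 'nosniff');
    }
}
```

Because the check runs on the image request itself, a direct request for the picture URL without a session gets a 403 regardless of which page links to it.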




RE: Restricting /assets to non logged in users - Omar Crespo - 09-05-2020

Hi, why don't you use the simplest restriction, check if there's a session opened, if not, redirect the "intruder" to the public page. This is usually set on the header template.


RE: Restricting /assets to non logged in users - jreklund - 09-05-2020

@Omar Crespo: I can't see how that would work for images and files. You can't just say process it as normal if you have asked PHP to handle it.


RE: Restricting /assets to non logged in users - Omar Crespo - 09-06-2020

(09-05-2020, 10:22 PM)jreklund Wrote: @Omar Crespo: I can't see how that would work for images and files. You can't just say process it as normal if you have asked PHP to handle it.

Usually, you have the images posted on a view, so, if the user isn't logged in, then he will be redirected to the login page.

You won't be restricting the images, you'll be restricting the view that holds the images. After all, only logged-in users should have access to the private pages of your website.