in reply to Perl CGI - Viewing logfiles - Security Issues

Just a thought...

It appears that you need the server to step in here!

Controlling access to the directories and files is its job. Even though we may have to help it out as much as possible, it is still up to the server to handle this.

We do this by placing an empty index.html, default.html or whatever your server requires as the natural "default" file to load if the directory is accidentally accessed by itself. The html file should have the head, title, body tags (with or without a message) and the proper closing tags as well. This just gives them a blank page in their browser.

Also, look at placing a -Indexes and other directory access controlling allow/deny parameters in a separate .htaccess file in ANY directory you do not want the server to return a listing of to a browser. Your scripts run under a different id/permission and can bypass the .htaccess.

http://httpd.apache.org/docs/1.3/howto/htaccess.html is a good reference link to read more on this subject.

Ahhh, but they may be nosy and know the pattern and type it in directly, including the logfile name.

To solve this, combine the first cgi that handles the login and returns a filtered list of the files you want them to see with an .htaccess file in the directory to serve a 403 Forbidden on a direct directory access.

Using the second cgi script activated by the link/s to get and spit out the logfile results. You can still meet the requirements of the soft links by linking to the new script that gets the data for the file the user chooses.

My only caution on this is to make sure that the path to the file is as hard coded as possible, as you want to prevent Reverse Directory Traversal. You will have to do some pattern matching on the input to look for anything that is a \, ., ../, or other cracking pattern/technique. If you do get a pattern match, deny any further execution of the script and make a separate log entry in a file for you to review later. Don't get caught up in filtering it out and substituting to be a nice guy, just deny the execution, make them go back and do it right. We don't want to help the wrong group of users here.
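
A sketch of the check described in the post above, added here as an example and not part of the original reply: the requested name is matched against an allow-list, anything else is refused and written to a separate review log, and nothing is cleaned up and retried. The function names, the `.log` suffix rule, the temporary directory layout and the sample request names are all assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Demo stand-ins: a real script would hard-code both paths.
my $BASE       = tempdir(CLEANUP => 1);
my $LOG_DIR    = File::Spec->catdir($BASE, 'logs');
my $DENIED_LOG = File::Spec->catfile($BASE, 'denied.log');
mkdir $LOG_DIR or die "mkdir $LOG_DIR: $!";

# Append one line per refused request; escape the value so it cannot
# forge extra lines in the review log.
sub record_denial {
    my ($name, $remote) = @_;
    (my $safe = $name) =~ s/([^\x20-\x7e]|[\\"])/sprintf('\\x%02x', ord $1)/ge;
    open my $fh, '>>', $DENIED_LOG or die "open $DENIED_LOG: $!";
    printf {$fh} "%s denied remote=%s file=\"%s\"\n", scalar(gmtime), $remote, $safe;
    close $fh or die "close $DENIED_LOG: $!";
}

# Return the path under $LOG_DIR for an acceptable name; otherwise log the
# refusal and return undef. The name is never cleaned up and retried.
sub resolve_logfile {
    my ($name, $remote) = @_;
    $name = '' unless defined $name;
    # Allow-list: a bare file name ending in .log, so \, /, "..", a leading
    # dot, NUL bytes and newlines all fail the match.
    unless ($name =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\.log\z/ && $name !~ /\.\./) {
        record_denial($name, $remote);
        return undef;
    }
    my $path = File::Spec->catfile($LOG_DIR, $name);
    return -f $path ? $path : undef;    # valid name, but no such file
}

# Constructed demo: one sample log file and a set of requested names.
open my $out, '>', File::Spec->catfile($LOG_DIR, 'access.log') or die "open: $!";
print {$out} "constructed sample line\n";
close $out;

for my $req ('access.log', '../denied.log', '..\\access.log', 'logs/access.log',
             '.htaccess', "access.log\nforged entry", 'missing.log') {
    my $path = resolve_logfile($req, '192.0.2.10');    # documentation address
    print defined $path ? "200 serve $path\n" : "403 Forbidden\n";
}
```

In a CGI script the name would come from the request parameter and the refusal branch would send the 403 status before exiting.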