Restricting Access

Perobl has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks.

I'm building an online document management system using Perl & MySQL. I plan to store uploaded files to a directory on the server. All of the metadata about these files will be stored in a DB table (including the file paths pointing to the files). A Perl script governs the process. Target server is Apache.

I'd like to restrict access to the directory where the files will be stored. I'm guessing the best way to do this is via .htaccess. Please correct me if I'm wrong.

Assuming I set this up via .htaccess, how do I still permit my Perl script to allow users to upload files to the server? In other words, I'd like to permit the script to upload files at the user's request while simultaneously preventing unscrupulous users from accessing (viewing) the files directly simply by keying in the URL. The data is sensitive.

Thank you!

Comment on Restricting Access

Replies are listed 'Best First'.
Re: Restricting Access by ikegami (Patriarch) on Aug 30, 2010 at 17:47 UTC
Access control requires two things: authentication and authorisation. Apache can do basic and digest authentication (authentication), and Apache can control which user can access which script (authorisation). Both of these can be configured via htaccess. If that authorisation isn't fine grained enough for you (i.e. you want to control access to records, not to urls), you can do the autorisation in the Perl script by grabbing the authenticated user from `$cgi->remote_user`. You could also do the authorisation yourself if you wish to wish to allow users to logout or become other users. This is a bit more involved since it requires maintaining a state over multiple requests. This is usually done using a session.	[reply] [d/l]
Re: Restricting Access by JavaFan (Canon) on Aug 30, 2010 at 17:21 UTC
I miss the Perl question here. How you map URIs to file names is a matter of server configuration. Note that if there's no mapping of an URI to a file name, there's no way a user can access a file by typing in a URI. You can find Apache server documentation here.	[reply]
Re: Restricting Access by aquarium (Curate) on Aug 30, 2010 at 23:26 UTC
Regardless of any .htaccess for login controls..a combination of the apache config and OS file permissions on the script itself will yield the result you're after. simply having a apache config directive to not allow www access to a directory prevents direct access via browser to the directory...and this directive doesn't affect permissions for your script, as these are OS file permissions. all the machinations of the perl script happen before the presentation layer stuff occurs, the apache config being part of the presentation layer setup. and then later you have the actual browser/client and any associated javascript etc. the hardest line to type correctly is: stty erase ^H	[reply]
Re: Restricting Access by locked_user sundialsvc4 (Abbot) on Aug 30, 2010 at 21:48 UTC
At the risk of stating the very obvious thing here ... “that’s been done before.” Why, then, are you building “Yet Another Online Document Management System?”