[Question] Securing Images and Downloads

[lucadegasperi]

Hello,
As part of a project that handles sensitive images/documents how would you go about making sure that only the right users can view a certain media?

Currently my idea is the following:

• Store everything in the storage/app folder instead of the public one.
• Make sure that the generated url for a media is /media/{media-id}-filename.extension
• Create a controller that handles all the calls coming in from /media
• In the controller run the policy of the model connected to the media, and either return the media or return an error.

My doubts are the following:

• Is this solution secure and well performing?
• Is there a way to defer the download and check for permissions to something like S3, or the file has to be obligatorily streamed from my server in order for me to check for permission?

Thank you for your time!

[freekmurze]

This package doesn't handle anything regarding permissions, that's something you should handle yourself in your app.

A pragmatic way to go about this is to let the medialibrary use unguessable urls. You could for example use a path generator to obfuscate all urls.

Here are the docs on path generators:
https://docs.spatie.be/laravel-medialibrary/v6/advanced-usage/using-a-custom-directory-structure

And here's an example of a path generator from the tests:
https://github.com/spatie/laravel-medialibrary/blob/5.0.0/tests/PathGenerator/CustomPathGenerator.php