
I’m currently facing an issue with profile image access in my CodeIgniter 4 (ci4) application. After a user logs in, they can access the "Match Profile" and "View Profile" pages, and this functionality is working as expected. However, there’s a problem: if someone shares a direct URL to a profile image, it can be viewed without logging in.

I want to ensure that profile images cannot be viewed without being logged in.

2 Answers


  1. Chosen as BEST ANSWER
    <?php
    
    namespace App\Controllers;
    
    use CodeIgniter\Controller;
    use CodeIgniter\Exceptions\PageNotFoundException;
    use CodeIgniter\Files\File;
    
    class ImageController extends Controller
    {
        public function viewImage($imageName)
        {
            // Start session
            $session = session();
    
            // Check if the user is logged in
            if (!$session->has('userid')) {
                // Redirect to the login page or show a 403 error
                return redirect()->to('/');
            }
    
            // Drop any directory component so a name like "../.env" cannot leave the image directory
            $imageName = basename($imageName);
    
            // Define the path to the image (a directory outside public/, so the web server never serves it directly)
            $filePath = WRITEPATH . '../profile_img/' . $imageName;
    
            // Check if the file exists
            if (!is_file($filePath)) {
                throw PageNotFoundException::forPageNotFound();
            }
    
            // Serve the file as a response
            $fileInfo = new File($filePath);
            return $this->response->setHeader('Content-Type', $fileInfo->getMimeType())
                                  ->setBody(file_get_contents($filePath));
        }
    }
    

  2. You can store your images outside the public directory, which can be accessed by anyone, and serve them using a controller in which you can check if the user is logged in. This is an example of a controller you can create:

    <?php
    
    namespace App\Controllers;
    
    use CodeIgniter\Exceptions\PageNotFoundException;
    
    class UserImages extends BaseController
    {
        public function index($image)
        {
            // basename() drops any directory part, so "../" in the URL cannot reach files outside "private"
            $image = basename($image);
            // replace "private" with another directory if you prefer
            $imageName = ROOTPATH . "private/" . $image;
            // check the session before touching the filesystem; isLoggedIn() is a method, so it is called via $this
            if ($this->isLoggedIn() && is_file($imageName)) {
                $mime = mime_content_type($imageName);
                header('Content-Length: ' . filesize($imageName));
                header("Content-Type: $mime");
                header('Content-Disposition: inline; filename="' . $image . '";');
                readfile($imageName);
                exit();
            }
            throw PageNotFoundException::forPageNotFound();
        }
    
        protected function isLoggedIn(): bool
        {
            // replace this with your session variable
            return (bool) session()->get('your session value goes here');
        }
    }
    

    You’ll also need to create a folder named "private" in the root of your project where you can store the images and you’ll need to add the route to your Routes.php file.

    Credits to this answer for the code I used to return the image.

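Both answers leave the route and the login check as an exercise. The following is an added example, not code from either answer or from the CodeIgniter project, showing the idiomatic CodeIgniter 4 way to wire that up: a route whose placeholder accepts only a bare image file name, and a route filter that rejects unauthenticated requests before the controller runs, so the check cannot be forgotten on a second image route. The filter class name `LoginFilter`, the alias `login`, the URL prefix `profile-image` and the session key `userid` (taken from the first answer) are assumptions; the controller referenced is `ImageController::viewImage` from the first answer.

```php
<?php
// app/Filters/LoginFilter.php (assumed file and class name; adjust the session key to your login code)

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class LoginFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // 'userid' is the session key the first answer sets at login (assumption)
        if (! session()->has('userid')) {
            // An <img> tag cannot follow a redirect to an HTML login page in a useful way,
            // so an image route answers with 403 and an empty body instead of a redirect.
            return service('response')->setStatusCode(403);
        }
        // Returning nothing lets the request continue to the controller.
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do once the image has been sent.
    }
}

// app/Config/Filters.php: register the alias inside the existing Filters class, next to the
// default entries (csrf, toolbar, honeypot, ...), so routes can reference the filter by name:
//
//     public array $aliases = [
//         // ... existing aliases ...
//         'login' => \App\Filters\LoginFilter::class,
//     ];

// app/Config/Routes.php: the custom regex placeholder only matches a plain file name with an
// image extension, so "../", nested paths or ".php" names are rejected by the router and never
// reach the controller. $1 is the captured file name passed to viewImage().
$routes->get(
    'profile-image/([A-Za-z0-9_-]+\.(?:jpe?g|png|webp))',
    'ImageController::viewImage/$1',
    ['filter' => 'login']
);
```

With this in place a template references the image as `<img src="<?= site_url('profile-image/' . $user->avatar) ?>">`, and a shared link to the same URL returns 403 for anyone without a session. Keeping the `basename()` call inside the controller as well means the controller stays safe even if a later route exposes it with a looser placeholder.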