htaccess and url variables

deshg · Joined: 29 Mar 2007 Posts: 4

Hey everyone, i think i'm writing in the correct forum, my apologies if i'm not. I have an htaccess file that controls user access to numbered zip files within a directory (so there are files 1.zip, 2.zip, 3.zip and users could have access to none, one, some or all of them. Currently these are split into folders (also named 1,2,3 etc) and each has an htaccess file which is identical to the others except the group require line matches the folder/zip name, hence confirming the current user is a member of that section and should be able to access it (via an authentication table within my mysql db).
This was fine when i only had a couple of files so i would manually copy and paste the htaccess file and change the group require line. Now i am adding a lot more zip files using a web interface and i really really do not want to have to copy and edit a new htaccess file for each one. As a result what i wanted to do was put an htaccess file in one directory with all the zip files (still numbered 1.zip, 2.zip...) and then have the group require value be pulled from the url. ie the zips are always accessed via mysite.com/zips/download=2 for 2.zip or download=3 for 3.zip. If it could pull this url variable and use that for group require then that would be perfect.

Problem is i don't think it's possible to access url variables using htacess (from what i just read on another post in this forum and on the net). That being the case can anyone suggest how i can go about doing this?

If it's not possible the only way i can think of is to use a php script to automatically write the htaccess file on the fly when the new zip sets are being created/uploaded and then placing it in the relevant directory. It seems a little dangerous allowing a php script to alter the htaccess file and also a little unnecessary to repeat the htaccess file continually when it's almost identical though?

I would really, really appreciate any pointers anyone could give as this has got me really stumped!

Thanks very much in advance everyone,

Dave

dcz · Posted: Fri Mar 30, 2007 9:34 am Post subject: Re: htaccess and url variables

And welcome Very Happy

What you seem to want to do is simple :

deshg · Joined: 29 Mar 2007 Posts: 4

Thank you very much for your reply, but i don't think i explained what i was trying to do clearly. My htaccess file is as follows:

AuthType Basic
AuthName "access"
AuthMYSQLhost localhost
AuthMYSQLuser user
AuthMySQLPassword pass
AuthMySQLDB db
AuthMySQLUserTable table
AuthMySQLNameField FUsername
AuthMySQLPasswordField FPassword
AuthMySQLGroupTable TSubscription
AuthMySQLGroupField FAccessSection
AuthMySQLEnable On
AuthMySQLPwEncryption none
require group xxx

So i am doing the file authentication inside the htaccess file, preventing users that shouldn't downloading files. The download.php file causes the actual file download. The problem is i want to take the variable out of the url and put it dynamically in the bottom line of htaccess file where xxx is, rather than using it in a url rewrite. I'm not sure if this is even possible!?

Any thoughts on this would be much appreciated, my apologies i wasn't more clear the first time around Smile

,

Dave

dcz · Posted: Fri Mar 30, 2007 12:39 pm Post subject: Re: htaccess and url variables

Well, pretty much everything is possible with mod_rewrite, but I'm not sure it's the most adapted in your case. And you'd need a script still to do it I think, called through the RewriteMap command.

PHP is a lot more flexible to deal with SQL and authorisations.

It would be quite simple I think to just send an id to a php file, check if user is logged in and has enough privilege and send the proper file (from the id) with a simple readfile and proper headers.

++

deshg · Joined: 29 Mar 2007 Posts: 4

That makes perfect sense, the problem is though if i do that won't it allow people (if they can find the direct url) to directly access the zip files (not via the php script) and download them irrelevant of their membership level because there's no actual htaccess protection on the files?

Thanks,

Dave

dcz · Posted: Sun Apr 01, 2007 2:06 pm Post subject: Re: htaccess and url variables

That's where running a download manager such as pafiledb can be a solution.
Of course this require some coding to reuse your current user base, but this can really be faster than recoding a download manager from scratch, and I really think that the Apache based trick you started using is reaching its limits.

With such application, you could set up precise authorisations, report broken links, give moderating rights and etc ...

Now, it's not necessarily adapted if you really run per/user based authorisations where every user would have a special set of files, potentially all different from others.

It looks like you need to redesign your download application, this require to know exactly what type of authorisations you'd be willing to provide and eventually to modify the first plans a bit.

My advise is to think about it well before you decide, you don't want to run in the same type of problem once your needs really becomes huge. The solution should be final and this can involve redesigning most of what's used now, thus time.
But it is worth it if the solution is final.

++

deshg · Joined: 29 Mar 2007 Posts: 4

Thank you very much for your help, i just wanted to let you (and anyone else should it be of any interest) that i have written a php script that outputs the .htaccess file into an automatically created directory appending the directory name to the group require line in each case hence allowing directory/zip specific download rights control to be per user per zip file. This seems to work absolutely perfectly and unless there is some security issue that i'm not thinking of it seems to be a good solution (albeit involving slightly more directories than the one originally intended, which turned out to be impossible).

Anyway thanks again so much for your help, if you have any thoughts that this may be insecure then i'd be very interested to hear them, otherwise thanks very much again,

Dave

dcz · Posted: Tue Apr 03, 2007 11:29 pm Post subject: Re: htaccess and url variables

Well I guess it's ok to do as you do as long as you take care about CHMOD a bit.

Would be better I think if you'd CHMOD your .htaccess back to 0644 after you've created it, just in case you didn't.

++