How to check if user is authenticated to access script

[SnapDaddy]

Greetings All,

I have a custom php script that will download a file outside of web root to prevent direct URL access to that file.

My Question: What code should I add to my download script to only allow access to users in a particular user group or groups?

Thanks! 

[Ruud]

You can try checking the $_SESSION['groups'] data that should have a list of the assigned groups for the current user.

Another option is to use the Gallery module and put it in a page available to one or more groups.

[SnapDaddy]

Thanks Ruud,

I'm using Download Gallery 2 now. Even though I have the page to the DLG set to registered, you can still access the files directly via URL because they need to be within the media folder. I don't want to use .htaccess for obvious reasons. I want to use WB's registered users / groups.
 
Will the Gallery module you suggested allow non-direct access to the files?

Essentially, I'm needed to protect documents (PDF, doc, xls, etc.) that have our dealer / dist pricing and make them only accessible by registered dealers / dist in their respective groups. 

[SnapDaddy]

Ruud,

Just followed the link to the developer's page. It's a newer version of the same download gallery I'm already using. Unfortunately, It doesn't state if it supports files located outside of web root (public_html).

For now, my only option would be to continue down the path with a custom script that will download file outside of root and make sure I can limit access to script by user / group.

If anyone else has other suggestions, that would be helpful! 

[Ruud]

If your script is included in WB someway (like using include() in a code page) you should be able to use the session variables of WB.

Code: [Select]

$_SESSION['USER_ID'];
$_SESSION['USERNAME'];
$_SESSION['GROUPS_ID'];  //(comma seperated list of assigned groups)

If your script has to run external only you can try to hook in the WB session by setting the session_name that WB uses. (different for each installation, something like "wb_nnnn_session_id" ) All browsers currently have some debugging info (press F12) where you can find the session cookie name.

These few lines will show the assigned session variables.

Code: [Select]

<?php 
session_name('wb_9210_session_id');
session_start();
var_dump($_SESSION);
?>If you see the assigned session variables you should be able to use it in your script this way.

[CaptainRob]

Hello SnapDaddy,

To secure files in your media directory, you can use the script mentioned in this thread:

http://www.WebsiteBaker.org/forum/index.php/topic,17482.0.html

Greetings,
Rob

[benos]

Hello,

I have exactly  the same problem.

Does any one can re-explain simply the final solution, if any works?

Thanks a lot for your help...