Actually I have a TCPDF form, where users can generate a PDF.
Is there any way to grant access to this file only to whoever generated the PDF?
It is quite complicated for a user to find another PDF (he needs to find the exact filename based on a certain timestamp...), but it is quite dangerous...
Any idea?
Hi enzo.orsi,
Save the PDFs in a folder above the site root so that they are not directly accessible. Create a database table (if you don't already have it) to link the user ID and the file name.
Check the table to see that the current user has access before sharing the files.
Bob
Sorry, maybe I was not clear.
I will not share any files...
I mean, I am afraid that some users will try to put the name of a document in the browser address bar, changing the timestamp... he needs to try several times, but maybe he can find and open a PDF... if he is lucky or if he has some tool to try several times...
What do you think? Is it stupid?
Hi enzo.orsi,
Yes, it is sensible - and the solution I suggested will work. You might also add a random string to the PDF name to make it harder to guess.
Bob
Apart from the hardness to guess... I am not really sure I understood your solution... is it valid if someone puts the PDF name in the address bar of the browser?
Hi enzo.orsi,
No, if the files are in a folder above the site root, then they can't be accessed by URL.
Bob
Hi enzo.orsi,
No, you are correct - please see my earlier posts
Bob
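The approach suggested in this thread (PDFs stored outside the web root, a table linking user ID to file name, a random file name, and an ownership check before the file is sent), as an added example that is not code from any poster. The `user_pdfs` table, the paths, the SQLite database and the `$_SESSION['user_id']` key are assumptions.

```php
<?php
// download.php -- added example; table, column and path names are assumptions.
declare(strict_types=1);
session_start();

const PDF_DIR = '/var/www/private_pdfs';   // assumed path, outside the web root

// Call right after generation, e.g. with $pdf->Output('', 'S') from TCPDF,
// which returns the document as a string instead of writing it to a URL path.
function store_pdf(PDO $db, int $userId, string $pdfBytes): string
{
    // Random name instead of a timestamp, so names cannot be enumerated.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    file_put_contents(PDF_DIR . '/' . $name, $pdfBytes, LOCK_EX);
    $db->prepare('INSERT INTO user_pdfs (user_id, file_name) VALUES (?, ?)')
       ->execute([$userId, $name]);
    return $name;
}

// Returns the full path only if $userId owns $name; otherwise null.
function owned_pdf_path(PDO $db, int $userId, string $name): ?string
{
    // Accept only names in the format store_pdf() creates (blocks ../ tricks).
    if (!preg_match('/\A[0-9a-f]{32}\.pdf\z/', $name)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM user_pdfs WHERE user_id = ? AND file_name = ?'
    );
    $stmt->execute([$userId, $name]);
    if ($stmt->fetchColumn() === false) {
        return null;                       // not this user's file
    }
    $path = PDF_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

// --- request handling: download.php?file=<name> ---
if (!isset($_SESSION['user_id'])) { http_response_code(403); exit; }
$db = new PDO('sqlite:/var/www/private/app.db');   // assumed database location
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$path = owned_pdf_path($db, (int) $_SESSION['user_id'], (string) ($_GET['file'] ?? ''));
// Same 404 for "missing" and "not yours", so guessing reveals nothing.
if ($path === null) { http_response_code(404); exit; }
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="document.pdf"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this layout a file name typed into the address bar never reaches the PDF directly; every request goes through the script, and the ownership lookup decides whether any bytes are returned.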