DEV Community

Shaikh Al Amin

Securing files/images in Laravel

If you put a file in the public folder, it is accessible to anyone who knows the file name: the nginx/Apache rewrite rules used by Laravel only apply to non-existent files, so Laravel is never run when an existing file is requested.

So restricted files still have to live somewhere outside the public folder. The storage folder is one option, but ultimately the exact location doesn't matter.

And yes, you should just use Response::download.

Make a small FileController:

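```php
<?php

namespace App\Http\Controllers;

class FileController extends Controller
{
    public function __construct()
    {
        // Every action on this controller requires an authenticated user.
        $this->middleware('auth');
    }

    public function getFile($filename)
    {
        // A null fourth argument leaves the Content-Disposition header unset.
        return response()->download(storage_path($filename), null, [], null);
    }
}
```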

Passing null as the fourth argument of download() prevents the Content-Disposition header from being set to attachment, so your browser won't ask you to save the file but will just show it.

Then add a route:

```php
Route::get('file/{filename}', 'FileController@getFile')->where('filename', '^[^/]+$');
```

And that's it. Now your authenticated users can download files from the storage folder (but not its subfolders) by calling http://yoursite.com/file/secret.jpg. And you can use this URL in the src attribute of an image tag.
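The route constraint is the only thing keeping a request inside the storage folder, and it only excludes `/`. As an added example (not code from the original post), the helper below resolves the requested name inside one dedicated directory and checks containment after symlink resolution; the function name `resolvePrivateFile` and the `private_files` directory are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. resolvePrivateFile() and the
// "private_files" directory are hypothetical names chosen for this sketch.

function resolvePrivateFile(string $baseDir, string $filename): ?string
{
    // Reject separators of either OS, NUL bytes, and dot-prefixed names (".", "..", ".env").
    if ($filename === '' || $filename[0] === '.' || preg_match('#[/\\\\\0]#', $filename)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $filename); // follows symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null; // missing file or directory: the caller should answer 404
    }

    // After symlink resolution the file must still sit directly in $base.
    return dirname($path) === $base ? $path : null;
}

// In the post's controller this would replace the direct storage_path() call:
//   $path = resolvePrivateFile(storage_path('private_files'), $filename);
//   if ($path === null) { abort(404); }
//   return response()->download($path, null, [], null);

// Constructed demo data: a temp directory standing in for the storage folder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir("$root/private_files", 0700, true);
file_put_contents("$root/private_files/secret.jpg", 'image-bytes');
file_put_contents("$root/.env", 'APP_KEY=constructed');
@symlink("$root/.env", "$root/private_files/link.jpg"); // link pointing outside the directory

foreach (['secret.jpg', '../.env', '..\\.env', '.env', 'link.jpg', 'missing.jpg'] as $name) {
    $resolved = resolvePrivateFile("$root/private_files", $name);
    printf("%-12s => %s\n", $name, $resolved === null ? 'rejected' : 'served');
}

// Remove the constructed files again.
@unlink("$root/private_files/link.jpg");
unlink("$root/private_files/secret.jpg");
unlink("$root/.env");
rmdir("$root/private_files");
rmdir($root);
```

The `auth` middleware only establishes that the caller is logged in; if files belong to individual users, an ownership check still has to run before the download is returned.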
