Just for a brief overview. I have a system that can generate invoices and has a login system for a user to generate his/her invoices. Let's say the platform resides at /platform and the invoices in /platform/invoices, and the platform is at the domain www.example.com. People can log in and generate their invoices, which effectively generates the invoice in the invoices folder and then, via the URL www.example.com/invoices/invoicename.pdf, downloads the file. The invoices folder is publicly accessible to allow the system to grab the file.

However, if for example clientA navigated to www.example.com/invoices/invoicename-ownedbyclientB.pdf, he would be able to download an invoice that did not belong to him.

I can certainly do things to mitigate this, such as deleting the invoice after generation and download to keep the folder clean, disallowing indexes on directories to stop easy navigation, or changing the system so that files are sent via email as opposed to downloaded to a system directory.

On the system side I can easily limit what people have access to, as they are authenticated, but what would be the best way to deal with the above situation? I have considered using htaccess or similar in this directory to ensure that calls originate from the server itself (I haven't checked if this is possible, just an assumption at the moment).
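The usual fix for the situation described above is to keep the PDFs outside the web root and serve them only through an authenticated handler that checks the logged-in user owns the requested invoice. The following is an added illustration, not the asker's code: the storage path, the file-name pattern and the in-memory ownership table are constructed assumptions standing in for the platform's real database and framework.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example: invoices live OUTSIDE the web root, so the web
# server never serves them directly; only this handler can read them.
INVOICE_DIR = "/srv/platform-private/invoices"   # assumed path

# Constructed ownership records standing in for the platform's database:
# invoice file name -> id of the user who owns it.
INVOICE_OWNERS = {
    "INV-1001.pdf": "clientA",
    "INV-1002.pdf": "clientB",
}

# Only a plain file name is accepted, so nested paths and ".." segments
# are rejected before anything touches the filesystem.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.pdf$")

@dataclass
class Decision:
    allowed: bool
    status: int             # HTTP status the handler would return
    path: Optional[str]     # absolute path to stream when allowed

def authorize_download(session_user: Optional[str], requested: str) -> Decision:
    """Decide whether the logged-in user may fetch this invoice."""
    if session_user is None:
        return Decision(False, 401, None)        # not logged in
    if not SAFE_NAME.fullmatch(requested):
        return Decision(False, 400, None)        # malformed name
    owner = INVOICE_OWNERS.get(requested)
    # Same response for "not yours" and "does not exist", so a caller
    # cannot tell which invoice names are in use.
    if owner is None or owner != session_user:
        return Decision(False, 404, None)
    base = os.path.realpath(INVOICE_DIR)
    path = os.path.realpath(os.path.join(base, requested))
    # Belt and braces: the resolved path must still sit inside INVOICE_DIR.
    if os.path.commonpath([path, base]) != base:
        return Decision(False, 400, None)
    return Decision(True, 200, path)

if __name__ == "__main__":
    print(authorize_download("clientA", "INV-1001.pdf"))   # allowed
    print(authorize_download("clientA", "INV-1002.pdf"))   # 404, not the owner
```

With this in place the /invoices directory no longer needs to be web-accessible at all, which removes the need for an htaccess rule there.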