I need to allow users to upload files with sensitive data to a server, then invite other authenticated users to access specific files.
This is my proposed solution:
Each user will have his own folder to which he uploads files, and the parent folder will have an .htaccess with deny all to block direct access. (This already works well.)
Then, an invited user will get a generated SHA1 invitation ID, and the URL will be something like download/[sha1]/file. I can then use my controller to check if this invitation exists in the database for this authenticated user. If it does, I get the file, and based on the file extension I give the appropriate header for file download.
Example:
localhost/[whatever]/download/[some_hash]/test.txt

invitation_table:
  invite_id - unique ID
  invite_token - sha1 which will be generated by his unique email concatenated with other data
  invite_invited - logged user invite
  invite_user - user who invited the user
Based on the hash, I query the db and get the invite_user data and then I know in which directory I have to get the file because there can be multiple files on the server with the same name in different directories.
Is this a good approach?
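
The lookup described in the question, sketched as an added example (not the poster's code): the token must match the logged-in user, and because the file name comes from the URL it is confined to the inviter's folder before anything is served. Assumptions: Python with SQLite stands in for the poster's stack, user ids are integers used as folder names, and resolve_download, build_demo and the sample rows are constructed for illustration.

```python
import os
import sqlite3
import tempfile

def resolve_download(db, upload_root, auth_user, token, filename):
    """Return the real path of the file to serve, or None to answer 404."""
    if "\x00" in filename:
        return None
    # The invitation must match both the URL token and the logged-in user.
    row = db.execute(
        "SELECT invite_user FROM invitation_table "
        "WHERE invite_token = ? AND invite_invited = ?",
        (token, auth_user),
    ).fetchone()
    if row is None:
        return None
    # Assumption: invite_user is an integer id that names the owner's folder.
    owner_dir = os.path.realpath(os.path.join(upload_root, str(int(row[0]))))
    candidate = os.path.realpath(os.path.join(owner_dir, filename))
    # Reject names that resolve outside the inviter's folder (../, symlinks,
    # absolute paths); realpath collapses them before the comparison.
    if os.path.commonpath([owner_dir, candidate]) != owner_dir:
        return None
    return candidate if os.path.isfile(candidate) else None

def build_demo():
    """Constructed data: users 1 and 2 each own a test.txt; user 1 invited user 3."""
    root = tempfile.mkdtemp()
    for uid in ("1", "2"):
        os.mkdir(os.path.join(root, uid))
        with open(os.path.join(root, uid, "test.txt"), "w") as fh:
            fh.write("owner " + uid)
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invitation_table (invite_id INTEGER PRIMARY KEY, "
        "invite_token TEXT UNIQUE, invite_invited INTEGER, invite_user INTEGER)"
    )
    db.execute("INSERT INTO invitation_table VALUES (1, 'tok-constructed', 3, 1)")
    return db, root

if __name__ == "__main__":
    db, root = build_demo()
    for user, name in [(3, "test.txt"), (2, "test.txt"), (3, "../2/test.txt")]:
        print(user, name, "->", resolve_download(db, root, user, "tok-constructed", name))
```

With the table as posted, the invitation identifies the inviter but not a particular file, so a valid invite reaches every file in that folder unless a file column is added and checked as well.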