How to recover an image of the Storage Folder without passing parameter in the Laravel Route?
My current code is working, but I'm having security problems because when I pass the parameter on the route the logged in user can see the image of another user by the URL if he knows the path.
Controller
public function getAccount()
{
return view('account', ['user' => Auth::user()]);
}
public function postSaveAccount(Request $request)
{
$this->validate($request, [
'email' => 'required|email|max:100'
]);
$user = Auth::user();
$old_email = $user->email;
$user->email = $request['email'];
$user->update();
$file = $request->file('image');
$file_email = $request['email'] . '-' . $user->id . '.jpg';
$old_file_email = $old_email . '-' . $user->id . '.jpg';
$update = false;
if (Storage::disk('local')->has($old_file_email)) {
$old_file = Storage::disk('local')->get($old_file_email);
Storage::disk('local')->put($file_email, $old_file);
$update = true;
}
if ($file) {
Storage::disk('local')->put($file_email, File::get($file));
}
if ($update && $old_file_email !== $file_email) {
Storage::delete($old_file_email);
}
return redirect()->route('account');
}
public function getUserImage($file_email)
{
$file = Storage::disk('local')->get($file_email);
return Response::make($file,200,[ 'Content-Type' => 'image/jpeg']);
}
Route
Route::get('/account', [
'uses' => 'UserController@getAccount',
'as' => 'account'
]);
Route::post('/upateaccount', [
'uses' => 'UserController@postSaveAccount',
'as' => 'account.save'
]);
Route::get('/userimage/{file_email}', [
'uses' => 'UserController@getUserImage',
'as' => 'account.image'
]);
View
@if (Storage::disk('local')->has($user->email . '-' . $user->id . '.jpg'))
<section class="row new-post">
<div class="col-md-6 col-md-offset-3">
<img src ="{{ route('account.image', ['file_email' => $user->email . '-' . $user->id . '.jpg']) }}"
alt =""
class="img-responsive"
>
</div>
</section>
@endif
GitLab Repository link
I believe that this is the solution even more I can not say that the logged in user id === id, should I be passing something can anyone help? I've tried this approach at last
public function getUserImage($file_email)
{
$user = Auth::user();
$id = $this->getIdByFileName($file_email);
if($user->id === $id){
$file = Storage::disk('local')->get($file_email);
return Response::make($file,200,[ 'Content-Type' => 'image/jpeg']);
} else {
// devolve o response com status 401
}
}
Private Method
private function getIdByFileName($fileName){
$fileEmailArray = explode($fileName,"-");
$id = explode($fileEmailArray[count($fileEmailArray)-1],".")[0];
}