Hi,
I see the problem that it's quite difficult to prevent unauthorized access to uploaded files (usually in the folder /images).
When a person has the URL to an image or another file that has been uploaded (also saved there), that person is able to access the file even if the person has no permission to access the table concerned. Here (viewtopic.php?f=11&t=2856&p=15242#p9355) is how this can be prevented, but I have a feature request that this should be changed.
Instead of linking to the file directly, please link to a download script only.
A nice description with example code can be found here: https://www.web-development-blog.com/ph ... le-script/
Each time the user sees an "image" there would also be the need for the use of a script, as the "image" might not be in the webroot but somewhere on a path that is inaccessible by URL.
Also this would introduce changes to the upload behavior as uploaded files may be placed outside the webroot.
I see some work here, but this has been done many times before (e.g. Moodle (moodle.org), an open source learning management system, uses this approach) and it would make uploaded files much more secure.
Olaf
uploaded files: no direct link but download.php
Some postings I was involved in that you might find useful:
SingleEdit - Prevent concurrent edits on records; Field Permissions; Column-Value-Based-Permissions; Custom (error) message; Audit Log; Backup your database; Two Factor Authentication; Block brute force (failed) logins; Add 2nd SAVE CHANGES button; Place a search on details view
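A sketch of the kind of download script the post asks for, added here as an example; it is not AppGini code and not the code from the linked article. It assumes uploads are stored outside the webroot in one subdirectory per table; `UPLOAD_DIR`, `user_can_view_table()`, the `viewable_tables` session key and the `t`/`f` query parameters are hypothetical names.

```php
<?php
// download.php: added example, not AppGini code. UPLOAD_DIR, the session key and
// user_can_view_table() are hypothetical; uploads are assumed to live in
// UPLOAD_DIR/<table>/, outside the webroot.
declare(strict_types=1);
const UPLOAD_DIR = '/var/app-data/uploads';

// Hypothetical stand-in for the application's own table permission check.
function user_can_view_table(string $table): bool
{
    session_start();
    return in_array($table, $_SESSION['viewable_tables'] ?? [], true);
}

// Map a user-supplied name to a file in the table's directory, or null if it escapes.
function resolve_upload(string $table, string $name): ?string
{
    $base = realpath(UPLOAD_DIR . '/' . $table);
    $path = realpath(UPLOAD_DIR . '/' . $table . '/' . basename($name));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the table's directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$table = (string) ($_GET['t'] ?? '');
$file  = (string) ($_GET['f'] ?? '');

// Authorize first, so the table name is a known value before it is used in a path.
if (!user_can_view_table($table)) {
    http_response_code(403);
    exit('Forbidden');
}
$path = resolve_upload($table, $file);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Detect the type from content; only known image types are rendered inline.
$mime   = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
$inline = in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true);
header('Content-Type: ' . ($inline ? $mime : 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
    . "; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Cache-Control: private, no-store');
readfile($path);
```

An image would then be referenced as `download.php?t=<table>&f=<file>` instead of by its path. The check here is per table only; record-level permissions would need the script to look up which record owns the file.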