I am using Multer to upload some files and I am wondering what would be the recommended way to protect access to those files after upload.
我正在使用Multer上传一些文件,我想知道在上传后保护访问这些文件的推荐方法是什么。
I have 2 types of users; admin and regular user. Users are only able to upload photos and only admin can access url of the photo.
我有两种类型的用户;管理员和普通用户。用户只能上传照片,只有管理员才能访问照片的网址。
My folder structure for uploaded files: ./public/uploads/teacher/
我上传文件的文件夹结构:./ public / uploads / teacher /
This is my code:
这是我的代码:
server.js
// This is auth middleware which checks if access token is valid to access API
app.all('/api/*', [require('./validateReq')]);
app.use('/', require('./routes'));
app.use(express.static('public'));
routes/index.js
var teacher = require('./teachers.js');
router.post('/upload', teacher.uploadAvatar);
routes/teachers.js
var multer = require('multer');
var upload = multer({ dest: 'uploads/teacher/' }).single('avatar');
uploadAvatar: function(req, res) {
upload(req, res, function(err) {
console.log(req.body);
console.log(req.file);
if(err) {
return res.end("Error uploading file.");
}
res.end("File is uploaded");
});
}
If user uploads a file john_doe.png
, how can I limit access to the following Url only to teacher/admin so it's not public: localhost:8000/uploads/teacher/john_doe.png
. What would be the best practice in situations like this?
如果用户上传文件john_doe.png,我如何才能将以下网址的访问权限仅限于教师/管理员,因此它不公开:localhost:8000 / uploads / teacher / john_doe.png。在这种情况下最好的做法是什么?
1 个解决方案
#1
0
This is no different than adding an authentication process before returning resources. There are various ways to go about it. For instance, in the most basic of levels, you can use the basic authentication header. You can also use cookies (specifically, httpOnly cookies) for passing the authorization cookies and so forth.
这与在返回资源之前添加身份验证过程没有什么不同。有各种方法可以解决这个问题。例如,在最基本的级别中,您可以使用基本身份验证标头。您还可以使用cookie(特别是httpOnly cookie)来传递授权cookie等。
Seeing that you already have a middleware for something similar, you can use it to check whether the user has admin privileges before authorizing them to view the resource.
看到您已经有类似的中间件,您可以使用它来检查用户是否具有管理员权限,然后授权他们查看资源。
#1
0
This is no different than adding an authentication process before returning resources. There are various ways to go about it. For instance, in the most basic of levels, you can use the basic authentication header. You can also use cookies (specifically, httpOnly cookies) for passing the authorization cookies and so forth.
这与在返回资源之前添加身份验证过程没有什么不同。有各种方法可以解决这个问题。例如,在最基本的级别中,您可以使用基本身份验证标头。您还可以使用cookie(特别是httpOnly cookie)来传递授权cookie等。
Seeing that you already have a middleware for something similar, you can use it to check whether the user has admin privileges before authorizing them to view the resource.
看到您已经有类似的中间件,您可以使用它来检查用户是否具有管理员权限,然后授权他们查看资源。