Here's the scenario... The company has lots of existing reports that they pull from their own system and don't want to recreate them in their web app. Instead, I'm creating a way for them to manage uploading these reports (their system creates the PDF files, I just need to provide them the interface to upload/manage them, and of course the user-facing interface to retrieve them).
I thought I had it all worked out until I realized that even though using my interface (the web app) users will only ever see the reports they are allowed to see, there is currently nothing stopping a user from directly downloading a report file they are not supposed to if they know the path and file name.
Example folder structure on server for the uploads:
So, only users that have a matching clientID associated with their accounts should be able to access the files within the folder matching that clientID... and user accounts *can* have multiple clientIDs associated with their account. I have no problem making this happen within my web UI, but again, if a user knew the actual path, they could access other clients' reports, which obviously is ver
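
One way to close the gap described in the question, as an added example that is not part of the original post: keep the uploaded reports in a directory the web server does not serve directly, and route every download through an authorization check like the one below. The function name `resolve_report`, the numeric clientID folder names and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

class AccessDenied(Exception):
    """Raised when the caller may not read the requested report."""

def resolve_report(reports_root, user_client_ids, client_id, filename):
    """Return the on-disk path of a report, or raise AccessDenied.

    reports_root is assumed to live outside the web root, so a download
    can only happen after this function has approved it.
    """
    # 1. Authorization: the folder's clientID must be linked to the account.
    if client_id not in user_client_ids:
        raise AccessDenied("account is not linked to this clientID")
    # 2. Containment: resolve ".." and symlinks, then require the result
    #    to stay inside that client's folder.
    client_dir = (Path(reports_root) / client_id).resolve()
    target = (client_dir / filename).resolve()
    if client_dir not in target.parents:
        raise AccessDenied("path escapes the client folder")
    # 3. Only existing regular files are ever returned.
    if not target.is_file():
        raise AccessDenied("no such report")
    return target

def demo():
    """Build a constructed upload tree and run four sample requests."""
    root = Path(tempfile.mkdtemp())
    for cid in ("1001", "1002"):  # constructed clientIDs
        (root / cid).mkdir()
        (root / cid / "q1.pdf").write_bytes(b"%PDF-constructed")
    account = {"1001"}  # this account is linked to one client only
    requests = [("1001", "q1.pdf"), ("1002", "q1.pdf"),
                ("1001", "../1002/q1.pdf"), ("1001", "missing.pdf")]
    results = {}
    for cid, name in requests:
        try:
            resolve_report(root, account, cid, name)
            results[(cid, name)] = "served"
        except AccessDenied:
            results[(cid, name)] = "denied"
    return results, root

if __name__ == "__main__":
    for request, outcome in demo()[0].items():
        print(request, outcome)
```

The web handler would call `resolve_report` with the clientIDs loaded from the authenticated session and stream the returned file, answering every `AccessDenied` with the same response so a caller cannot tell a missing report from a forbidden one.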