Private folders per user
To create separate directories for users, you need to create a simple mechanism to map the current user to an appropriate directory path.
When building the directory path, remember the following rules, as ignoring them may lead to path traversal attacks:
- Do not reveal any sensitive information.
- Do not use any insecure data.
To set a private directory for the current user, you need to dynamically change the configuration in the current HTTP request scope. This can be done with a custom event listener component that listens for the GetConfigForRequestEvent event.
In the example below, it is assumed that the user has been authenticated and their username is stored in the username session attribute. The private user directory path is built using the current user's username, so each user has their own directory inside the /tmp folder (e.g. /tmp/user1, /tmp/user2).
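The path-building step on its own, shown as an added example that is not part of the original documentation or the product's own code: it maps a username to a directory under /tmp and rejects any value that could leave that folder. The class name UserDirResolver and the username allow-list are assumptions made for this illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Hypothetical helper: maps an authenticated username to a private directory.
public class UserDirResolver {
    // Assumed policy: 1-32 characters, letters, digits, '_' or '-' only.
    // No dots or separators, so "..", "a/b" and "a\b" never pass.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    private final Path base;

    public UserDirResolver(String baseDir) {
        this.base = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /** Returns base/username, or throws if the value could escape the base directory. */
    public Path resolve(String username) {
        // The message does not echo the rejected value, so nothing sensitive leaks.
        if (username == null || !SAFE_NAME.matcher(username).matches()) {
            throw new IllegalArgumentException("rejected username");
        }
        Path dir = base.resolve(username).normalize();
        // Defence in depth: the result must be a direct child of the base directory.
        if (!base.equals(dir.getParent())) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return dir;
    }

    public static void main(String[] args) {
        UserDirResolver resolver = new UserDirResolver("/tmp");
        // Constructed sample inputs: two valid names, then traversal attempts.
        String[] samples = {"user1", "user2", "../etc", "user1/../../etc", "..", "a/b", ""};
        for (String s : samples) {
            try {
                System.out.println("'" + s + "' -> " + resolver.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + s + "' -> " + e.getMessage());
            }
        }
    }
}
```

The value returned by resolve() is what a request-scoped listener would use as the user's directory; the username itself should come only from the server-side session, never from a request parameter.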