I am building a web application in PHP. Users will access with their accounts. They will have resources like their pictures, notes, etc. in the system, as in Facebook.
My first problem is not letting anybody access an account's private resources. Let's say this is a picture. There are 3 situations:
- Everybody can access that picture with the picture's URL.
- A friend account of that picture's owner account can access that picture.
- Only the owner account can see that picture, nobody else. Even with the URL of the picture.
I don't know if Facebook does anything like point 1. Because business is important, and also the privacy of users.
My first idea was making all resource accesses go through a PHP file. But after a while it looked really complex.
My other idea was keeping a list of all resources in a database table, together with the privacy setting. This looks like a better idea, but I am not sure how performance will be affected over time.
What are your thoughts, how would you build a system like this?
P.S. I am planning to add one more web application, and create a shared resource area to put shared resources into. I will need the same privilege system there as well.
In my experience you can best solve this by uploading your files to a directory that is not publicly available. Then you would also have some table in your database where you'd have at least three columns: the name of the file, the access level you want to give it and the user that uploaded the file.
You could then write something that checks if the visiting user has access to the file. First it would retrieve the row containing information about the mentioned file. Based on that information, if the user has access, use readfile (see the example in the PHP manual) to display the file. In all other cases you could just show a 403 Forbidden page.
In your case the function that checks access would look something like this:
This is just an example, your implementation would probably be a little different, depending on your environment.
As far as I know Facebook just allows all files to be viewed by everyone, but tries to create a URL that is difficult to guess. As soon as you've got the URL, you can just view the image itself, regardless of the privacy settings of the user that uploaded the image.
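The access-checking function the answer refers to is not reproduced on the page. The following is an added example, not the answerer's code, of one way to write it in PHP: files live in a directory outside the web root, a `resources` table records the file name, owner and access level (`public`, `friends` or `private`), and a `friendships` table records friend relations. The table and column names, the storage path and the database credentials are all assumptions. Missing and forbidden files both get the same 403 so the URL cannot be used to probe which ids exist, and the stored file name is confined to the storage directory before `readfile` is called.

```php
<?php
// Added example (not the answerer's code). Assumed schema:
//   resources(id, filename, owner_id, access)   -- access: 'public' | 'friends' | 'private'
//   friendships(user_id, friend_id)             -- one row per direction
declare(strict_types=1);

// Assumed location; this directory must not be served directly by the web server.
const STORAGE_DIR = '/var/www/private_uploads';

function canView(PDO $db, array $resource, ?int $viewerId): bool
{
    // The owner always sees their own file, whatever the access level.
    if ($viewerId !== null && $viewerId === (int) $resource['owner_id']) {
        return true;
    }
    switch ($resource['access']) {
        case 'public':
            return true;
        case 'friends':
            if ($viewerId === null) {
                return false; // anonymous visitors are never friends
            }
            $stmt = $db->prepare(
                'SELECT 1 FROM friendships WHERE user_id = :owner AND friend_id = :viewer LIMIT 1'
            );
            $stmt->execute([':owner' => (int) $resource['owner_id'], ':viewer' => $viewerId]);
            return $stmt->fetchColumn() !== false;
        case 'private':
        default:
            return false; // unknown access values fail closed
    }
}

function serveResource(PDO $db, int $resourceId, ?int $viewerId): void
{
    $stmt = $db->prepare('SELECT id, filename, owner_id, access FROM resources WHERE id = :id');
    $stmt->execute([':id' => $resourceId]);
    $resource = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same response for "missing" and "forbidden", so ids cannot be probed for existence.
    if ($resource === false || !canView($db, $resource, $viewerId)) {
        http_response_code(403);
        echo 'Forbidden';
        return;
    }

    // Confine the stored name to the storage directory (no traversal, no symlink escape).
    $path = realpath(STORAGE_DIR . '/' . basename($resource['filename']));
    if ($path === false || strpos($path, STORAGE_DIR . '/') !== 0 || !is_file($path)) {
        http_response_code(403);
        echo 'Forbidden';
        return;
    }

    $mime = mime_content_type($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
}

// Usage: image.php?id=42, referenced from an <img> tag instead of a direct file URL.
session_start();
$viewerId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$resourceId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($resourceId === false || $resourceId === null) {
    http_response_code(400);
    exit('Bad request');
}
// Assumed DSN and credentials; read them from configuration in a real deployment.
$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
serveResource($db, $resourceId, $viewerId);
```

Routing every file request through this script is what makes the `private` and `friends` levels enforceable; a file that the web server can serve from a guessable path is effectively `public`, which is the behaviour the answer attributes to Facebook. The per-request friendship lookup is a single indexed query, so the performance concern in the question is mostly about keeping an index on `(user_id, friend_id)` rather than about the gate itself.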