Javascript 保护上载的文件并仅允许授权用户访问
我正在使用Multer上传一些文件,我想知道上传后保护对这些文件的访问的推荐方法是什么 我有两种类型的用户;管理员和普通用户。用户只能上传照片,只有管理员可以访问照片的url 上载文件的我的文件夹结构:Javascript 保护上载的文件并仅允许授权用户访问,javascript,node.js,Javascript,Node.js,我正在使用Multer上传一些文件,我想知道上传后保护对这些文件的访问的推荐方法是什么 我有两种类型的用户;管理员和普通用户。用户只能上传照片,只有管理员可以访问照片的url 上载文件的我的文件夹结构:/public/uploads/teacher/ 这是我的代码: server.js // This is auth middleware which checks if access token is valid to access API app.all('/api/*', [require(
/public/uploads/teacher/
这是我的代码:
server.js
// This is auth middleware which checks if access token is valid to access API
app.all('/api/*', [require('./validateReq')]);
app.use('/', require('./routes'));
app.use(express.static('public'));
var teacher = require('./teachers.js');
router.post('/upload', teacher.uploadAvatar);
var multer = require('multer');
var upload = multer({ dest: 'uploads/teacher/' }).single('avatar');
uploadAvatar: function(req, res) {
upload(req, res, function(err) {
console.log(req.body);
console.log(req.file);
if(err) {
return res.end("Error uploading file.");
}
res.end("File is uploaded");
});
}
routes/index.js
// This is auth middleware which checks if access token is valid to access API
app.all('/api/*', [require('./validateReq')]);
app.use('/', require('./routes'));
app.use(express.static('public'));
var teacher = require('./teachers.js');
router.post('/upload', teacher.uploadAvatar);
var multer = require('multer');
var upload = multer({ dest: 'uploads/teacher/' }).single('avatar');
uploadAvatar: function(req, res) {
upload(req, res, function(err) {
console.log(req.body);
console.log(req.file);
if(err) {
return res.end("Error uploading file.");
}
res.end("File is uploaded");
});
}
routes/teachers.js
// This is auth middleware which checks if access token is valid to access API
app.all('/api/*', [require('./validateReq')]);
app.use('/', require('./routes'));
app.use(express.static('public'));
var teacher = require('./teachers.js');
router.post('/upload', teacher.uploadAvatar);
var multer = require('multer');
var upload = multer({ dest: 'uploads/teacher/' }).single('avatar');
uploadAvatar: function(req, res) {
upload(req, res, function(err) {
console.log(req.body);
console.log(req.file);
if(err) {
return res.end("Error uploading file.");
}
res.end("File is uploaded");
});
}
如果用户上传了一个文件
john_doe.png
,我如何将对以下Url的访问权限限制为只允许教师/管理员访问,使其不公开:localhost:8000/uploads/teacher/john_doe.png
。在这种情况下,最佳做法是什么?这与在返回资源之前添加身份验证过程没有什么不同。有各种各样的方法可以做到这一点。例如,在最基本的级别中,可以使用。您还可以使用cookies(特别是httpOnly cookies)来传递授权cookies等等
鉴于您已经有了类似的中间件,您可以使用它来检查用户是否具有管理员权限,然后再授权他们查看资源