# Templating system for Laravel.

28 messages · Page 1 of 1 (latest)

wind locust
#

Let me try to explain this as best as I can. Basically I wanna create a templating system where admins can upload HTML files from an administrator panel, and load these files for the end user in an iframe. Of course I want to do this in a safe way without a possibility of a security breach. My idea was to create one GET route like this, /file/{file}, and create a controller that takes the file from local storage and displays it in the page in an iframe, and if the file is not there return a 404 page. The reason I want to do this is to avoid messing with cPanel every time or overwriting project files every single time I make a new PHP page including a new file, and I wanna do most of the stuff from the backend. Obviously you boys 'n girls are a lot more skilled than I am, so I would love your opinion on how to safely implement something like this.

Thanks for reading and I hope you guys can help me 🙂

plush terrace
# wind locust Let me try to explain this as best as i can. Basically i wanna create a templati...

So, my 2 cents - don't take this as gospel, I'm sure you know your project much better than I do.

  • I wouldn't upload and store files.
  • I would use a File model, with a longtext/blob column, representing the file.

Model storage means you can directly route-model bind the file contents, without needing to hack together temporary URLs and guards for the sake of security.

It also means you can create on-site editors much, much more easily.

#

If the files aren't from trusted sources, I'd also suggest stripping script tags, for the sake of preventing injection.

wind locust
#

But would stripping script tags not result in some functionality of this HTML no longer working?

wind locust
plush terrace
#

Yeah, you can use the default ID or choose GUIDs, but you can route-model bind to any column, so you won't need to display the ID in the URL.

glossy lichen
#

I needed to do a similar thing recently, actually. At the agency I work at, we work with pharma clients and there are soooo many revisions to everything we do because of legal and compliance, and there's a 30+ page PDF for each revision we do too, so it gets to be a lot to manage.

Sooooo, I built a client portal that allows them to view each job, its associated deliverable assets, along with every completed revision. Every revision has a related PDF as well, that gets uploaded to S3.

On my PDF model, I have the following method:

use Illuminate\Support\Facades\Storage;

// Accessor on the Pdf model: exposes $pdf->url as a signed S3 link that expires after 7 days
public function getUrlAttribute(): string
{
    return Storage::disk('s3')
        ->temporaryUrl(
            $this->path,
            now()->addDays(7)
        );
}

In my Laravel application, whenever I reference my Pdf model, I can access that generated URL as $pdf->url.

plush terrace
glossy lichen
#

Then, on my front end, I would use an iframe with the source set to $pdf->url.

wind locust
glossy lichen
#

ahahahahahah

plush terrace
#

If you're newer to Laravel and S3, the blob model may be an easier route for you 😆

wind locust
#

Yeah, your suggestion seemed the easiest one.

plush terrace
#

As long as you're not uploading 10 MB HTML files 😅

#

(Or 1000s of files)

wind locust
#

The only thing I am not sure of is how I can then get them to show again in the iframe as file1, file2, etc. when they're stored in the DB.

glossy lichen
#

Yeah! Joee's would definitely be the simplest solution to get up and running with, but if you have to deal with larger files, you'll want to consider another option.

wind locust
#

'Cause each file has a different show.blade.php file

#

and a different route.

glossy lichen
wind locust
#

And for the file storage, this is what I first thought about, but it's not secure I guess. I mean, the files uploaded are not supposed to be hidden or contain any sensitive info.

glossy lichen
#

So you could have a FilePolicy with a view(User $user, File $file) method that checks if the currently authenticated $user (the first param) has access to the requested $file (the second param).

  • If they can access it, you can download the file and go about your business.
  • If the user isn't allowed to access that file, you can act accordingly.

In my case, I had to set up a PDFPolicy to limit downloading and viewing certain PDFs to members of the team that owns the PDF.
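Putting the thread's pieces together (the blob-backed File model, route-model binding on a non-ID column, a FilePolicy gating the route, and serving the HTML into an iframe), here is an added example; it is not code from any poster. It assumes a `files` table with `slug`, `body` and `team_id` columns and a `team_id` on users; the `Content-Security-Policy: sandbox` header disables scripts in the framed document, which is the same trade-off as stripping script tags but enforced by the browser.

```php
<?php
// Added example, not from the thread. Comments name the file each piece would
// live in; they are shown together here only for readability.

use Illuminate\Support\Facades\Route;

// app/Models/File.php
class File extends \Illuminate\Database\Eloquent\Model
{
    protected $fillable = ['slug', 'body', 'team_id'];

    // Bind routes on the slug so the URL reads /file/file1 instead of /file/17.
    public function getRouteKeyName(): string
    {
        return 'slug';
    }
}

// app/Policies/FilePolicy.php (auto-discovered for App\Models\File)
class FilePolicy
{
    // Assumed ownership rule: a user may view files belonging to their team.
    public function view(\App\Models\User $user, File $file): bool
    {
        return $user->team_id === $file->team_id;
    }
}

// routes/web.php
// Unknown slug -> 404 from the implicit binding; not permitted -> 403 from can:view.
Route::get('/file/{file}', function (File $file) {
    return response($file->body, 200)
        ->header('Content-Type', 'text/html; charset=utf-8')
        // Sandbox the framed document (no scripts, no forms, opaque origin)
        // and only allow this site to frame it.
        ->header('Content-Security-Policy', "sandbox; frame-ancestors 'self'")
        ->header('X-Content-Type-Options', 'nosniff');
})->middleware(['auth', 'can:view,file'])->name('file.show');

// resources/views/show.blade.php: the iframe mirrors the header-level sandbox.
// <iframe src="{{ route('file.show', $file) }}" sandbox></iframe>
```

Uploading a new file is then just inserting a row with a fresh slug, so file1, file2, etc. all share this one route and one Blade view instead of needing their own.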

wind locust
#

I'm gonna read all the info you guys provided me and see what can be done, and then go to the sketching table to see how I will do it with the info both of you provided. It's a lot of info right now to suck up, if ygm haha.

#

And if I run into trouble, I guess I will post here to see what can be done.

plush terrace
#

Always happy to help!! :)