Symbolic link from public/storage to storage/app/public still makes the files in the storage directory accessible from the web

What I have done

When I researched about storing files in laravel. I came across two approaches.

  1. Storing the assets directly inside the public folder.
  2. Creating a symbolic link from public/storage to
    storage/app/public

When I researched about which one two use, I came across this stack overflow link. 👉 Difference between storing files in public directory and in storage in Laravel 5.4
In this link in the top answer it was mentioned,

Public folder means files will be publicly accessible.

For example an image stored in
public/images/my-image.jpegcan be viewed by anyone by
going to mysite.com/images/my-image.jpeg

However, files stored in storage directory are only available to your
app.

👆 Since, including in the mentioned stack overflow post above, and many other posts I have read on different platforms implied the fact that files in the public directory are web accessible whereas the files inside the storage directory are not, I tried to test this by storing files both in the public directory and in the storage directory one at a time, and then checking if the files are accessible through the web url.

My attempts went as below,

  1. First I added the path images/ in the public
    directory and placed some images (Let us say
    test1.jpg, test2.jpg and
    test3.jpg) into that directory. Then inside my blade
    template for the src attribute of my
    img tags I referred to them as
    URL('images/test1.jpg') etc… and they were indeed
    rendered on the webpage. Then I also tried to access the images from
    the url by going to
    http://localhost:8000/images/test.jpg. The result was
    as expected, The images were rendered on the web page + they were
    accessible from the url
  2. Then I ran the command php artisan storage:link
    on the console, which according to the articles I read, should
    create a symbolic link between the directories
    public/storage and storage/app/public.
    As soon as I ran the command, I got a new folder called
    storage created in the public
    directory. Then I moved all my images to that
    public/storage directory. Then set the
    src attribute my img tags as
    URL('storage/test1.img') etc… the images were
    rendered on the web page. Then I tried to check if the images are
    still accessible from the url. for that on the url bar I went to
    http://localhost:8000/storage/test1.jpg. The
    images were STILL ACCESSIBLE from the url.

Problem

However, according to the answer I have mentioned and some other similar links, I expected those images to not be accessible from the url in the 2) above since the images should now be actually in the storage/app/public which we have created a symbolic link to from public/storage. (Files inside the storage directory should not be publicly accessible right?)

This led me to two questions,

  1. Why are the images are still being accessible from the url even after I created a symbolic link from public/storage to storage/app/public and stored the images in the public/storage directory?
  2. As happened with my case, if the files in the
    public/storage are still accessible through the web
    url, what are the advantages of actually creating the symbolic link?
    It does not seem to offer any more security since the files are
    still accessible from the url.

It would be really helpful if anyone can help me understand the answers to the above two questions I have. Thanks.

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

What’s happening to you is the expected behavior.

The purpose of Laravel storage is to interact with your local files and make use of Laravel helpers, besides being easily shared across deployments.
Saying that I would avoid moving your files directly to your public folder.

On the other hand, by adding files to your storage/app/public folder you are assuming that those files will be publicly accessible, but they won’t be until you create a symbolic link which is a special kind of file that points to another file.
When you create a symbolic link you are saying “hey, if the user reaches http://localhost:8000/storage/ just show the files stored in storage/app/public

So if you want private files (and you have created a symbolic link) just don’t upload them to your storage/app/public folder, instead of that put your private files out from the public folder such as storage/app/myfiles

He are your answers:

1 – Why are the images are still being accessible from the url even
after I created a symbolic link from public/storage to
storage/app/public and stored the images in the public/storage
directory?

Because in fact, you have created a symbolic link for that purpose, making the storage/app/public publicly accessible.

2 – As happened with my case, if the files in the public/storage are
still accessible through the web url, what are the advantages of
actually creating the symbolic link? It does not seem to offer any
more security since the files are still accessible from the url.

As said, the advantage is to make use of Laravel filesystem. The public link doesn’t determine the privacy of your files

Method 2

You might have many different types of files in one project. Some are accessible to the public, like images embedded in a website (as your example shows), and some are private files, let’s say, for example, a pdf of a private report.

Any file that is accessible to the public can be stored in either storage/public or directly in public. As you have observed, no difference there since the former would have a symlink established.

However, private files cannot be stored storage/public (if symlink is established) and especially not directly in public folder for obvious reasons.

Those files can go in storage/app/NOT_PUBLIC_REPO. These files should be made accessible via protected routes (along with signed routes if you want extra protection).


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x