By default, symfony uploades file to web/upload folder, so they are accessible for anyone. I need to check user credentials on every request to a file. How should I do this?

Move your uploads outside of your webroot, like in /data/uploads. In that case, you'll need to put this in your ProjectConfiguration file:

sfConfig::set('sf_upload_dir' => sfConfig::get("sf_data_dir") . DIRECTORY_SEPARATOR . 'uploads');

Provided that you always used sf_upload_dir to specify the uploads folder, all your files will get saved there.

The second part of the solution needs a new action, that gets a filename, checks if the user has access to it, and returns:

• either a 403 error
• or the file contents via readfile(), after setting the correct Content-Type and Content-Lenght headers.