With DotNetNuke, I discovered the option to use secure folders. How can we keep the full URL of a file within a given security folder normal? (i.e. without the token process attached to the URL and displaying the full path to the folder).
There are a number of reasons why I would need the path/name of a file readable to it's original location. Yes I want the folder to be only accessible to members privileged to that location, but not at the expense of changing the path / file name with a token.
So regardless if you are logged in or not, you should notice the existance of
http://dnnsite.com/my-secure-folder/my-file.pdf
If you are logged out, then an action occurs saying you are not permitted to view this file.
If you are logged in, then you have full view access to this URL
Thanks
It would not be secure then. To access a file in the way your url is formed, you have to use a "normal" folder, but you cannot achieve your goal to restrict access.
To explain: Files that are uploaded to a secure folder get an extra extension (".resources") to their original file name. Files with this extension will not be delivered by IIS (at least not in the default settings), and DNN provides a file handler ("LinkClick.aspx") that delivers the file with this extension, and also ensures that the user who tries to access the file hat the required permissions in the secure folder.
What you can do on your site is something like a link in an HTML module that is available to everyone, but uses the file handler to access the file, and the folder is restriced to a specific role (http://dnnsite.com/my-secure-folder/my-file.pdf). This leads to the login screen when a user is not logged in.
Related
While downloading a File from SF Community from a Customer User Login, the LWC code takes the page to a URL where the file gets downloaded, now lets say that this URL gets passed to another Customer User and now he is also able to download this file. So my question here is how do I restrict the access such that even if others get the download file URL the system should not allow them to download the file.
File Download Link:
https://crmitdev-aramco.cs219.force.com/aramcotrainee/sfc/servlet.shepherd/document/download/0698G000000F76yPAC
Thank you
In a CakePHP3 application that requires Authentication/Authorization, I have the possibility of images being uploaded. Now I would like to avoid Users being able to see other users images by e.g. guessing image names or such. Also I would like to use the ids of the entities as filenames which would make it also easy to guess.
So how would you implement authorization for assets?
I would prevent the "guessing" of filenames just by generating a random long enough unguessable string of chars as the new filename, like Facebook does with uploading photos:
Because we shouldn't bother at all with the original name of files, we could rename the file that a user uploads. For example User 24976 uploads a file that is called tomato12.png. The upload script will then rename the file to (for example) the following name:
1481540475_24976_iDewM51NYrBYgnIh.png
It consists out of four parts:
[timestamp]_[userId]_[randomString].[suffix]
And then, save the filename into the database. If you would look into the uploads directory, you could be able to see which user has uploaded which file, but an outsider that has no rights to see the directory index would never be able to guess the name of a file. No authentication needed.
I have Yii2 application where users can upload and share files of different types. Once a file is uploaded, it could be downloaded only by certain other users and there are a whole bunch of checks that go behind this process.
My problem is that the files are stored on the server and if someone has the link directly to the file then they can easily be downloaded without going through any kind of authorization or security checks. How can I prevent this?
P.S. It could be any kind of solution, not one related to Yii2.
The following approach comes to my mind.
Store the files at a location in file system that is not made publicly accessible by a web server.
Make them available by reading them from file system and sending them to browser when the user retrieves the URL that also does the security checks. A redirect to another URL that does not do security checks has to be avoided.
If you give more details about a more specific problem or question people can give you more specific information.
I hit the below error when trying to insert the permission
"code": 403,
"message": "The authenticated user has not granted the app xxx write access to the child file xxx, which would be affected by the operation on the parent"
Here is what I am doing
We have two Google Account,
1. API Account - we used to create folder and change the ownership to Business account
2. Business Account - upload a file
now we try to share to folder to customer and we hit the above error
And here I using OAuth 2.0 Installed Applications to get the access token.
Please advise what is wrong I am doing here
I had the same issue but I realize that its because of the scope for credential wasn't setup properly. I only had DriveScopes.DRIVE_METADATA set which was not enough for downloading files. Once I added DriveScopes.DRIVE_FILE, DriveScopes.DRIVE, and DriveScopes.DRIVE_APPDATA, I was able to download the file without any problem. Hope this helps.
P.S. if you are changing credentials, you have to delete the previously saved credential file.
Based on the Official Google Documentation you received '403: The user has not granted the app' because the request is not on the ACL for the file. The user never explicitly opened the file with this Drive app.
It is highly recommended to use Google Open Picker and prompt the user to open the file or direct the user to Drive to open the file with the app.
My app uses the Drive rest API and the Drive Realtime API in combination. We set the file's permissions so that the public has view access, and then emailed a link to it to a few thousand customers.
The file's permissions are set so that the public has view access, but:
When a user tries to open the realtime document, we get Drive Realtime API Error: not_found: File not found.
When a user tries to copy the non-realtime file, we get The authenticated user has not granted the app 689742286244 write access to the file 0B-NHh5QARZiUUFctN0Zjc3RKdWs (of course we are not asking to write
You can see the effects for yourself at https://peardeck.com/editor/0B-NHh5QARZiUUFctN0Zjc3RKdWs , and our embarrassing attempts to cover for the errors.
Interesting notes:
Sharing the file directly with a particular google account seems to lift the curse, and then that google account can find the file like normal. No extra permissions, just an explicit reference to a google account.
Setting the file so that the public has full write access seems to have no effect
Other files with the exact same settings in the exact same Drive folder can be opened successfully (but presumably have not been opened by so many people in the past). This makes me think there is some broken state within Google.
How can I avoid this? What's going on?(!?!?) Thanks for any help!
The realtime API does not support anonymous access. All users must have a Google account and be explicitly authorized to view or write to the file.