I am building a DotNetNuke 5.6 Module. The module contains a form with some textboxes and the dotNetNuke Rich text Editor.
Users are supposed to fill this form and it is saved to the database.
Everything is working just fine.
The problem though is that users can use it to upload images or documents to the server if they select to add a link.
The problem here is : Users will upload documents to the portal root which will make them visible to other users. We do not want this to happen as each user's documents are private and should not be visible by other users.
The question is:
Can I restrict users to upload documents to a specific folder visible only to that user? this is to prevent different users from seeing each other's private documents?
OR
Can I restrict users from uploading documents altogether?
Thanks
Folder security settings are found in the Admin - File manager. Write permissions control upload:
Allowable File Extensions are in the Host Settings - Other Settings. This is a global security feature, and does not include common media file extensions by default:
In addition, different HtmlEditorProviders do have folder and upload settings in their configuration. HtmlEditorProviders are configured with provider-specific web.config properties and configuration files that are found under /Providers/HtmlEditorProviders.
Telerik provider has ImageManager.ViewPaths, ImageManager.UploadPaths and ImageManager.DeletePaths properties, and also maximum upload sizes for different file extension groups (image, media, document, flash, silverlight, template ). Cute Editor has some support for role-based default upload directories, but I couldn't find these in the Telerik provider.
See also:
How to Upload Restricted File Types in DotNetNuke
Related
I want to confirm my uploaded manifest and the office-id it contains, but when I've signed in to seller dashboard it only gives me the option to delete it. Is there any way where I can see the contents of my current manifest?
You can download your manifest from Mcirosoft AppSource via this URL
https://store.office.com/app/download?assetid=WAXXXXXXXXX&cmu=en-US
Replace WAXXXXXXXXX with the asset ID of your add-in (visibile in the AppSource URL if you don't know it) and en-US with your add-in default language if different.
With DotNetNuke, I discovered the option to use secure folders. How can we keep the full URL of a file within a given security folder normal? (i.e. without the token process attached to the URL and displaying the full path to the folder).
There are a number of reasons why I would need the path/name of a file readable to it's original location. Yes I want the folder to be only accessible to members privileged to that location, but not at the expense of changing the path / file name with a token.
So regardless if you are logged in or not, you should notice the existance of
http://dnnsite.com/my-secure-folder/my-file.pdf
If you are logged out, then an action occurs saying you are not permitted to view this file.
If you are logged in, then you have full view access to this URL
Thanks
It would not be secure then. To access a file in the way your url is formed, you have to use a "normal" folder, but you cannot achieve your goal to restrict access.
To explain: Files that are uploaded to a secure folder get an extra extension (".resources") to their original file name. Files with this extension will not be delivered by IIS (at least not in the default settings), and DNN provides a file handler ("LinkClick.aspx") that delivers the file with this extension, and also ensures that the user who tries to access the file hat the required permissions in the secure folder.
What you can do on your site is something like a link in an HTML module that is available to everyone, but uses the file handler to access the file, and the folder is restriced to a specific role (http://dnnsite.com/my-secure-folder/my-file.pdf). This leads to the login screen when a user is not logged in.
I have a table with in it documents with their filelocation ie url. What can I use /do to open this document in the browser ? Or when this is an ms office file in word or excel?
A quickwin but probably expensive solution is to upload or your files to googledrive by API (https://developers.google.com/drive/v2/reference/) with restrictive permissions (a unique authkey per file) then you iframe the google drive's url in your webapp.
This is expensive as if you have many users/files, you'll need more space on google drive.
If your users are signed in using google, then it's better for security as instead of an authkey you can handle permissions by email.
Otherwise, you can use some javascript word/excel editor like http://webodf.org/.
Hope it helps!
Younes for Wishtack.com
I'm trying to figure out how to store user settings.
A User goes to Settings. There are lists of services and categories etc and the user selects which of them he/she wants to use. These lists are loaded from .xml files and have a simple structure, ie ServiceName + true/false (selected/not selected). But through the lifetime of the application there will be added another lists so there can be something about 50 .xml files or more.
Is IsolatedStorageSettings everything I need or it is only for application settings and preferences and not for custom user settings?
You can use Application Settings stored in Isolated Storage but for what you're trying to do you might want to look at something like SterlingDB. SterlingDB is simple and it's easy to get up and running. It also uses Isolated Storage.
on my website i have two types of files that end users can download - one of them are available for all visitors, and second is only for registered users (users that are logged in).
setting of drupal allows to set only if files are available for all users or only for users that are logged in.
how can i achieve that some files are public and some not?
thank you in advance!
Assumption: you're using Drupal 6.
If you're using the upload module to attach files to your nodes: consider using http://drupal.org/project/private_upload
If you don't mind creating manual links to the files in your Node bodies (and uploading the files yourself to the private folder) consider http://drupal.org/project/private_download
If you're using filefields consider using http://drupal.org/project/filefield_private
Some up these modules have hardly an uptake (click on the usage statistics link on each of the above links I've shared with you).
Unfortunately mixing private and public downloads is a known area of weakness for Drupal 6. Drupal 7 has fixed this.