How to stop User 1 viewing User 2's files ?


david_navigator

If I understand correctly, with UniGUI all files that need to be served to any user go in a common /files/ folder.

So how do I stop User 1 from viewing User 2's files (I'm using the UniPDF viewer).

For example, if I generate a pdf for User 1 with a copy of their invoice (user1_invoice.pdf), how do I stop User 2 just making a guess and typing in https://www.mydomain.com/files/user1_invoice.pdf in an attempt to find a copy of user 1's invoice. I can obviously use a random name for the pdf, maybe using a GUID e.g user1_B12CBDDD-A333-4ADA-888D-DAF0A1894D40_invoice.pdf but it doesn't feel like it's the correct (and secure) way to do this.

Any suggestions please (I need to display the pdf in the UniPDF control, not I can't just download on client machine) ?

Thanks

David


16 minutes ago, david_navigator said:

If I understand correctly, with UniGUI all files that need to be served to any user go in a common /files/ folder.

So how do I stop User 1 from viewing User 2's files (I'm using the UniPDF viewer).

For example, if I generate a pdf for User 1 with a copy of their invoice (user1_invoice.pdf), how do I stop User 2 just making a guess and typing in https://www.mydomain.com/files/user1_invoice.pdf in an attempt to find a copy of user 1's invoice. I can obviously use a random name for the pdf, maybe using a GUID e.g user1_B12CBDDD-A333-4ADA-888D-DAF0A1894D40_invoice.pdf but it doesn't feel like it's the correct (and secure) way to do this.

Any suggestions please (I need to display the pdf in the UniPDF control, not I can't just download on client machine) ?

Thanks

David

Hello, if I can offer you:

Connect a user to a user session so that only the user opens that session to see the pdf.

Something like:

1. Create a pdf named usersession_pdfName.pdf

2. When viewing the url, make sure the user session is the same as the pdf name

 

Or even cookie for user pdf creation procedure.

1. The user starts to create a pdf; before starting the procedure, create a temporary cookie
2. The user opens the pdf, but before opening the pdf check the cookie


7 minutes ago, irigsoft said:

Hello, if I can offer you:

Connect a user to a user session so that only the user opens that session to see the pdf.

Something like:

1. Create a pdf named usersession_pdfName.pdf

2. When viewing the url, make sure the user session is the same as the pdf name

But that won't stop user 2 simply typing https://www.mydomain.com/files/user1_invoice.pdf directly in to their browser and viewing the file without my app being involved.


11 minutes ago, irigsoft said:

Something like:

1. Create a pdf named usersession_pdfName.pdf

2. When viewing the url, make sure the user session is the same as the pdf name

What if the user logs in again?

It is better for the user to create a unique folder that is stored in the DB.


16 minutes ago, Sherzod said:

What if the user login again? 

It is better for the user to create a unique folder that is stored in the DB.

I am using a temporary folder for my application and in this folder I have different files from different users. If all the links can get these files by URL, for me this is a security issue.

If user2 can read from this directory, I need to do a server procedure (or mainmodule) that checks if this user has the right to download / open this file; one of my solutions will be my suggestion. When user2 tries to download a file created by user1 in the \files\ directory, the session manager (or server) must check and block it.

How to do it?

 

"It is better for the user to create a unique folder that is stored in the DB."

How to create directory in DB ?

These pdf files may be temporary


21 minutes ago, david_navigator said:

But that won't stop user 2 simply typing https://www.mydomain.com/files/user1_invoice.pdf directly in to their browser and viewing the file without my app being involved.

I'm not sure.

If user2 tries to access the pdf file, the session must be opened and the access verification procedure must be performed when the session is opened.

I'm using a different folder and trying to get a file from this directory and I can't.

Maybe that's the solution


Sherzod,

What is the best practice if I have different users and they all need to receive only their own files.

A simple example:

I have Stand Alone application

My app allows users to watch video files. All of these videos are paid.

If I have 3 users and user1 has paid for Video1, user2 has paid for video2 and user3 has paid for video3.

If everyone can download video1 (2 or 3) from one directory (\ files) by url, that means that all user can download all these 3 video files without paying, right?


david_navigator,

You can apply something simple: when user1 starts to create (or open) a pdf, add to the url its own code like "/?F=UjSdR100O". This code is generated for the user when opening the session,

so when user2 tries to access the file by url, it must use the same code to get to user1's files.

The url will be: https://www.mydomain.com/files/user1_invoice.pdf&F=UjSdR100O , and the download file procedure will check the F code
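The per-session URL code suggested above can be made unforgeable by deriving it with HMAC from a server-side secret, the session id, the file name and an expiry time, which goes a step beyond the plain code in the post. The following Delphi console program is an added example, not code from any poster or from uniGUI; ServerKey, MakeFileToken, MayDownload and the sample session ids and file names are hypothetical, and it assumes the check runs on the server before any file is sent.

```delphi
program SignedFileToken;
{$APPTYPE CONSOLE}
uses System.SysUtils, System.Hash;
const ServerKey = 'constructed-demo-key'; // constructed; load a random secret in practice

// Token = <expiryUnix>.<hex HMAC-SHA256 over "session|file|expiry">
function MakeFileToken(const SessionId, FileName: string; ExpiresUnix: Int64): string;
begin
  Result := IntToStr(ExpiresUnix) + '.' + THashSHA2.GetHMAC(
    SessionId + '|' + FileName + '|' + IntToStr(ExpiresUnix), ServerKey);
end;

// Accept only a bare file name: no path separators, no '..', no '|'.
function IsSafeFileName(const FileName: string): Boolean;
var C: Char;
begin
  Result := (FileName <> '') and (Pos('..', FileName) = 0);
  for C in FileName do
    if not CharInSet(C, ['A'..'Z', 'a'..'z', '0'..'9', '_', '-', '.']) then Exit(False);
end;

// Compare the whole string instead of stopping at the first difference.
function SameToken(const A, B: string): Boolean;
var I, Diff: Integer;
begin
  Diff := Length(A) xor Length(B);
  for I := 1 to Length(A) do
    if I <= Length(B) then Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

// Server-side check: SessionId is the requester's own session, never taken from the URL.
function MayDownload(const SessionId, FileName, Token: string; NowUnix: Int64): Boolean;
var DotPos: Integer; Expires: Int64;
begin
  DotPos := Pos('.', Token);
  Expires := StrToInt64Def(Copy(Token, 1, DotPos - 1), 0);
  // Recomputing with the requester's session means another user's token never matches.
  Result := (DotPos > 1) and IsSafeFileName(FileName) and (Expires >= NowUnix)
    and SameToken(Token, MakeFileToken(SessionId, FileName, Expires));
end;

var T: string;
begin
  T := MakeFileToken('SESSION-USER1', 'invoice_0001.pdf', 1700000600);
  Writeln('owner, in time: ', MayDownload('SESSION-USER1', 'invoice_0001.pdf', T, 1700000000));
  Writeln('other session : ', MayDownload('SESSION-USER2', 'invoice_0001.pdf', T, 1700000000));
  Writeln('after expiry  : ', MayDownload('SESSION-USER1', 'invoice_0001.pdf', T, 1700000601));
  Writeln('other file    : ', MayDownload('SESSION-USER1', 'invoice_0002.pdf', T, 1700000000));
end.
```

The check only protects files that cannot be fetched around it, so it belongs together with storing the PDFs in a folder that is not served directly.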


URL: https://youdmain.com:8077/files/user1file.pdf

This blocks URLs that try to get files from other directories.

If you try to open something like https://youdmain.com:8077/systemdir1/user1file.pdf, you will get error 405

 

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
begin
  // check if this is a new session: any URI other than '/' arriving without a Referer
  if (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '') then
  begin
    // The URI must start with /files/ (match at position 1, not anywhere in the string)
    if Pos(ARequestInfo.Host + '/files/', ARequestInfo.Host + ARequestInfo.URI) <> 1 then
    begin
      // Answer the request here with 405
      Handled := True;
      AResponseInfo.ResponseNo := 405;
      //AResponseInfo.ContentText := '<h1>Access denied</h1>';

      // save log (SaveHTMLLog is the poster's own helper, not shown here)
      SaveHTMLLog('NONE ACCEPTABLE COMMAND'
            + #9 + 'IP: ' + ARequestInfo.RemoteIP
            + #9 + 'URI: ' + ARequestInfo.URI
            + #9 + 'COMMAND: ' + ARequestInfo.Command
            + #9 + 'ROW COMMAND: ' + ARequestInfo.RawHTTPCommand
            + #9 + ARequestInfo.RawHeaders.Text
            + #9 + ARequestInfo.Document
      );
      AResponseInfo.CloseConnection := True;
      AResponseInfo.CloseSession;
      Exit;
    end;
  end;
end;


Hi,

We don't expose important files and .fr3 (fastreport) to the web, we keep them in folder that doesn't exist in the 'root' of ServerModule and for generating report we create a temp. file for current user using the helper function of the Unigui:

ExportFileName := ServerModule.NewCacheFileUrl(False, ExportType, '', '', AUrl, True);

This will create a random file with a specific extension then we forward this to FastReport:

frxPDFExport.FileName       := ExportFileName;//<--- url for the temp file

 

And for displaying the report to the end user you just use the AUrl.

 

Also all attached files that been uploaded by the user are saved the same way in a folder that isn't exposed to the web and when needed we use the same technique above (yes another copy of the same file, and we keep the source file safe).


Just add this check for User1 sessionId.

1. Create Directory of user1 : /files/sessionID when User1's session start

2. Generate PDF files of User1 and save them in /files/sessionID

3. Add in the function a check by sessionID like this

if (POS (ARequestInfo.Host + '/files/' + uniSession.SessionId + '/',ARequestInfo.Host + ARequestInfo.URI) = 0) then .....

 

When User2 tries to get files of User1, the function will check the sessionID and block User2 from getting files of User1.
  

 


7 minutes ago, mhmda said:

Hi,

We don't expose important files and .fr3 (fastreport) to the web, we keep them in folder that doesn't exist in the 'root' of ServerModule and for generating report we create a temp. file for current user using the helper function of the Unigui:





ExportFileName := ServerModule.NewCacheFileUrl(False, ExportType, '', '', AUrl, True);

This will create a random file with a specific extension then we forward this to FastReport:





frxPDFExport.FileName       := ExportFileName;//<--- url for the temp file

 

And for displaying the report to the end user you just use the AUrl.

 

Also all attached files that been uploaded by the user are saved the same way in a folder that isn't exposed to the web and when needed we use the same technique above (yes another copy of the same file, and we keep the source file safe).

Hi, how do you protect system directories?

I try to get files from system directories and don't have problems with that.

I know what the dirName is and what files are in the dir, and I just type the URL and get them, no problem.

How do you protect all system directories in a Stand Alone application?

At this point, if User2 enters the URL of ExportFileName, will User2 receive the file?


Just now, mhmda said:

From the web you can access this folder: "root\files" and sub-folders. If you put your important files in other folders:

If serverRoot is empty then the exposed folder is "files"

"root" and "files" are directories where you put your .exe file.

Dir "systemfiles" can't be accessed from the web !!

Thanks.

Can you tell me about this: at this point, if User2 enters the URL of ExportFileName, will User2 receive the file?


Just now, irigsoft said:

I use my own directories for system files, and they are in root directory (where MyApplication.exe is),

Is that error ?

If system files exist in a folder under 'root' then this is not good 🙂 you have to move them out of this directory.


The problem is that User2 receives a file from User1

In my example:

1. I have 3 users and they pay to receive Video1, Video2, Video3 files

2. If I send url1 to user1 for video1, user2 and user3 will not pay for this file, because the url is the same

How to protect Video1 from being downloaded by user2 and user3 without paying?
