mhmda Posted March 22, 2021
Just now, irigsoft said: If I change Server root: root to mynewroot, what problems can wait?
Then just copy your files (images, css, js...) to the new path: mynewroot\files\..... After changing, when you use for example a url for an image: 'files/images/copy.png', the server will search for the image inside the new path: mynewroot\files\images\copy.png. You don't need to change anything in your code, just copy the needed files (folders) to the new root: mynewroot folder 🙂
mhmda Posted March 22, 2021
1 minute ago, irigsoft said: The problem is that User2 receives a file from User1. In my example: 1. I have 3 users and they pay to receive Video1, Video2, Video3 files. 2. If I send url1 to user1 for video1, then user2 and user3 will not pay for this file, the url is the same. How to protect Video1 from download by user2 and user3 without paying?
Then you have to know the session id for the right user; if a user has no rights to access this video, then block the request.
irigsoft Posted March 22, 2021
1 minute ago, mhmda said: Then just copy your files (images, css, js...) to the new path: mynewroot\files\..... After changing, when you use for example a url for an image: 'files/images/copy.png', the server will search for the image inside the new path: mynewroot\files\images\copy.png. You don't need to change anything in your code, just copy the needed files (folders) to the new root: mynewroot folder 🙂
Thanks, I see that the root of my server is empty, is this a security issue?
mhmda Posted March 22, 2021
We use a record for the current user which also includes the session id, then it is easy to know if the current user has the right to view/download the video or any other file.
irigsoft Posted March 22, 2021
1 minute ago, mhmda said: Then you have to know the session id for the right user; if a user has no rights to access this video, then block the request.
Yes, and I propose that. Do you have some uniGUI technique for that?
mhmda Posted March 22, 2021
Just now, irigsoft said: Thanks, I see that the root of my server is empty, is this a security issue?
No, it means that the exposed folder is the value of the "FilesFolder".
irigsoft Posted March 22, 2021
9 minutes ago, mhmda said: No, it means that the exposed folder is the value of the "FilesFolder".
It's ok. I wrote a function in server.UniGUIServerModuleHTTPCommand to catch whether the sessionId is correct for User1 and explained what I was doing. I think it's a good solution, what do you think?
mhmda Posted March 22, 2021
I just answered your question "I see that the root of my server is empty, is this a security issue?" with 'No'....
irigsoft Posted March 22, 2021
Just now, mhmda said: I just answered your question "I see that the root of my server is empty, is this a security issue?" with 'No'....
I am sorry, an error in my English. "I wrote a function in server.UniGUIServerModuleHTTPCommand to catch whether the sessionId is correct for User1 and explained what I was doing. I think it's a good solution, what do you think?"
mhmda Posted March 22, 2021
hhhhhhh, you are doing just fine 🙂
irigsoft Posted March 22, 2021
Just now, mhmda said: hhhhhhh, you are doing just fine 🙂
Thanks. I hope we together will help david.
mhmda Posted March 22, 2021
Sure
david_navigator (Author) Posted March 22, 2021
1 hour ago, mhmda said: Besides that, didn't you think about digitally signing your pdf files as we did? This way no one can edit your pdf files.
I'm not bothered about them being edited, I just want to make sure that User1 can't view files aimed for User2.
mhmda Posted March 22, 2021
For sensitive files: Rec., Invoice, TXI... this is very important.
david_navigator (Author) Posted March 22, 2021
7 minutes ago, mhmda said: For sensitive files: Rec., Invoice, TXI... this is very important.
Absolutely, but my PDFs are being generated on a different system and are just available to view in my UniGUI app.
irigsoft Posted March 23, 2021
7 hours ago, david_navigator said: Absolutely, but my PDFs are being generated on a different system and are just available to view in my UniGUI app.
Hi, I gave you a way to add security for that in the uniGUI app. Have you tried it?
david_navigator (Author) Posted March 23, 2021
@irigsoft
Quote: if (POS (ARequestInfo.Host + '/files/' + uniSession.SessionId + '/', ARequestInfo.Host + ARequestInfo.URI) = 0) then .....
Where are you putting this, in UniGUIServerModuleHTTPCommand? I just get an AV from uniSession.SessionId
irigsoft Posted March 23, 2021
1 hour ago, david_navigator said: @irigsoft Where are you putting this, in UniGUIServerModuleHTTPCommand? I just get an AV from uniSession.SessionId
My mistake, when the referrer is empty, no session is opened. unisession.sessionID is not enabled before the session is created, please try this:

var
  IsEnabledDir: Boolean;

// OnHTTPCommand handler of TUniServerModule. Needs uniGUIApplication (for
// UniSession) and IdCustomHTTPServer (Indy request/response types) in the
// uses clause of ServerModule.pas.
procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);

  // Answer 405, log the request and close the session. SaveHTMLLog is the
  // poster's own logging helper, defined elsewhere in the project.
  procedure Deny;
  begin
    Handled := True;
    AResponseInfo.ResponseNo := 405;
    // AResponseInfo.ContentText := '<h1>Access denied</h1>';
    SaveHTMLLog('NONE ACCEPTABLE COMMAND'
      + #9 + 'IP: ' + ARequestInfo.RemoteIP
      + #9 + 'URI: ' + ARequestInfo.URI
      + #9 + 'COMMAND: ' + ARequestInfo.Command
      + #9 + 'RAW COMMAND: ' + ARequestInfo.RawHTTPCommand
      + #9 + ARequestInfo.RawHeaders.Text
      + #9 + ARequestInfo.Document);
    AResponseInfo.CloseConnection := True;
    AResponseInfo.CloseSession;
  end;

begin
  IsEnabledDir := True;
  // A request without a referer to something other than '/' is a direct (new) request
  if (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '') then
  begin
    // First check: is the request trying to reach the files dir at all?
    if Pos(ARequestInfo.Host + '/files/', ARequestInfo.Host + ARequestInfo.URI) = 0 then
    begin
      IsEnabledDir := False;
      Deny;
      Exit;
    end;

    // Second check: the files dir is requested and a session exists, so only
    // the session's own directory /files/<SessionId>/ may be read.
    // Note the parentheses: 'IsEnabledDir and uniSession <> nil' does not compile.
    if IsEnabledDir and (UniSession <> nil) then
    begin
      // and (ARequestInfo.Cookies.Cookie('UNI_GUI_SESSION_ID').CookieText <> '') // if session was created
      if Pos(ARequestInfo.Host + '/files/' + UniSession.SessionId + '/',
             ARequestInfo.Host + ARequestInfo.URI) = 0 then
      begin
        // asking for a file from another session's directory
        Deny;
        Exit;
      end;
    end;
  end;
end;
david_navigator (Author) Posted March 23, 2021 (edited)
1 hour ago, irigsoft said: and uniSession <> nil
uniSession is always nil during my tests, so the code never runs.
Edited March 23, 2021 by david_navigator
irigsoft Posted March 23, 2021
47 minutes ago, david_navigator said: Delphi won't compile: [dcc32 Error] ServerModule.pas(88): E2029 '[' expected but '(' found
Replace with this: ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].Value
david_navigator (Author) Posted March 23, 2021
24 minutes ago, irigsoft said: Replace with this: ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].Value
That gives me an invalid class typecast at runtime. Maybe @Sherzod can tell us how to get the user's session ID from within TUniServerModule.UniGUIServerModuleHTTPCommand?
irigsoft Posted March 23, 2021
14 minutes ago, david_navigator said: That gives me an invalid class typecast at runtime. Maybe @Sherzod can tell us how to get the user's session ID from within TUniServerModule.UniGUIServerModuleHTTPCommand?
Maybe. My concept is this:
1. Check if a new request is made: if (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '')
2. If yes, check if it asks to get forbidden folders: if (POS(ARequestInfo.Host + '/files/', ARequestInfo.Host + ARequestInfo.URI) = 0)
3. If the folder is not forbidden, then check if the user asks from their own session.
4. In point 3 you must find out if the session is opened, therefore it is checked with 3 points:
   - If IsEnabledDir (result from the first check)
   - and uniSession <> nil (result: the session is created)
   - and (ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].Value <> '') // if the session was created, this is not empty
   - (POS(ARequestInfo.Host + '/files/' + uniSession.SessionId + '/', ARequestInfo.Host + ARequestInfo.URI) = 0) then begin // after all you check if user and session are the same
I don't know how you tried this example. I tested it in 2 ways:
1. Try to get a normal session; all checks in my procedure are ignored. On the first check, this ignores CloseSession: if (POS(ARequestInfo.Host + '/files/', ARequestInfo.Host + ARequestInfo.URI) = 0), there is no '/files/' url. On the second check, after IsEnabledDir = true, ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].Value <> '' is ignored, because the session is created. That makes me think that it will work.
2. Try to get a forbidden folder, and the first check shows a message with ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].Value
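An added example, not code from this thread: step 3 of the concept above (the "own session directory" test) pulled out into a pure function that can be unit-tested outside the server module, with a minimal handler that calls it. It assumes, as the thread does, that per-session files are published below '/files/<SessionId>/'; the function name and the 403 response are this example's choices.

```pascal
uses
  System.SysUtils, System.StrUtils;

// Added example (not from the thread). Returns True for paths outside
// '/files/' (not this check's concern) and False for an empty session id,
// a backslash, a '..' segment or another session's directory.
function FilesPathAllowed(const URI, SessionId: string): Boolean;
var
  Path, Segment: string;
  QueryPos: Integer;
begin
  Result := False;
  // Compare the path only; the query string must not take part in the match
  QueryPos := Pos('?', URI);
  if QueryPos > 0 then
    Path := Copy(URI, 1, QueryPos - 1)
  else
    Path := URI;
  if not StartsStr('/files/', Path) then
    Exit(True);
  // Without a session there is no directory the caller may own
  if SessionId = '' then
    Exit;
  // Fail closed on path tricks before the prefix test
  if Pos('\', Path) > 0 then
    Exit;
  for Segment in SplitString(Path, '/') do
    if Segment = '..' then
      Exit;
  // Anchored at the start of the path, not found anywhere inside it
  Result := StartsStr('/files/' + SessionId + '/', Path);
end;

// Handler usage: UniSession is nil before a session exists, which the
// function turns into a denial for everything below '/files/'.
procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
var
  SessionId: string;
begin
  SessionId := '';
  if UniSession <> nil then
    SessionId := UniSession.SessionId;
  if not FilesPathAllowed(ARequestInfo.URI, SessionId) then
  begin
    AResponseInfo.ResponseNo := 403; // Forbidden (the thread's code answers 405)
    Handled := True;
  end;
end;
```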
irigsoft Posted July 29, 2021
Hello, I found a solution for me: