Portal Engine Questions on portal engine and web parts.
Version 5.x > Portal Engine > getfileurl document security View modes: 
User avatar
Member
Member
wade.cormie-gmail - 4/8/2011 4:30:25 AM
   
getfileurl document security
I'm currently developing a site in kentico 5.5, and one of the requirements is to create a list of resources (documents and files). Each resource can have a security requirement where the user needs to enter a clientid, which is checked against a non kentico table, and granted or denied access accordingly.

I'm listing the resources on a page in a repeater. For simple documents, I'm using pagemethods to check if the resource requires a clientid for verification. If so, it unhides a div, containing a clientid field and a submit button. When the user hits submit, it checks against the database, and if valid, sets it to a session variable, and redirects to the resource, which then does it's own check for the clientid session (in case someone manually types in the address), and then allows access.

The problem exists when the resource is a file, i.e. a word document, pdf, etc...

My initial check works, and it won't redirect if they don't have a valid client ID. However if you just check the source and copy result of getfileurl and paste into the browser, it opens the file.

How can I add the same security check to the getfileurl page, so that it won't open the file if the clientid doesn't exist in the session variable?

User avatar
Member
Member
kentico_alleng - 4/8/2011 5:14:33 PM
   
RE:getfileurl document security
One way to accomplish this would be to add a check that the clientid exists and is valid in the global.asax.cs file in the App_Code folder.

Add the checks to the Application_BeginRequest handler and if clientid doesn't exist or is incorrect, you could redirect to a custom error page (or however you'd like this situation handled).


Regards,

Allen Greenhaw