Portal Engine Questions on portal engine and web parts.
Version 7.x > Portal Engine > Protecting a file from download without using permissions based on kentico user/roles
Member
matt-awg - 5/12/2013 8:16:53 PM
   
Protecting a file from download without using permissions based on kentico user/roles
Hello All,

I am looking to protect a file (inserted directly into the content tree, not a media library, etc.) from being directly downloaded via a link BUT I cannot use Kentico users/roles since this website does not have user accounts for the non-administrative portion of the website.

Basically, once a lead generation form is submitted, I want the person that submitted the form to have access to download a file. If they stored the link and sent it to someone else, it should NOT allow that person to download the file. All the searching I have done on securing documents always leads me back to users and roles and permissions. Is there any way to do this with built-in document permissions, macros, something? I was thinking I could set a cookie when the form is submitted successfully. Is there a way to check if a cookie has a certain value on a document and then deny access to that document if it does not? I am sure I could do something with custom coding with CMSRequestEvents but I was hoping to make this more flexible and controlled via the CMSDesk and not hard coded per document in some custom C# file. Any ideas?

Thanks,
Matt

Kentico Legend
Brenden Kehren - 5/13/2013 7:15:34 AM
   
RE:Protecting a file from download without using permissions based on kentico user/roles
Sounds pretty rudimentary but what about creating a webpart that has this input form and stores the data in a custom table. The form would take what you require as well as their client IP address. You could then check if the name, IP and email combination are the same when they come back to download it. The bad part is the client IP can change.

You could also store the form data and send them an email with a link in it that has a GUID that when clicked takes them to another page that checks the GUID and the file they wanted and "authorizes" it and lets them download it. Again you'd need to have that one other unique part in order to not allow them to forward the email to anyone else. Maybe mark a field as downloaded after they have been authorized.

Member
matt-awg - 5/13/2013 8:13:15 AM
   
RE:Protecting a file from download without using permissions based on kentico user/roles
Hi FroggEye,

This is a complicated custom biz form that does already set this cookie that I was talking about. I just need to know how I can check the cookie on the user clicking a link to a document. When you said this:

You could then check if the name, IP and email combination are the same when they come back to download it.

How would you go about checking this? I can just swap that out for checking the cookie but when it is a PDF or image uploaded as a document in the tree, where would I put the code to check the cookie? I can't find a way to put a macro or something on this type of document. Are you saying to create a separate page that does this checking and then redirects them to the file? If so, it is the same problem where someone can send the final link they land on to someone and then they can download the file.

If this was not a Kentico project I could do this easily and have done so on many projects. I would put the files in a non web accessible folder and serve the binary content directly to the user (as a download) from a page that checked their credentials (the cookie in this case). Is there a way to output the file somehow directly to the browser from this intermediate page and make the file itself protected with permissions so it could not be accessed directly?

Or maybe impersonate a generic user that has permissions to the file somehow once they submit the form? But I don't want them logged in as a user really. I feel like I am overcomplicating this and that there must be some built-in Kentico function for this that I am just missing.

Thanks,
Matt

Kentico Legend
Brenden Kehren - 5/13/2013 11:43:12 AM
   
RE:Protecting a file from download without using permissions based on kentico user/roles
matt-awg wrote:
You could then check if the name, IP and email combination are the same when they come back to download it.

How would you go about checking this? I can just swap that out for checking the cookie but when it is a PDF or image uploaded as a document in the tree, where would I put the code to check the cookie? I can't find a way to put a macro or something on this type of document. Are you saying to create a separate page that does this checking and then redirects them to the file? If so, it is the same problem where someone can send the final link they land on to someone and then they can download the file.

You could still use your cookie if you'd like; I was thinking of a more robust database-driven solution because of the weird cookie laws going into effect. The combination of whatever you want to validate can be done on any page by whatever webpart or simple custom code you set up. The key is to lock the content/PDF down so no one can download it unless they are authorized. When they have been authorized based on your validation rules, use/create a temporary user account and grant that account access to download the file.

So what you're doing is creating or using a temporary user account and assigning a role that has access to that content, then removing the user and/or role after they have successfully performed their actions. You might need several users based on how many people might be accessing the content at once.

Member
matt-awg - 5/18/2013 12:38:01 PM
   
RE:Protecting a file from download without using permissions based on kentico user/roles
Thanks for the ideas FroggEye. What I ended up doing was creating my own custom aspx page that you pass in a "download ID" and it checks if you have the cookie set and if so, it looks up the ID, gets the file path (it is stored in a non web accessible directory) and then it gets the binary data and writes it out to the browser directly. It seems to be working as I needed. When the user fills out the required form correctly, I set the cookie and output the link to the custom page mentioned above.

Thanks,
Matt

Kentico Legend
Brenden Kehren - 5/19/2013 8:03:21 PM
   
RE:Protecting a file from download without using permissions based on kentico user/roles
So do the users have a given time that this link is available? Just something to think about, cookies work although if the user chooses to delete the history and clear the cookies then their chance at downloading is gone.

Member
matt-awg - 5/20/2013 9:21:53 AM
   
RE:Protecting a file from download without using permissions based on kentico user/roles
The user really only should have access to the file immediately after filling out the form but the cookie will let them try again if they have a problem downloading it or something. The user will not be expecting to be able to go back a few days later and download the file again. This is the way it is intended to function so it should be fine. Thanks!
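
The download page described in this thread, together with the time limit discussed in the last two posts, sketched as an ASP.NET generic handler. This is an added example, not code from the thread: the class name, cookie name, `LeadDownloadKey` appSettings entry, folder and ID map are hypothetical, and the HMAC signature and expiry inside the cookie are assumptions added so that a visitor cannot set the cookie by hand or reuse it indefinitely.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;
// Added example. Class, cookie name, appSettings key, folder and ID map are hypothetical.
public class LeadDownloadHandler : IHttpHandler
{
    const string CookieName = "LeadDownload";
    const string Root = @"D:\ProtectedFiles";            // folder outside the web root
    static readonly byte[] Key =                         // secret kept in web.config appSettings
        Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["LeadDownloadKey"]);
    static readonly Dictionary<string, string> Files =   // download ID -> file name
        new Dictionary<string, string> { { "whitepaper-1", "whitepaper.pdf" } };

    static string Sign(string payload)                   // hex MAC, e.g. "AB-12-..."
    {
        using (var h = new HMACSHA256(Key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    static bool SameMac(string a, string b)              // compares without an early exit
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Call once the form validates. Value is "<id>.<expiry ticks>.<mac>"; Secure assumes HTTPS.
    public static HttpCookie Issue(string id, TimeSpan lifetime)
    {
        string payload = id + "." + DateTime.UtcNow.Add(lifetime).Ticks;
        return new HttpCookie(CookieName, payload + "." + Sign(payload)) { HttpOnly = true, Secure = true };
    }

    public void ProcessRequest(HttpContext ctx)
    {
        string id = ctx.Request.QueryString["id"], file = null;
        HttpCookie c = ctx.Request.Cookies[CookieName];
        string[] p = c == null || c.Value == null ? new string[0] : c.Value.Split('.');
        long ticks = 0;
        bool ok = id != null && p.Length == 3 && p[0] == id && SameMac(Sign(p[0] + "." + p[1]), p[2])
            && long.TryParse(p[1], out ticks) && DateTime.UtcNow.Ticks < ticks
            && Files.TryGetValue(id, out file);          // only mapped IDs, never a client-supplied path
        if (!ok) { ctx.Response.StatusCode = 403; return; }
        ctx.Response.ContentType = "application/octet-stream";
        ctx.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + file + "\"");
        ctx.Response.TransmitFile(Path.Combine(Root, file));
    }
    public bool IsReusable { get { return true; } }
}
```

The form's success code would add `LeadDownloadHandler.Issue("whitepaper-1", TimeSpan.FromHours(1))` to `Response.Cookies` and render a link carrying only the download ID; a forwarded link then returns 403 in any browser that lacks the cookie.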