Attach a document to a page / security

Olivier Cozette asked on July 7, 2015 20:58

When attaching a document to a page, and then securing that page, what is the "Kentico" expected behaviour for this attachment?

a) Because the page is secured, the document is also secured?

b) If I know or guess the direct link, I can access the attachment?

Ex:

root
Page A (Unsecured)
    Attachment to page A
Page B (Secured)
    Attachment to page B (like: "/files/66/66701710-dd57-4426-a5c6-2b3cd058af67.pdf")

So if I go to "http://mysite.org/Page B", Kentico answers with a login page, but if I go to the attachment directly, like "http://mysite.org/files/66/66701710-dd57-4426-a5c6-2b3cd058af67.pdf", Kentico gives me the PDF...

So, if the answer is B, is there any way to prevent the files from being shown without permission? (and the option to check files security is enabled...) Thanks!

Correct Answer

Roman Hutnyk answered on July 7, 2015 21:11

Answer is A.

But the link in your example, http://mysite.org/files/66/66701710-dd57-4426-a5c6-2b3cd058af67.pdf, is a direct link to the file in the file system, so Kentico does not process it. It should look like http://mysite.org/CMSPages/getAttachment/66701710-dd57-4426-a5c6-2b3cd058af67..... something like this to perform all security checks.

So I can see 2 solutions for your problem:

1) generate/supply links in a different way (it still does not secure http://mysite.org/files/66/66701710-dd57-4426-a5c6-2b3cd058af67.pdf)

2) apply security to the files folder through the web.config file

Thanks!

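A sketch of option 2 from the answer above, as an added example that is not part of the original answer or of Kentico's own configuration. It assumes the site uses forms authentication, runs in the IIS integrated pipeline, and that `files` is the site-relative folder shown in the question's URLs:

```xml
<configuration>
  <!-- Assumption: "files" is the site-relative folder from the URLs in the question. -->
  <location path="files">
    <system.web>
      <authorization>
        <!-- "?" matches anonymous users: they are redirected to the login page
             instead of receiving the file. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <!-- Static files such as .pdf only pass through ASP.NET forms authentication
         and URL authorization when managed modules run for every request.
         If the existing web.config already has a <modules> element, set the
         attribute there instead of adding a second element. -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
```

This rule only distinguishes anonymous from authenticated users: it does not apply the per-page permissions of the page the file is attached to, and it also blocks anonymous access to attachments of unsecured pages stored in the same folder.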

Recent Answers


Olivier Cozette answered on July 8, 2015 15:31

Thanks Roman, it is working as you suggest. The only drawback is, once the document is evaluated by Kentico, it still generates the direct link on the URL, so my link is

<a target="_blank" href="~/getattachment/<%#  (Eval("AttachmentGUID")) %>/<%#  Eval("NodeAlias") %>.aspx">
<%# Eval("AttachmentName",true) %>
</a>

which generates the following link:

<a target="_blank" href="/getattachment/66701710-dd57-4426-a5c6-2b3cd058af67/MyFile.aspx">
MyFile.pdf
</a>

But once I click this link, the URL again shows:

http://shsjdevweb15:8025/CORPO/files/66/66701710-dd57-4426-a5c6-2b3cd058af67.pdf

And then you have the direct link again !

Is it possible to keep the generated URL without being converted to the direct path ?

Thanks !
