+1-888-365-2779
Try Now
More in this section

Forums / General Discussions / Secure pages and documents

Secure pages and documents

5 posts, 0 answered
  1. ming
    ming avatar
    8 posts
    Registered:
    26 Dec 2008
    01 Mar 2013
    Link to this post

    I need to protect documents in my Sitefinity 5.0.1 site.

    If the user has not authenticated, then it cannot simply download the documents.

    I found a similar post, and solution in the following forum post, but it's for Sitefinity 3.7 only. 

    I needed for 5.01....thanks, Ming

    http://www.sitefinity.com/developer-network/forums/general-discussions/secure-pages-and-documents 

  2. ming
    ming avatar
    8 posts
    Registered:
    26 Dec 2008
    04 Mar 2013 in reply to ming
    Link to this post

    Hello, anyone here??

    The previous article talked about adding code to pipeline ContentHttpHandler, but this handler is only in 3.7.

    There is no such handler in 5.0.1, and the closest httpHander that I can see looks like :

    <add verb="*" path="Telerik.Sitefinity.FilesDownloadHandler.ashx" type="Telerik.Sitefinity.Modules.Files.FilesDownloadHandler,
    Telerik.Sitefinity" />

    However, I cannot find such FilesDownloadHandler.ashx either....Anyone?

             Thanks, Ming

  3. Svetla
    Svetla avatar
    36 posts
    Registered:
    07 Sep 2015
    04 Mar 2013
    Link to this post
    Hi Ming,

    This is handled by default/ The documents themselves have permissions around them. This means that you can state globally that you only want authenticated users to be able to view a document. 

    Go to Documents and Files and on the right hand side you will see permissions. There you can set the global permissions on documents. By default all documents and libraries inherit those global permissions but you can break this inheritance and have individual permissions per documents or per libraries which allows you to get very granular. Here is a video of how you set the global permissions and then break the inheritance for a single document and here is the documentation on the topic as well.


    Sitefinity by default has an HTTP handler that looks at the permissions for documents. Document listings will not display documents that we are not allowed to view and on top of this If anybody who is not allowed to view the document tries to access it via direct link, the HTTP handler takes care of this and returns a 403 'unauthorized request'

    I hope this information helps!

     

    All the best,
    Svetla
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  4. ming
    ming avatar
    8 posts
    Registered:
    26 Dec 2008
    05 Mar 2013 in reply to Svetla
    Link to this post

    Hi Svetla,

        Thanks for the reply, and it's helpful to know about the built in security around the Sitefinity documents.  However, in our case, we actually don't have logged in user; instead, we are employing eloqua's gated forms; therefore, whether the user can download any documents is actually by checking against the eloqua's cookie.  So, we are still interested in having the pipeline solution, like the previous article in Sitefinity 3.7.  And in this pipeline, we will have to disallow document download if the eloqa cookie is not there.

        Thanks, Ming

  5. Svetla
    Svetla avatar
    36 posts
    Registered:
    07 Sep 2015
    07 Mar 2013
    Link to this post
    Hi Ming,

     This is handled in the LibraryHTTPHandler. There are a couple of  extension points here. The entire logic is in the LibraryHTTPHandler.ProcessRequest method where exxentially we look at the request for a document and we perform the following:

    Raise a downloading event before the response. The event is of type IMediaContentDownloadingEvent(docs) and also raises a Downloaded event once the request is sent. In your case you can hook to the DownloadingEvent.

    Side Note: There is another extension point that has to do with forum attachment and downloadable goods. The HTTP handler for documents asks if a download is allowed through a class implementing IDownloadSecurityProvider that only has one method called IsAllowed which basically returns a bool. For example if a user is trying to access a downlaodable product and hasn't purchased it it fires off and returns a false. This probalby doesn't apply much for your case but just for reference of others here is how you can hook to those and insert logic for restricting digital downloads purchased for Ecommerce. You would register this as such in global.asax.

    ObjectFactory.Container.RegisterType(typeof(IDownloadSecurityProvider), typeof(DownloadableGoodsCustomSecurityProvider),
                        DownloadableGoodsCustomSecurityProvider.SecurityProviderName, new ContainerControlledLifetimeManager(),
                        new InjectionConstructor());


    Hope this helps!

    Regards,
    Svetla
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
5 posts, 0 answered