Emile,
You are correct. If you have authenticated users, you will eventually have to approach how to programmatically change the behavior of your PDF files.
Advice that I can give you would be to avoid a scalable pitfall of assigning users to a particular file. Instead, assign a role to a file and then assign a role to a user. This way, you are not adding 1000 users to one file. You may add 1000 users to a role, but that never changes your implementation of the role associated to a file. Does that make sense?

Teddy R. Payne, ACCFD
Google Talk - [email protected]

On Thu, Dec 18, 2008 at 3:03 PM, shawn gorrell <[email protected]> wrote:

> That isn't the function of sandboxes.
>
> Here is a code sample of my previously described approach. It is primitive,
> but solves what you're trying to solve. Whatever directory your asset files
> live in should be set to no web access. CF will be able to get the files,
> but a web browser could not.
>
> <!--- Check the flag's value as well as its existence, so a login that set
>       IsLoggedIn to false does not pass --->
> <cfif not IsDefined("Session.Auth.IsLoggedIn") or not Session.Auth.IsLoggedIn>
> <cfinclude template="../login.cfm">
> <cfabort>
> </cfif>
>
> <cfparam name="url.filename" default="empty.txt">
> <!--- Accept only a bare file name: a value such as "..\..\Application.cfc"
>       would otherwise be appended to the files directory and read back --->
> <cfif url.filename NEQ GetFileFromPath(url.filename)
>       or not REFind("^[A-Za-z0-9_.-]+$", url.filename)>
> <cfabort>
> </cfif>
> <cfset thisPath = ExpandPath("*.*")>
> <cfset DirectoryPath = GetDirectoryFromPath(thisPath)>
> <cfset filepath = DirectoryPath & "files\">
> <cfset thefile = filepath & url.filename>
> <!--- ListLast rather than ListGetAt(url.filename, 2, "."): a name such as
>       "q4.report.pdf" has more than two dot-separated parts --->
> <cfset fileext = ListLast(url.filename, ".")>
>
> <cfswitch expression="#fileext#">
> <cfcase value="xls">
> <cfset mimetype = "application/vnd.ms-excel">
> </cfcase>
> <cfcase value="doc">
> <cfset mimetype = "application/msword">
> </cfcase>
> <cfcase value="pdf">
> <cfset mimetype = "application/pdf">
> </cfcase>
> <cfcase value="ppt">
> <cfset mimetype = "application/vnd.ms-powerpoint">
> </cfcase>
> <cfcase value="pps">
> <cfset mimetype = "application/vnd.ms-powerpoint">
> </cfcase>
> <cfcase value="txt">
> <cfset mimetype = "text/plain">
> </cfcase>
> <cfdefaultcase>
> <cfset mimetype = "">
> </cfdefaultcase>
> </cfswitch>
>
> <cftry>
> <cfheader name="Content-disposition" value="inline; filename=#url.filename#">
> <cfcontent file="#thefile#" type="#mimetype#">
>
> <cfcatch>
> There was a problem retrieving your file.
> </cfcatch>
> </cftry>
>
> ------------------------------
> *From:* Emile Melbourne <[email protected]>
> *To:* [email protected]
> *Sent:* Thursday, December 18, 2008 2:55:33 PM
> *Subject:* Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory
>
> Thanks guys for all your responses.
>
> Only users who have logged in/authenticated should be authorized to view these secured pdf files and images. In the future, I imagine specific pdfs will be viewable to specific authenticated users, which I suppose would be the authorization topic Teddy is getting at. Am I right about this?
>
> I'm going to test putting the files meant to be secure outside of the site root folder and getting it to work that way.
>
> I've also come across settings found in the ADOBE COLDFUSION ADMINISTRATOR meant to let users enable and disable access to specific files and directories:
> Security > Resource Security > CHECK "Enable ColdFusion Sandbox Security"
>
> Do you guys know if this is also a solution to this particular problem?
>
> Thanks Again
> Emile
>
>
> On Thu, Dec 18, 2008 at 1:43 PM, Teddy R. Payne <[email protected]> wrote:
>
>> Mischa,
>> Yes, but as you can see from Shawn's comment, Shawn was approaching the topic from the point of authorization. From the response by Troy, this leads to authentication.
>>
>> So, his usage of diction or use of the word is indeed correct, but not everyone interpreted it that way, as it still provided some confusion regardless.
>>
>> The solution may very well use both concepts to achieve his desired result.
>>
>> A use that I have witnessed has to deal with Shawn's suggestion of putting the files in a non-webroot accessible directory or network source. Then a controller mechanism would have to understand how to "serve once" either through a mechanism of being an authenticated user with an authorized role of being able to see a document.
>> Or, the site does not have authentication and the mechanism must have a more introspective ability to discern a user through their token, IP or whatever. The public approach would suggest a tracking process to see if a particular requestor has asked for the document before or not.
>>
>> This also brings up the question, how do you determine who has the authorization to request a particular artifact multiple times?
>>
>> This may be over complicating his initial scope of the application, but these are questions that I would ask whenever someone would task me with a file serving application on potentially limited released documents.
>>
>> In any event, I was not criticizing Emile. I was asking for more detail before offering generic advice/guidance.
>>
>> Teddy R. Payne, ACCFD
>> Google Talk - [email protected]
>>
>> On Thu, Dec 18, 2008 at 1:32 PM, Mischa Uppelschoten ext 10 <[email protected]> wrote:
>>
>>> OP never used the word "authentication". From wikipedia: "authorization is the concept of allowing access to resources only to those permitted to use them." Seems to me he used the term properly.
>>> /m
>>>
>>> : Emile,
>>> : From your description, you really need to define what "authorized" and "not authorized" means.
>>> :
>>> : This will help clarify to the people assisting you as to the approach they can suggest.
>>> :
>>> : As "authorization" and "authentication" oftentimes are used interchangeably by developers when in fact they represent two distinctly different topics.
>>> :
>>> : Teddy R. Payne, ACCFD
>>> : Google Talk - [email protected]
>>> :
>>> : On Thu, Dec 18, 2008 at 12:00 PM, Emile Melbourne <[email protected]> wrote:
>>> :
>>> : Hey Everyone,
>>> :
>>> : I am currently in the process of building my first secured site. Most pages of the site will be behind a login page.
>>> : I'm using ColdFusion's Application.cfc onRequestStart function to check if a user is logged in or not. That's pretty much boilerplate.
>>> :
>>> : My concern is how to prevent a non-authorized user from accessing or hotlinking to a non-ColdFusion page (i.e., images, pdfs, swfs, .txt etc).
>>> :
>>> : What's the best way to ensure a user can't link directly to these items but instead be redirected to login.cfm?
>>> :
>>> : Is there a way to lock down an entire directory?
>>> :
>>> : Thank you for all your help
>>> : Emile
>>> :
>>> : -------------------------------------------------------------
>>> : To unsubscribe from this list, manage your profile @
>>> : http://www.acfug.org?fa=login.edituserform
>>> :
>>> : For more info, see http://www.acfug.org/mailinglists
>>> : Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>>> : List hosted by FusionLink <http://www.fusionlink.com>
>>> : -------------------------------------------------------------
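The following is an added example, not code posted by Shawn, Teddy or anyone else in this thread. It combines the two suggestions above into one gate script: Shawn's approach of keeping the files in a directory the web server does not serve and streaming them from ColdFusion after a login check, and Teddy's approach of tying roles to files and roles to users rather than users to files. The script name (getfile.cfm), the storage directory (secureRoot), the two role maps, and the session.auth.roles comma list are all assumptions made for the example; in a real site the maps would come from the database. The syntax assumes ColdFusion 9 or later (or Lucee) for cfscript functions, struct literals and for-in loops.

```cfml
<!--- getfile.cfm (added example): one gate script in front of files kept outside the web root --->

<!--- 1. Authentication: the same session flag Shawn's sample relies on; bounce to login otherwise --->
<cfif NOT (StructKeyExists(session, "auth")
           AND StructKeyExists(session.auth, "isLoggedIn")
           AND session.auth.isLoggedIn)>
    <cflocation url="/login.cfm" addtoken="false">
</cfif>

<cfscript>
// Assumption: this directory is not mapped by the web server, so only this script can read it.
secureRoot = "D:\secure_files\";

// Assumption: in production both maps come from the database. Per Teddy's advice, a file is
// tied to roles and a user is tied to roles; users are never tied to individual files.
fileRoles = {
    "annual_report.pdf" = "finance,board",
    "payroll.xls"       = "finance",
    "handbook.pdf"      = "staff,finance,board"
};
// Assumption: the login code stores the user's roles as a comma list in session.auth.roles.
userRoles = StructKeyExists(session.auth, "roles") ? session.auth.roles : "";

// 2. Accept only a bare file name: no directory part, no "..", only expected characters.
//    This is what stops ?filename=..\..\Application.cfc from being appended to secureRoot.
function safeFileName(required string raw) {
    if (raw NEQ GetFileFromPath(raw)) return "";       // a directory part was supplied
    if (NOT REFind("^[A-Za-z0-9][A-Za-z0-9_.-]{0,99}$", raw)) return "";
    if (Find("..", raw)) return "";                      // belt and braces against traversal
    return raw;
}

// 3. Authorization: grant if any role of the user is in the file's role list.
//    A file with no role entry is denied by default rather than served.
function isAuthorized(required string fileName, required string rolesOfUser, required struct rolesByFile) {
    if (NOT StructKeyExists(rolesByFile, fileName)) return false;
    for (var role in ListToArray(rolesOfUser)) {
        if (ListFindNoCase(rolesByFile[fileName], Trim(role))) return true;
    }
    return false;
}

// 4. Content types by extension; anything else is forced to a download rather than sniffed.
mimeTypes = {
    pdf = "application/pdf",               doc = "application/msword",
    xls = "application/vnd.ms-excel",      ppt = "application/vnd.ms-powerpoint",
    pps = "application/vnd.ms-powerpoint", txt = "text/plain",
    png = "image/png", jpg = "image/jpeg", gif = "image/gif",
    swf = "application/x-shockwave-flash"
};

param name="url.filename" default="";
fileName = safeFileName(url.filename);
</cfscript>

<cfif NOT Len(fileName) OR NOT isAuthorized(fileName, userRoles, fileRoles)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>You are not authorized to view this file.</cfoutput>
    <cfabort>
</cfif>

<cfset fullPath = secureRoot & fileName>
<cfif NOT FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>There was a problem retrieving your file.</cfoutput>
    <cfabort>
</cfif>

<cfset ext = LCase(ListLast(fileName, "."))>
<cfif StructKeyExists(mimeTypes, ext)>
    <cfset mimeType = mimeTypes[ext]>
    <cfset disposition = "inline">
<cfelse>
    <cfset mimeType = "application/octet-stream">
    <cfset disposition = "attachment">
</cfif>

<cfheader name="X-Content-Type-Options" value="nosniff">
<cfheader name="Content-Disposition" value="#disposition#; filename=""#fileName#""">
<cfcontent file="#fullPath#" type="#mimeType#">
```

Links in the site then point at getfile.cfm?filename=handbook.pdf rather than at the file itself, so a hotlinked URL hits the login redirect and an authenticated user without a matching role gets a 403. Adding a user to a role changes only the userRoles side; the fileRoles entry for a document stays as it was, which is the scaling point Teddy makes above.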
