Re: [Zope-dev] access of non html documents
Hi Roberto, One solution is to provide a temporary identifyer via cookie, which gets set if the user sees your page but is not set if she wants to download it directly. A simple non guessable scrable mechanism using your page url, file url and probably ip of the downloader should do for the cookie value. File objects can have a precondition which refers to a method where you can evaluate the cookie and serve the file or refuse access (via raise Redirect,url) I would not recommend to use HTTP_REFERRER for this, because this is by no way relieable. Regards Tino --On Dienstag, 12. November 2002 16:11 -0800 General Info [EMAIL PROTECTED] wrote: i have the following situation. i want the users to be able to download non html documents if that document is refered to from an html document. however, i dont want the users to be able to type the url and document name on the url box of their browers and be able to download it. for example: the documents exist in http://www.wwwdotcom.com/nonhtmldocs/doc1.pdf however, i dont want the users to type that url on their browser and access doc1.pdf i only want them to access it if that particular document is linked from an html document. i have seen some websites that do that w/ images. how can i do that on zope? is it possible? i would appreciate any comments/suggesstions. -roberto ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] access of non html documents
i have the following situation. i want the users to be able to download non html documents if that document is refered to from an html document. however, i dont want the users to be able to type the url and document name on the url box of their browers and be able to download it. for example: the documents exist in http://www.wwwdotcom.com/nonhtmldocs/doc1.pdf however, i dont want the users to type that url on their browser and access doc1.pdf i only want them to access it if that particular document is linked from an html document. i have seen some websites that do that w/ images. how can i do that on zope? is it possible? i would appreciate any comments/suggesstions. -roberto
Re: [Zope-dev] access of non html documents
One way to do this is to peek at the HTTP_REFERER value coming from the browser before you serve the document. If the document is in a file object, then you can use a precondition for this, which is a callable object. It could be written as follows in a python script: request = context.REQUEST if not request.HTTP_REFERER.startswith(request.SERVER_URL): raise 'NotFound' If you make a script and then specify it for the preconditions of your files, then it would only allow downloads coming from another URL on your site. No direct URL or linking from outside would be allowed with a standard browser. However, one could easily circumvent this by spoofing the HTTP_REFERER on the client. This would assume a certain level of sophistication on the part of the would be spoofer. To make it a bit harder you could use sessions or cookies and validate those in your precondition instead. This would be harder to fool if you did it right. -Casey On Tuesday 12 November 2002 07:11 pm, General Info wrote: i have the following situation. i want the users to be able to download non html documents if that document is refered to from an html document. however, i dont want the users to be able to type the url and document name on the url box of their browers and be able to download it. for example: the documents exist in http://www.wwwdotcom.com/nonhtmldocs/doc1.pdf however, i dont want the users to type that url on their browser and access doc1.pdf i only want them to access it if that particular document is linked from an html document. i have seen some websites that do that w/ images. how can i do that on zope? is it possible? i would appreciate any comments/suggesstions. -roberto ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )