If you make sure the link can only be accessed by logged-in users, and the download is linked to a completed order, security should be fine?
On Mon, 2011-05-16 at 14:04 +0000, Esch, Guido wrote:
> Hi all,
>
> Currently I'm struggling with the handling of digital download products.
> (Version is 1057550, but I would guess we will merge to current trunk very soon again.)
>
> The "normal" handling works fine. Configuring the product, adding the content, buying, and downloading using the "downloadDigitalProduct" method works as intended.
>
> But in my system the content is accessible using the "stream" URL (e.g. /content/control/stream?contentId=12231). So if somebody knows OFBiz he might get access to all downloads by simply guessing the content IDs.
>
> There seems to be a way using a custom genericContentPermission Service. But to be honest, for something like digital downloads I would guess there is a standard mechanism like the one in downloadDigitalProducts which protects these files in general, without writing a custom permission service (which I haven't discovered yet).
>
> But if it's required to write a new one, are there any suggestions to get this working in an efficient way?
>
> I'm thinking of checking the ProductContentType to make sure the digital downloads are not served using the stream. But that doesn't sound very efficient to me. And it also leads to some leaks as soon as the configuration gets inconsistent. (For some reason the ProductContent is removed, but not the Content and Resource entity.)
>
> Not more secure, but even slower: checking the OrderRoleAndProductContentInfo to make sure the user has the permission to get this content, but even then I have to ensure it's digital download content.
>
> My last idea: adding a custom attribute to the content when creating (uploading the file) the content. But that feels like a quick fix to me.
>
> Therefore I'm open to any suggestions.
>
> Best Regards,
>
> Guido Esch
>
> direkt gruppe
>
> networks direkt GmbH
> Griegstraße 75, Haus 2
> 22763 Hamburg
> Fon: +49 (40) 88155-0
> Fax: +49 (40) 88155-5200
>
> mailto:[email protected]
> www.direkt-gruppe.de

-- 
Ofbiz on twitter: http://twitter.com/apache_ofbiz
Myself on twitter: http://twitter.com/hansbak
Antwebsystems.com: Quality services for competitive rates.
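As an added illustration of the check suggested in the reply (a logged-in user plus a completed order) and of the inconsistency case Guido raises, here is a small Python model of a deny-by-default decision for a stream request. It is not OFBiz code and not from either poster: the entity and type names follow the thread, but the in-memory tables, record values and function names are constructed for this example.

```python
"""Constructed model of a fail-closed permission check for /content/control/stream?contentId=..."""

# Constructed sample records, shaped loosely after the OFBiz entities named in the thread.
ORDER_HEADER = {
    "WS10000": {"statusId": "ORDER_COMPLETED"},
    "WS10001": {"statusId": "ORDER_CREATED"},   # placed but never completed
}
ORDER_ROLE = [  # (orderId, partyId, roleTypeId)
    ("WS10000", "alice", "PLACING_CUSTOMER"),
    ("WS10001", "bob", "PLACING_CUSTOMER"),
]
ORDER_ITEM = [  # (orderId, productId)
    ("WS10000", "EBOOK-1"),
    ("WS10001", "EBOOK-2"),
]
PRODUCT_CONTENT = [  # (productId, contentId, productContentTypeId)
    ("EBOOK-1", "12231", "DIGITAL_DOWNLOAD"),
    ("EBOOK-1", "12232", "IMAGE"),              # public product image
    ("EBOOK-2", "12233", "DIGITAL_DOWNLOAD"),
    # contentId "12234": Content/DataResource still exist, ProductContent row was removed
]


def completed_orders_of(party_id):
    """Orders this party placed that reached ORDER_COMPLETED."""
    return {
        order_id for order_id, party, role in ORDER_ROLE
        if party == party_id and role == "PLACING_CUSTOMER"
        and ORDER_HEADER.get(order_id, {}).get("statusId") == "ORDER_COMPLETED"
    }


def may_stream(party_id, content_id):
    """Return True only when serving content_id to party_id is positively justified."""
    rows = [(product, ctype) for product, cid, ctype in PRODUCT_CONTENT if cid == content_id]
    if not rows:
        # Orphaned or unknown content: a type-based check would let this through
        # (no DIGITAL_DOWNLOAD row to find), so deny instead of guessing.
        return False
    if all(ctype != "DIGITAL_DOWNLOAD" for _, ctype in rows):
        return True                             # ordinary product content such as images
    if not party_id:
        return False                            # anonymous request for a paid download
    # Paid download: require a completed order by this party containing a product
    # that sells this content as a digital download.
    products = {product for product, ctype in rows if ctype == "DIGITAL_DOWNLOAD"}
    completed = completed_orders_of(party_id)
    return any(order_id in completed and product in products
               for order_id, product in ORDER_ITEM)
```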
