Hi Jacopo,
thanks a lot for this details. I didn't realize the isPublic treatment for
permission services. For none public resources it sounds like a straight
forward task getting this to work. Time to tweak the digital download admin
screen services a bit to make sure the content is not public. Based on this i
can follow your suggestions to get this done.
Best Regards,
Guido
Am 22.05.2011 um 09:18 schrieb Jacopo Cappellato:
Hi Guido,
if the DataResource.isPublic flag is set to Y then the system will not run the
permission service and the resource will be available to all the users.
Otherwise the permission service will be executed before the resource is
streamed back to the user. As you have mentioned the default permission service
is genericContentPermission but you can create a new custom one and use it in
place of genericContentPermission by setting the following property:
stream.permission.service
in applications/content/config/content.properties
My bet is that you will need to create your custom permission service and it
shouldn't be a difficult task because you can focus on your specific
requirements and choose to only deal with them; I am sure you will get
help/suggestion from this list if you will need it; at this point my only
suggestion is: before you start make sure that your use cases are clear and
well defined (what are the actors and what are the content types, and what are
the rules to give access to content to actors); as soon as you will have them
it will be easier to implement a service like:
<service name="customContentPermission" engine="..." auth="true"
location="..." invoke="customContentPermission">
<description>Custom Content Permission Service</description>
<implements service="permissionInterface"/>
<attribute name="contentId" type="String" mode="IN" optional="true"/>
</service>
In it you will receive(when the "stream" uri is hit) the "userLogin" object
and the "contentId" you will run your custom logic and then you will return the
Boolean hasPermission field back.
I hope it helps,
Jacopo
On May 17, 2011, at 11:42 AM, Esch, Guido wrote:
not exactly. The requirement might differ on the different types of content.
For digital download content, you are right. For all other content types it
should be accessible for anyone. (e.g. the standard fancy flash banner, every
shop needs)
Am 17.05.2011 um 07:03 schrieb Hans Bakker:
If you make sure the link can only be accessed by loggedin users, and
the download is linked to an completed order, security should be fine?
On Mon, 2011-05-16 at 14:04 +0000, Esch, Guido wrote:
Hi all,
currently i'm struggling with the handling of digital download products.
(Version is 1057550 but would guess we will merge to current trunk very soon
again) The "normal" handling works fine. Configuring the product, adding the
content, buying, download using the "downloadDigitalProduct" method works as
intended.
But in my system the contend is accessible using the "stream" url. (e.g.
/content/control/stream?contentId=12231) So if somebody knows ofbiz he might
get access to all downloads by simply guessing the content ids. There seems be
a way using a custom genericContentPermission Service. But to be honest, for
something like digital downloads i would guess there is a standard mechanism
like the one in downloadDigitalProducts which protects this files in general,
without writing a custom permission service. (which i haven't discovered yet)
But if its required to write a new one, are there any suggestions to get this
working an efficient way? I'm thinking of checking the ProductContentType to
make sure the digital downloads are not served using the stream. But that
sounds not very efficient to me. And it also leads to some leaks as soon as
the configuration gets inconsistent. (For some reason the ProductContent is
removed, but not the Content and Resource entity.) Not more secure but although
even slower, checking the OrderRoleAndProductContentInfo to make the user has
the permission to get this content, but even than, i have to ensure its a
digital download content. My last idea, adding a custom attribute to the
content when creating (uploading the file) the content. But that feels like a
quick fix to me. Therefore i'm open to any suggestions.
Best Regards,
Guido Esch
direkt gruppe
networks direkt GmbH
Griegstraße 75, Haus 2
22763 Hamburg
Fon: +49 (40) 88155-0
Fax: +49 (40) 88155-5200
mailto:[email protected]
www.direkt-gruppe.de<http://www.direkt-gruppe.de>
________________________________
Rechtliche Hinweise:
networks direkt Gesellschaft fuer Informationstechnologie mbH *
Geschaeftsfuehrer * Dipl.-Inform. (FH) Gerald Jenner * Dipl.-Ing. (FH) Kai
Petersen * Dipl.-Inform. (FH) Nils Schultz * Sitz Hamburg * AG Hamburg HRB
83072 * USt-IdNr. DE812564499
solutions direkt Gesellschaft fuer Loesungsentwicklung mbH * Geschaeftsfuehrer
* Dipl.-Inform. Markus Breilmann * Dipl.-Inform. (FH) Nils Schultz * Sitz
Hamburg * AG Hamburg HRB 83605 * USt-IdNr. DE813614829
marketing solutions direkt Gesellschaft fuer innovatives Marketing mbH *
Geschaeftsfuehrer * Karsten Kirsch * Kai Jasper Meifort * Sven Severin * Sitz
Hamburg * AG Hamburg HRB 104217 * USt-IdNr. DE814956207
Anschrift * Griegstrasse 75, Haus 2 * 22763 Hamburg
Diese elektronische Nachricht enthaelt vertrauliche Informationen, die nur fuer
die im Text bezeichneten Personen bestimmt sind. Die Nachricht ist durch das
Briefgeheimnis geschuetzt und unterliegt gegebenenfalls den Regeln zum Schutz
der Vertraulichkeit. Jede Benutzung, Versendung, Herstellung von Kopien oder
Veroeffentlichung durch andere Personen ist ohne Zustimmung des Absenders
untersagt. Wenn Sie diese Nachricht irrtuemlich erhalten haben, bitten wir Sie
hoeflichst, sie auf Ihren Systemen zu loeschen und den Absender umgehend zu
benachrichtigen.
This electronic mail transmission contains confidential information intended
only for the person(s) named. It is subject to the laws of mail secrecy and may
be protected by legal privileges. Any use, distribution, copying or disclosure
by another person is strictly prohibited without the consent of the sender. If
this transmission has been received in error, you are kindly requested to
delete it from your system and to contact the sender immediately.
--
Ofbiz on twitter: http://twitter.com/apache_ofbiz
Myself on twitter: http://twitter.com/hansbak
Antwebsystems.com<http://Antwebsystems.com>: Quality services for competitive
rates.
Mit freundlichem Gruß
Guido Esch
direkt gruppe
networks direkt GmbH
Griegstraße 75, Haus 2
22763 Hamburg
Fon: +49 (40) 88155-0
Fax: +49 (40) 88155-5200
mailto:[email protected]
www.direkt-gruppe.de<http://www.direkt-gruppe.de>
________________________________
Rechtliche Hinweise:
networks direkt Gesellschaft fuer Informationstechnologie mbH *
Geschaeftsfuehrer * Dipl.-Inform. (FH) Gerald Jenner * Dipl.-Ing. (FH) Kai
Petersen * Dipl.-Inform. (FH) Nils Schultz * Sitz Hamburg * AG Hamburg HRB
83072 * USt-IdNr. DE812564499
solutions direkt Gesellschaft fuer Loesungsentwicklung mbH * Geschaeftsfuehrer
* Dipl.-Inform. Markus Breilmann * Dipl.-Inform. (FH) Nils Schultz * Sitz
Hamburg * AG Hamburg HRB 83605 * USt-IdNr. DE813614829
marketing solutions direkt Gesellschaft fuer innovatives Marketing mbH *
Geschaeftsfuehrer * Karsten Kirsch * Kai Jasper Meifort * Sven Severin * Sitz
Hamburg * AG Hamburg HRB 104217 * USt-IdNr. DE814956207
Anschrift * Griegstrasse 75, Haus 2 * 22763 Hamburg
Diese elektronische Nachricht enthaelt vertrauliche Informationen, die nur fuer
die im Text bezeichneten Personen bestimmt sind. Die Nachricht ist durch das
Briefgeheimnis geschuetzt und unterliegt gegebenenfalls den Regeln zum Schutz
der Vertraulichkeit. Jede Benutzung, Versendung, Herstellung von Kopien oder
Veroeffentlichung durch andere Personen ist ohne Zustimmung des Absenders
untersagt. Wenn Sie diese Nachricht irrtuemlich erhalten haben, bitten wir Sie
hoeflichst, sie auf Ihren Systemen zu loeschen und den Absender umgehend zu
benachrichtigen.
This electronic mail transmission contains confidential information intended
only for the person(s) named. It is subject to the laws of mail secrecy and may
be protected by legal privileges. Any use, distribution, copying or disclosure
by another person is strictly prohibited without the consent of the sender. If
this transmission has been received in error, you are kindly requested to
delete it from your system and to contact the sender immediately.
Mit freundlichem Gruß
Guido Esch
direkt gruppe
networks direkt GmbH
Griegstraße 75, Haus 2
22763 Hamburg
Fon: +49 (40) 88155-0
Fax: +49 (40) 88155-5200
mailto:[email protected]
www.direkt-gruppe.de
________________________________
Rechtliche Hinweise:
networks direkt Gesellschaft fuer Informationstechnologie mbH *
Geschaeftsfuehrer * Dipl.-Inform. (FH) Gerald Jenner * Dipl.-Ing. (FH) Kai
Petersen * Dipl.-Inform. (FH) Nils Schultz * Sitz Hamburg * AG Hamburg HRB
83072 * USt-IdNr. DE812564499
solutions direkt Gesellschaft fuer Loesungsentwicklung mbH * Geschaeftsfuehrer
* Dipl.-Inform. Markus Breilmann * Dipl.-Inform. (FH) Nils Schultz * Sitz
Hamburg * AG Hamburg HRB 83605 * USt-IdNr. DE813614829
marketing solutions direkt Gesellschaft fuer innovatives Marketing mbH *
Geschaeftsfuehrer * Karsten Kirsch * Kai Jasper Meifort * Sven Severin * Sitz
Hamburg * AG Hamburg HRB 104217 * USt-IdNr. DE814956207
Anschrift * Griegstrasse 75, Haus 2 * 22763 Hamburg
Diese elektronische Nachricht enthaelt vertrauliche Informationen, die nur fuer
die im Text bezeichneten Personen bestimmt sind. Die Nachricht ist durch das
Briefgeheimnis geschuetzt und unterliegt gegebenenfalls den Regeln zum Schutz
der Vertraulichkeit. Jede Benutzung, Versendung, Herstellung von Kopien oder
Veroeffentlichung durch andere Personen ist ohne Zustimmung des Absenders
untersagt. Wenn Sie diese Nachricht irrtuemlich erhalten haben, bitten wir Sie
hoeflichst, sie auf Ihren Systemen zu loeschen und den Absender umgehend zu
benachrichtigen.
This electronic mail transmission contains confidential information intended
only for the person(s) named. It is subject to the laws of mail secrecy and may
be protected by legal privileges. Any use, distribution, copying or disclosure
by another person is strictly prohibited without the consent of the sender. If
this transmission has been received in error, you are kindly requested to
delete it from your system and to contact the sender immediately.
