When I have a File in Acumatica (such as an Inventory Item image) it has an "External Link" property such as https://.../Frames/GetFile.ashx?fileID=bdb9534c-6aa9-41fa-a65d-3119e32b0fe5
Even if the file is marked with "Is Public (the file ignores access rights and is visible to everybody)", this only works in the context of a signed-in user. Logging out and attempting to access the file results in a redirect to the Acumatica login. I need to be able to access these "Public" files externally without being logged into Acumatica, such as in an `<img src="..." />` tag of a different site. Is there any way to achieve this? Is this the intended function of "Is Public"? It reads as if the file should still be accessible with no authentication necessary. (Acumatica 2018 R1)
IsPublic files are visible to all logged-in users, and files are not served as static HTTP resources. So even if you were able to see the image in the browser with the GetFile link, I don't think it would work as the URL for the SRC attribute of an IMG tag, which requires a static image resource.
I have an API function that verifies a user's email, but I don't really know what to do next. I want to redirect the user to an HTML page that says "your email has been verified", but I don't know if I should use res.sendFile() or res.redirect().
I tried both of them, but res.sendFile doesn't work when I include images because if the API is /user/verifyEmail, any images I include in the HTML have src=/user/myimg for some reason and therefore they aren't sent or displayed. I then tried res.redirect() with the HTML page placed in my app's static files, and this works (with the images too), but it just feels wrong because anyone can open this page if they go to myapp/verification.html since the file is in the static folder.
What is the right thing to do here?
You can resolve this concern by adding middleware for securing those routes:

> but it just feels wrong because anyone can open this page if they go to myapp/verification.html since the file is in the static folder.

In conclusion, res.redirect() is the right thing to do here.
You have to set a unique value in your path, like
www.xyz.com/verification/unique_value
unique_value defines which user is verifying this page (you can encode the user id and set it as unique_value).
Then you can use a GET API for the path www.xyz.com/verification/unique_value.
You can decode it in the API and check whether it's a user or not; if it's a user, you can display the page (res.render()), else redirect to the home page (res.redirect()).
I have users and roles. Access to certain parts of the content is denied in the ftls, but I have the following problem:
I want to prevent users from sharing PDF links.
These are formed like this:
http://localhost:8080/dam/jcr:c383c3c-a27a-4baf-856f-265baaf02142/mozillasecure.pdf
In the dam workspace I have two folders, pdf and pdfsecure. I want the PDFs in pdf to be downloadable for all roles and the ones in the pdfsecure folder to be denied for, e.g., the anonymous role.
How can I accomplish that?
Note: I thought about extending DamURI2RepositoryMapping.java, but I couldn't see it through. Please help...
Is this a trick question? :)
Simply set content permission for anonymous role to "deny" on pdfsecure and subnodes via security app. Make sure to set it directly on public instance (author and public have different anonymous role configuration so you don't want to activate that).
Setting the permission at the content level, as opposed to setting it at the URI level, makes sure the content is not accessible via any URI.
HTH,
Jan
I have a website, which imports user controls (.ascx) into a directory of a live website.
Obviously, once the user control is imported into the directory, it is not actually 'part' of the website, it's just a .ascx file sitting in a directory on the website.
When I try to add the user control to a panel, I get a "Could not load type 'CMS.Modules.HelloWorld'." error.
```csharp
// LoadControl takes a virtual path; the verbatim-string prefix is @, not #
Control content = LoadControl(@"~/Modules/" + ddlExtraModules.SelectedValue.ToString() + "/HelloWorld.ascx");
pnlSections.Controls.Add(content);
```
Is it actually possible to add user controls to a website 'on the fly'?
Looks like you can dynamically add .ascx files to web applications, as they are compiled at run time. Use them only on Web Forms pages and do not request them directly.
http://msdn.microsoft.com/en-us/library/system.web.ui.usercontrol.aspx
> In addition, the designer creates the @ Register directive, which is required for the page to recognize the user control.
http://msdn.microsoft.com/en-us/library/5d0t5fak%28v=vs.80%29.aspx
I am developing my first XPages application and have designed a login screen in domcfg.nsf. So when a user types my URL, like Myrequest.com (dummy URL), this should redirect to the login page, and then on a successful login attempt the page should be redirected to the Myrequest application. Could you please let me know how to configure this in the server document or Internet Site document?
As a first step, I executed the points below.
1. Enabled "Load Internet configurations from server/Internet sites documents" in the Basic tab of the server document.
2. Created a new Web Site document by clicking on Web >> Internet Sites.

Web Site - Basic tab:
a. Descriptive name for this site: myRequest.com
b. Organization: testCompany
c. Use this web site to handle requests which cannot be mapped to any other web sites: No
d. Host names or addresses mapped to this site: my local IP address
e. Domino server that hosts this site: *

Web Site - Configuration tab:
a. Home URL: /myApp/myRequest.nsf?open

The rest of the configuration is all defaults.
When I tried opening myRequest.com, no page is displayed. I guess I have made a mistake. Do I have to change any configurations?
The way this works is:
1. Set up an Internet Site (remember to check that your Domino server is using Internet Sites (first tab in the server document)).
2. The Internet Site should not contain any information about login - just the right path etc. for the domain/subdomain to point at the right page in the right database (and possibly URL redirections, headers, etc.).
3. Now create the login form, e.g. in your application database (or any other applicable database). Make sure that you have the right fields on it for the login to work - and for any error messages to be correctly shown. The easiest way is to look at the standard login form (it's called "$$LoginUserForm") found in domcfg.nsf (if domcfg.nsf does not exist, just create it with that name based on the advanced template "Domino Web Server Configuration (8)" (template file: domcfg5.ntf)).
4. Now create a Sign In Form Mapping document in domcfg.nsf. Select the specific domain/subdomain that it applies to (or a default for all websites not using another specific sign-in form), specify the path to the database with the form (e.g. your application database), and specify the name of your login form in that database.
5. Now you just need to turn on the mechanism that will require your users to log in. This is done in the ACL of your database. When a user is not logged in, it will obey the rules of a person entry with the name "Anonymous". If this "person" is not present in the ACL, it will of course obey the default settings. You will have to determine when you want your user to log in. If you specify "No Access", then you may have to set "public read" on some of your design elements for the login form to display properly (e.g. graphic files etc.), and then you should also allow the Anonymous person to read public files (in the ACL). You may also want users to be able to read content and only be forced to log in when they want to write/change something, in which case your Anonymous user would be a reader and default (or a specific group, etc.) would be author/editor - but that is all about standard Domino security/ACL and not related to web/XPages ;-)
/John
I'm currently implementing the OpenNTF Multiple File Uploader by Mark Leusink.
This very nice custom control uses an xAgent to embed the selected file attachment into the target Notes document. Everything was working fine until I added Authors and Readers fields to the Notes documents. Now I'm getting a security error (402) when uploading the file.
My thought is the Upload xAgent can't edit the target document to attach the file. If I remove the security fields, everything works again.
My question is, do xAgents run with the same security as the current user? If not, can I set a "run as" user for the xAgent like I can for a Lotus Script agent?
I'd suggest that you look at the xAgent's code and rewrite it to use sessionAsSigner to access the database/document to upload the file. This will cause it to run as the signer of the application and bypass the security issues that you're running into.
Both Tom's and Declan's answers are correct, but this doesn't apply to the file uploader.
It uses a Flash component to do the actual uploading (called SWFUpload). Since browser cookies aren't shared with Flash, it can't send along the user's session cookie with the file, and therefore to the Domino server the user performing the upload is not logged in (aka Anonymous). That's why the uploader requires anonymous users to be allowed to read/write public documents in the ACL, and the XPage/XAgent handling the uploaded files (aUpload.xsp) is set to allow "public access users". It uses the sessionAsSigner object to access the database's content.
Normally, the above settings would allow everyone to anonymously upload files. That's why I implemented a custom authentication solution based on an idea by Mark Barton: before every file is uploaded, a request is made to an XPage to retrieve a unique key. That XPage (aGetAuth.xsp) does run under the user's credentials and stores the key in a document in the database. This key is sent along with the uploaded file and compared with the stored key. The upload is only allowed if the keys match.
The first thing I'd check in your case is whether the code in the aUpload.xsp XAgent can read and write the target document using the sessionAsSigner call.
Mark, Declan, and Tim, thanks for jumping in.
I modified the xAgent **aGetAuth.xsp** to use sessionAsSigner to get the current database. At first I got the error "sessionAsSigner not found".
Google showed that a quick answer was to re-sign the template before testing. After re-signing the template, twice, and performing a "clean", everything works brilliantly.