I need to develop a site on Drupal 7. I have some content types with File fields in CCK. And access to nodes of these types should be granted only to specific Drupal user role. And at any moment site administrator should be able to make these Nodes 'public' or 'private'.
I can make nodes visible only to specific user roles, but this is not secure enough. If anonymous user knows the path to file ( www.mysite.org/hidden_files/file1 ), he can download it.
What is the most elegant way to solve this problem?
Thanks in advance.
Check out this documentation here: http://drupal.org/documentation/modules/file
Specifically, the section titled "Managing file locations and access" which talks about setting up a private data store (all supported by Drupal 7, it just needs to be configured).
To paraphrase, create a folder such as:
sites/default/files/private
Put a .htaccess file in that folder with the following to prevent direct access to the files via the web:
Deny from all
(the documentation claims that the following step does the above steps automatically, I haven't tested that unfortunately but you may be able to save some time if you skip the above two steps)
Log into Drupal's admin interface, go to /admin/config/media/file-system, configure the private URL and select Private Files Served by Drupal as the default download method.
In order to define the fine-grained access to nodes and fields, you can use Content Access: http://drupal.org/project/content_access
You will also need to edit your content types and set the file / image upload fields to save the uploaded files into Private Files instead of Public Files.
At this point, the node and field level permissions will determine whether or not users are allowed to access the files which will be served through menu hooks that verify credentials before serving the file.
Hope this helps.
Related
I'm fairly new to web development and I can't really find the best way to handle serving files with Django.
My situation is:
I have users from different departments that can upload, edit and download files. Users should have access to files from other users of the same department, but not of the others.
The way it works until now is: each file path is written in a database, with a reference to which department it belongs. If requesting a file Django checks if the department of the user is the same as the file, and denies access if that is not the case. So it's implemented using a normal view that returns a StreamingHttpResponse.
After researching a bit it seemed that serving files that way isn't the standard way, and I should serve them as static files (from the web server, not directly by Django). My question is: can I still restrict the access of static files, or can anyone read them?
Is anyone familiar with DNN 9 platform here? If so could someone direct me how to upload an svg file to the server. In older version of DNN(8,7 etc) there was a setting in the Host List settings where you could enable the file type, however in DNN these pages have been removed from the user interface.
The following command has been run in SSMS:
INSERT INTO Lists (ListName, Value, Text, DefinitionID, SystemList)
VALUES ('ImageTypes', 'svg', 'Scalable Vector Graphics', '-1', 'True');
This created a new line in the database, however when I try to upload a svg file it still show wrong format (The Allowed Filetypes are: "bmp,gif,jpeg,jpg,png").
Can someone direct me perhaps where can the svg file type be enabled?
Many thanks!
The option to add file types is still there. It has been moved and has a different name. Go to:
Settings > Security > More
There is a tab there called More Security settings. There you will find the Allowable File Extensions
Some DNN sites allow users to upload certain files to their sites. A malicious can upload an SVG file which can contain some malicious code to steal some users’ sensitive data (cookies, etc.)
I want to export a table to an Excel file. I need to export a report.
ORA_EXCEL.new_document;
ORA_EXCEL.add_sheet('Sheet name');
ORA_EXCEL.query_to_sheet('select * from mytable');
ORA_EXCEL.save_to_blob(myblob);
I saved my table to blob.
How do I export/respond to the user (client)?
I need something that is simple to allow a user to be able to download an Excel file to their own computer. I tried doing this procedure in an Oracle workflow:
ORA_EXCEL.save_to_file('EXPORT_DIR', 'example.xlsx');
But this did not help, because it is saves the file to a directory on the server and I need it in the real server.
The way I have handled similar issues in the past was to work with the systems people to mount a directory from either a web server or file server on the Database server.
Then create a directory object so that the procedure can save to a location that is accessible to the user.
If the files are not sensitive and there are a limited number of users then a file server makes sense as it is then just a matter of giving the user access to the file share.
If files are sensitive or this is a large number or unknown users we then used the Web server and sent a email with a link to the user enabling them to download their file. Naturally there needs to be security built into this to stop people being able to download other users files.
We didn't just email the files as an attachment because...
1) Emails with attachments tend to get blocked
2) We always advise not to open attachments on emails. (Yes I know we advise not to click on links as well but nothing is perfect)
Who or what is invoking the production of the document?
If it´s done by an application, which the user is working on, this application can fetch the BLOB, stores it at f.e. TEMP-Directory and calls
System.Diagnostics.Process.Start("..."); to open it with the associated application. (see Open file with associated application)
If it´s a website, this one could stream the blob back as Excel-Mimetype (see Setting mime type for excel document)
Also you could store in an Oracle-DIRECTORY, but this one has to be on the server and should be a netword-share to be accessible for clients (which is rarely accepted in a productive environment!)
If MAIL isn´t the solution, then maybe FTP can be a way to store files in a common share. See UTL_TCP - Package, with this a FTP-transfer can be achieved (a bit hard to code, but there are solutions to find in the web) and I guess, professional tools that generate Office-documents out of Oracle-DB and distribute them do it like this.
Currently I'm working on a web project (Classic Asp) and I'm going to make an upload form.
Folklore says:
"Don't use the real name to save the uploaded files"
.
What are the problems, dangers, from the security point of view ?
Proper directory permissions should stop most of this stuff but I suppose for file names a potential danger is that they could name it something like "../Default.asp" or "../Malware.asp" or some other malicious path attempting to overwrite files and/or have an executable script on your server.
If I'm using a single upload folder, I always save my users uploads with a GUID file name just because users aren't very original and you get name conflicts very often otherwise.
I'm using CF9. My problem pertains to an admin application that sets session variables at login to identify the user and user permissions. Depending on the user level, certain pages are allowed for viewing and other pages are not allowed. (I'll refer to this as my 'security framework'. This is wrapped around everything in the root.)
This security framework consists of a cfif statement at the top of the CFM page and a closing cfelse and (</)cfif at the bottom of the page. Everything between this opening cfif and closing cfif displays if the user has that level permission - standard stuff.
Certain users can upload PDF files, no problem here. PDF files are uploaded to a folder outside of the root and then moved and renamed to folders inside the root.
When uploading, the user chooses categories and subcategories etc. and these variables are inserted in a SQL database during the upload process. Therefore, I have filePaths and fileNames, etc. to set up dynamic links on a page for a user to click and load the PDF (password protected) in the browser.
I have the dynamic link pointing to a ShowThisPDF.cfm? with URL variables filePath= #filePath# & fileName = #fileName#. I've set up the ShowThisPDF.cfm with the security framework at the top and bottom of the page and am trying to copy the uploaded PDF into this page so that the PDF will display in the browser.
I've tried many ways to do this with cfdocument and cfpdf and cfcontent, etc. When I read the error that this is throwing, it does look like it is reaching the uploaded file but I get an "access denied" every time, due to the security framework I suppose.
On a side note, elsewhere in this application I can create a PDF from my cf pages with cfdocument with the security framework wrapped around the page and this works perfectly - displaying the PDF in the browser. My problem is in loading an existing PDF into a CFM page that has the security framework - which should allow the PDF to load.
Anyone have an idea as to how I can accomplish the above? I hate to try and bypass my security and it seems logical to "copy" the uploaded PDF into a CFM page that wraps the PDF in the security framework and then display the PDF in the browser.
Agree with Dan - I had similar issue. So I ended up doing https: with a windows login and also a ColdFusion Login to Web Application. At end of day - they need 2 logins to get into the system - then they can see the pdf files etc or what they need.