Unable to secure Pdfs uploaded in Documents & Files

  • Hi all,

    I uploaded PDFs from Content > Documents & files. I show these PDFs on the front-end website when someone searches for them. The URL of an uploaded PDF is something like this:

    localhost:11111/.../mypdf.pdf

    I want to develop it so that when someone clicks on the link, the user is redirected to my custom login page. After login, my custom user will be able to see the same PDF.

    For this I created my custom HTTP handler, and the code is below:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;

    namespace SitefinityWebApp.App_Code
    {
        /// <summary>
        /// Serves .pdf requests only to users who have a custom login session.
        /// </summary>
        public class CustomPdfHandler : IHttpHandler, System.Web.SessionState.IRequiresSessionState
        {
            public void ProcessRequest(HttpContext context)
            {
                // The custom login stores the user name in session state.
                if (context.Session["UserName"] == null)
                //if (!context.User.Identity.IsAuthenticated)
                {
                    // Encode the return URL so its own query string survives the round trip.
                    context.Response.Redirect("/login?ReturnUrl=" + HttpUtility.UrlEncode(context.Request.RawUrl));
                    context.Response.StatusCode = 401;
                    return;
                }

                var url = context.Request.CurrentExecutionFilePath;

                if (string.IsNullOrEmpty(url)) return;

                // Stream the requested file back as a PDF.
                HttpContext.Current.Response.ClearContent();
                HttpContext.Current.Response.ClearHeaders();
                HttpContext.Current.Response.AddHeader("Content-Disposition", string.Format("filename={0}", url));
                HttpContext.Current.Response.AddHeader("Content-Type", "application/pdf");
                HttpContext.Current.Response.WriteFile(url);
                HttpContext.Current.Response.End();
            }

            public bool IsReusable
            {
                get
                {
                    return false;
                }
            }
        }
    }



    I added the line below in <httphandlers>

    <add verb="*" path="*.pdf" type="SitefinityWebApp.App_Code.CustomPdfHandler, App_Code" validate="false"/>

    And the line below in <handlers>

    <add name="PdfRestrict" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv4.0,bitness32"/>


    The code works fine with a static PDF link that I added in Visual Studio in the doc folder (mypdf.pdf), but it does not work with PDFs I uploaded in Documents & Files!

    Please help me ASAP. It is very urgent.

    Kind Regards,
    Nirav.
  • So using the Sitefinity link builder the handler is not getting fired off?
  • Jonathan,

    Yes, and I want to fire it off, or be given some other solution if one is available, to secure PDFs from front-end users and redirect to the custom login page when a PDF link is clicked in the Sitefinity search result widget.

    Kind Regards.
  • Mark my words: I have a custom table of my users. I want my users to open the PDF, not the users from the Sitefinity backend!

    Hope I will find the solution.

    Kind Regards,
    Nirav Golani. 
  • Hi,

    The HTTP handler is one way to handle all .pdf requests. Register the handler in web.config:
    <add name="RestrictPdfs" verb="*" path="*.pdf" type="SitefinityWebApp.App_Code.YourCustomHandler, App_Code" resourceType="Unspecified" />

    Please take a look at the following article for handler registration in different versions of IIS.
    The handler will handle cases when any .pdf file is requested by a user.
    As an alternative, if you are using the download list widget from Sitefinity to display a list of PDFs, add logic to the widget template for the download list widget that will redirect the user upon clicking a link to view a PDF. Here is a blog post that explains how to perform modifications to existing widgets. If this is not the case, let me know how the PDF files are displayed on the site: in a custom control or in the Sitefinity download list widget.

    Regards,
    Stanislav Velikov
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  • Stanislav,

    Thanks for the reply.

    I registered the handler as you suggested in integrated mode, but I still can't handle PDF files. I display all the PDF files in the search results widget. What I want is that when someone searches for a PDF file in the search widget, the site displays the PDF. I did this, but now when someone clicks on the link of a PDF in the search results widget, it must go through the handler and redirect to my custom login page.

    Here is the web.config code I used in the <handlers> section:

    <add name="PdfRestrict" path="*.pdf" verb="*" type="SitefinityWebApp.App_Code.CustomPdfHandler, App_Code" resourceType="Unspecified" />

    Am I missing something? I am still unable to handle PDF files.

    Thanks in advance and Regards,
    Nirav Golani.
  • Did you ever find a way to secure Files and documents? I was just notified that people were able to Google search and find our documents and download them. Very insecure. I need a way to lock them down so only certain roles can access them.
  • Hello,

    This can also be achieved using the events for media content in Sitefinity. Refer to this documentation and the event IMediaContentDownloadingEvent, which is fired when a document or other media has started to download.
    Here the event can handle the download of specific files, as all document/image/video data is present in the event arguments, and the document can be checked as well as the current user, and redirects to a registration page can be performed if needed.

    Stanislav Velikov
    Telerik
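A sketch of the event-based approach described in the reply above, added here as an illustration (not code from the thread or from Telerik). It subscribes to IMediaContentDownloadingEvent at startup and sends visitors without a custom login session to the login page. Assumptions: the namespace of the event interface should be checked against your Sitefinity version, session state is assumed to be available on the download request, and `IsCustomUserLoggedIn` is a hypothetical helper that mirrors the session check from the original post.

```csharp
using System;
using System.Web;
using Telerik.Sitefinity.Abstractions;
using Telerik.Sitefinity.Data;
using Telerik.Sitefinity.Modules.Libraries.Web.Events; // assumed namespace, verify for your version
using Telerik.Sitefinity.Services;

namespace SitefinityWebApp
{
    public class Global : HttpApplication
    {
        protected void Application_Start(object sender, EventArgs e)
        {
            // Subscribe only after Sitefinity has finished bootstrapping.
            Bootstrapper.Initialized += OnBootstrapperInitialized;
        }

        private static void OnBootstrapperInitialized(object sender, ExecutedEventArgs e)
        {
            if (e.CommandName == "Bootstrapped")
                EventHub.Subscribe<IMediaContentDownloadingEvent>(evt => OnMediaDownloading(evt));
        }

        private static void OnMediaDownloading(IMediaContentDownloadingEvent evt)
        {
            HttpContext context = HttpContext.Current;
            if (context == null) return;

            // Guard PDFs only; other media keeps its normal behaviour.
            string path = context.Request.Url.AbsolutePath;
            if (!path.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase)) return;

            if (IsCustomUserLoggedIn(context)) return;

            // Fail closed: no custom session means no download. The return URL is
            // encoded so that its own query string survives the round trip.
            string returnUrl = HttpUtility.UrlEncode(context.Request.RawUrl);
            context.Response.Redirect("/login?ReturnUrl=" + returnUrl, true);
        }

        // Hypothetical helper: the custom login is assumed to set Session["UserName"].
        // A missing session is treated as "not logged in".
        private static bool IsCustomUserLoggedIn(HttpContext context)
        {
            return context.Session != null && context.Session["UserName"] != null;
        }
    }
}
```

The login page that consumes `ReturnUrl` should accept only local paths before redirecting back, otherwise the parameter becomes an open redirect.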
  • Hello Stanislav. Thank you for your response to our questions. I see that your latest post on this was from November 2013. Is the IMediaContentDownloadingEvent still the best way to secure files accessed from password-protected pages on a Sitefinity website? The goal is to prevent users from copying/pasting the document URL into an email or another browser session, thereby bypassing the login requirement when the link is accessed from a secure page. Also of course, to prevent Google from indexing the files as Theodore mentioned.

     

    Shelly Ryder