bugs unauthorized users access pdf files knowing the link

Please report bugs and any annoyances here. Kindly include all possible details: steps to reproduce, expected result, actual result, screenshots, ... etc.
facos79
Veteran Member
Posts: 64
Joined: 2014-10-29 12:31

bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2018-12-04 17:27

Hello everyone, I have a problem to solve urgently: I created an application with AppGini with which the user can upload some PDF documents to their own private area. These documents must be accessible only to the user who uploaded them. But there is a problem: once saved on the server, these documents are also accessible to anyone who knows the link and has not logged in. How do I block access for someone who knows the link?
Thank you.


---- in Italian ---

Hello everyone, I have a problem to solve urgently: I created an application with AppGini with which the user can upload some PDF documents to their own private area. These documents must be accessible only to the user who uploaded them. But there is a problem: once saved on the server, these documents are also accessible to anyone who knows the link and has not logged in. How do I block access for someone who knows the link?
Thank you.

a.gneady
Site Admin
Posts: 992
Joined: 2012-09-27 14:46

Re: bugs unauthorized users access pdf files knowing the link

Post by a.gneady » 2018-12-05 11:07

Please don't post duplicate posts ... I removed the other duplicates of this post.

You could try adding this to an .htaccess file in the upload folder:

Code:

RewriteEngine on
# forbid PDF requests whose Referer is set but does not point at our own domain
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !\.mydomain\.com [NC]
RewriteRule \.pdf$ - [F,L]

Change 'mydomain\.com' to the domain name of your server -- note the slash before the dot.
:idea: Learn all the tips and tricks of customizing AppGini apps through our online course.

:arrow: Summary Reports plugin enables you to build powerful reports and charts inside your AppGini application through a few simple steps. See the big picture and discover trends in your data that empower you to take the right decisions confidently.

:arrow: Search Page Maker enables you to build user-friendly yet powerful search pages for your AppGini application by simply dragging and dropping the fields you want to include in search.

facos79
Veteran Member
Posts: 64
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2018-12-05 11:15

Hello,
I apologize for the double post.
I had first published it incorrectly in another section.
Thank you for the information. From the middle of the year we have to respect the new European regulation on privacy and documents should only be accessible to those who have access to the database. So it is essential that the software blocks unwanted access not only to information entered in the fields but also to uploaded documents.

I'll try it and let you know if it works.

Thank you.

Greetings


--------------------------
Hello,
I apologize for the double post.
I had first published it by mistake in another section.
Thank you for the information. From the middle of the year we have to comply with the new European privacy regulation, and documents should be accessible only to those who have the credentials to access the database. So it is essential that the software blocks unwanted access not only to the information entered in the fields but also to the uploaded documents.

I'll try it and let you know if it works.

Thank you.

Regards

facos79
Veteran Member
Posts: 64
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2018-12-05 12:57

a.gneady wrote:
2018-12-05 11:07
Please don't post duplicate posts ... I removed the other duplicates of this post.

You could try adding this to an .htaccess file in the upload folder:

Code:

RewriteEngine on
# forbid PDF requests whose Referer is set but does not point at our own domain
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !\.mydomain\.com [NC]
RewriteRule \.pdf$ - [F,L]

Change 'mydomain\.com' to the domain name of your server -- note the slash before the dot.

Hi, I created the .htaccess file in the upload folder. Knowing the link to the PDF, and without having logged in as a user, the file still opens in a browser.

I also tried writing this in .htaccess:

Code:

<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
Options Indexes
order deny,allow

This way the file does not open, but it cannot be opened even by a user who has logged in to the database manager.

a.gneady
Site Admin
Posts: 992
Joined: 2012-09-27 14:46

Re: bugs unauthorized users access pdf files knowing the link

Post by a.gneady » 2018-12-05 13:09

Hmm ... basic questions first:

1. Is mod rewrite enabled on your server? To check it, please follow the steps here: https://stackoverflow.com/a/10891317/1945185
2. Do you see any error reported in the server error_log after creating the .htaccess file?

facos79
Veteran Member
Posts: 64
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2018-12-06 12:40

Hello,
yes, 'mod rewrite' is active. I am attaching the newly downloaded logs.
Here is an example of a link that only registered users should be able to open. Instead, knowing the link, you too can open the file (this is a test):

https://fabiocostanzo.it/assistenza/ima ... e86c4a.pdf
Attachment: errore appgini pdf.JPG (screenshot of the log)

facos79
Veteran Member
Posts: 64
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2018-12-07 17:21

Hi, I tried putting this code in the .htaccess file:

Code:

<Files ~ ".+">
Order allow,deny
Deny from all
Satisfy All
</Files>

The PDF files in the image folder are blocked and cannot be opened from links. Only the user can open them, by clicking on the file name in the AppGini application and selecting 'save as' with the right mouse button.
Would it be possible to allow only users logged in to view files in the browser without having to save them?

AppGini is an excellent application, and it would be very nice if it could automatically generate secure code for the uploaded files too (photos, images, zip, pdf, etc.).

a.gneady
Site Admin
Posts: 992
Joined: 2012-09-27 14:46

Re: bugs unauthorized users access pdf files knowing the link

Post by a.gneady » 2019-01-09 14:15

Would it be possible to allow only users logged in to view files in the browser without having to save them?
Hmm .. once a file is viewable in the browser, there is no way to prevent users from saving it. You might find scripts for preventing right-clicking an object (to hide the 'Save as' option) but they can be very easily circumvented.

mghielmi
Posts: 2
Joined: 2019-01-08 01:27

Re: bugs unauthorized users access pdf files knowing the link

Post by mghielmi » 2019-01-16 08:57

To protect PDF downloads I've used this method.

Two files (in the images folder, the folder where files are uploaded):
1. .htaccess
2. protect.php

.htaccess

Code:

RewriteEngine on
RewriteRule .* protect.php

protect.php

Code:

<?php

	define('PREPEND_PATH', '../');
	$hooks_dir = dirname(__FILE__);
	include("$hooks_dir/../defaultLang.php");
	include("$hooks_dir/../language.php");
	include("$hooks_dir/../lib.php");

	/* grant access to the groups 'Admins' and 'Other' */
	$mi = getMemberInfo();
	if(!in_array($mi['group'], array('Admins', 'Other'))){
		header("location: /");
		exit;
	} else {
		/* the rewrite rule sends every request in this folder here; use only the
		   last path segment of the request (query string dropped) as the file name */
		$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
		$fileName = basename(rawurldecode((string)$path));

		/* refuse anything that is not an existing plain PDF in this folder
		   (dot-files, this script itself, missing files) */
		if($fileName === '' || $fileName[0] === '.'
			|| strtolower(pathinfo($fileName, PATHINFO_EXTENSION)) !== 'pdf'
			|| !is_file(__DIR__ . '/' . $fileName)){
			http_response_code(404);
			exit;
		}

		header('Content-type: application/pdf');
		header('Content-Disposition: inline; filename="' . $fileName . '"');
		readfile(__DIR__ . '/' . $fileName);
	}
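
The script above checks group membership but not who uploaded the file, so any member of an allowed group can read every upload once they know the name. The following is an added example, not code from the original post or from AppGini, of the same gatekeeper idea extended to a per-owner check with deny-by-default handling. It assumes the .htaccess rewrite from the post above, getMemberInfo() as used above, and, as assumptions of mine, the AppGini helpers sqlValue() and makeSafe() from lib.php plus a hypothetical `documents` table with columns `file` (stored file name) and `owner` (username of the uploader). Because the decision is made server-side against the login session, it does not depend on the Referer header, which the client controls and which is absent on a direct visit; that is why the Referer-based rule earlier in the thread cannot replace it.

```php
<?php
// Added example (not AppGini's code and not from the post above): serve an upload
// only to the member who uploaded it, or to an Admin. Assumptions, all mine:
// the .htaccess rewrite sends every request in the upload folder to this script;
// getMemberInfo() returns at least 'username' and 'group'; sqlValue() and makeSafe()
// are AppGini helpers available after lib.php; a hypothetical table `documents`
// has columns `file` (stored file name) and `owner` (username of the uploader).
declare(strict_types=1);

define('PREPEND_PATH', '../');
$hooks_dir = dirname(__FILE__);
include("$hooks_dir/../defaultLang.php");
include("$hooks_dir/../language.php");
include("$hooks_dir/../lib.php");

// Only these extensions are ever served, each with a fixed content type, so the
// browser never sniffs an uploaded file into something it would execute.
const ALLOWED_TYPES = [
	'pdf'  => 'application/pdf',
	'png'  => 'image/png',
	'jpg'  => 'image/jpeg',
	'jpeg' => 'image/jpeg',
	'zip'  => 'application/zip',
];

function deny(int $status): void {
	http_response_code($status);
	header('Content-Type: text/plain');
	echo $status === 404 ? 'Not found' : 'Forbidden';
	exit;
}

// Reduce the request URI to a bare file name: drop the query string, percent-decode,
// strip any directory part, and accept only conservative names with a known extension.
// Returns null for everything else (dot-files, this script itself, odd characters).
function requestedFilename(string $requestUri): ?string {
	$path = parse_url($requestUri, PHP_URL_PATH);
	if (!is_string($path)) return null;
	$name = basename(rawurldecode($path));
	if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.([A-Za-z0-9]+)$/', $name, $m)) return null;
	return isset(ALLOWED_TYPES[strtolower($m[1])]) ? $name : null;
}

// Ownership check: Admins may read everything, other members only their own uploads.
// Deny by default: an unknown file name or an empty lookup result is a refusal.
function mayAccess(array $member, string $fileName): bool {
	if (($member['group'] ?? '') === 'Admins') return true;
	// assumed AppGini helpers: sqlValue() runs a query and returns one value, makeSafe() escapes
	$owner = sqlValue("SELECT owner FROM documents WHERE file='" . makeSafe($fileName) . "'");
	return is_string($owner) && $owner !== '' && $owner === ($member['username'] ?? null);
}

$mi = getMemberInfo();
if (empty($mi['username'])) deny(403);   // no session at all; guest accounts still fall through to the ownership check

$name = requestedFilename($_SERVER['REQUEST_URI']);
if ($name === null) deny(404);

$full = __DIR__ . '/' . $name;
if (!is_file($full)) deny(404);
if (!mayAccess($mi, $name)) deny(404);   // 404 rather than 403: do not confirm that the file exists

$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($full));
header('Content-Disposition: inline; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');   // keep shared caches from handing the file out later
readfile($full);
```

The file is served inline, as in the thread, because the later reply is right that a file a browser can display can always be saved; what this script controls is who gets the bytes at all. If the application stores uploads under a different table or column name, only the query in mayAccess() needs to change.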

a.gneady
Site Admin
Posts: 992
Joined: 2012-09-27 14:46

Re: bugs unauthorized users access pdf files knowing the link

Post by a.gneady » 2019-01-19 10:24

Very nice tip @mghielmi. Thanks so much for sharing :)

facos79
Veteran Member
Posts: 64
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2019-01-29 21:09

Excellent solution!
It works perfectly. Just what I was looking for.
Thanks thanks thanks!


--------

Excellent solution!
It works perfectly. Just what I was looking for.
Thanks, thanks, thanks!
