Secure pages and documents
I need to protect documents in my Sitefinity 5.0.1 site.
If the user has not authenticated, then it cannot simply download the documents.
I found a similar post, and solution in the following forum post, but it's for Sitefinity 3.7 only.
I needed for 5.01....thanks, Ming
Hello, anyone here??
The previous article talked about adding code to pipeline ContentHttpHandler, but this handler is only in 3.7.
There is no such handler in 5.0.1, and the closest httpHander that I can see looks like :
<add verb="*" path="Telerik.Sitefinity.FilesDownloadHandler.ashx" type="Telerik.Sitefinity.Modules.Files.FilesDownloadHandler,
Telerik.Sitefinity" />
However, I cannot find such FilesDownloadHandler.ashx either....Anyone?
Thanks, Ming
Hi Ming,
This is handled by default/ The documents themselves have permissions around them. This means that you can state globally that you only want authenticated users to be able to view a document.
Go to Documents and Files and on the right hand side you will see permissions. There you can set the global permissions on documents. By default all documents and libraries inherit those global permissions but you can break this inheritance and have individual permissions per documents or per libraries which allows you to get very granular. Here is a video of how you set the global permissions and then break the inheritance for a single document and here is the documentation on the topic as well.
Sitefinity by default has an HTTP handler that looks at the permissions for documents. Document listings will not display documents that we are not allowed to view and on top of this If anybody who is not allowed to view the document tries to access it via direct link, the HTTP handler takes care of this and returns a 403 'unauthorized request'
I hope this information helps!
All the best,
Hi Svetla,
Thanks for the reply, and it's helpful to know about the built in security around the Sitefinity documents. However, in our case, we actually don't have logged in user; instead, we are employing eloqua's gated forms; therefore, whether the user can download any documents is actually by checking against the eloqua's cookie. So, we are still interested in having the pipeline solution, like the previous article in Sitefinity 3.7. And in this pipeline, we will have to disallow document download if the eloqa cookie is not there.
Thanks, Ming
Hi Ming,
This is handled in the LibraryHTTPHandler. There are a couple of extension points here. The entire logic is in the LibraryHTTPHandler.ProcessRequest method where exxentially we look at the request for a document and we perform the following:
Raise a downloading event before the response. The event is of type IMediaContentDownloadingEvent(docs) and also raises a Downloaded event once the request is sent. In your case you can hook to the DownloadingEvent.
Side Note: There is another extension point that has to do with forum attachment and downloadable goods. The HTTP handler for documents asks if a download is allowed through a class implementing IDownloadSecurityProvider that only has one method called IsAllowed which basically returns a bool. For example if a user is trying to access a downlaodable product and hasn't purchased it it fires off and returns a false. This probalby doesn't apply much for your case but just for reference of others here is how you can hook to those and insert logic for restricting digital downloads purchased for Ecommerce. You would register this as such in global.asax.
ObjectFactory.Container.RegisterType(typeof(IDownloadSecurityProvider), typeof(DownloadableGoodsCustomSecurityProvider), DownloadableGoodsCustomSecurityProvider.SecurityProviderName, new ContainerControlledLifetimeManager(), new InjectionConstructor());