Unable to secure Pdfs uploaded in Documents & Files

Posted by Community Admin on 04-Aug-2018 14:21

Unable to secure Pdfs uploaded in Documents & Files

Sitefinity - Front- & Back-End Development

All Replies

Posted by Community Admin on 27-Jun-2013 00:00

Hi all,

I uploaded pdfs from Content > Documents & files. I show these pdfs to front end website when someone search the pdfs. The url of uploaded pdf is something like this: 

localhost:11111/.../mypdf.pdf

I want to develope like when someone click on the link user must be redirect to my custom login page. And after login my custom user will be able to see same pdf.

For it i created my custom httphandler and code is below:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace SitefinityWebApp.App_Code

    /// <summary>
    /// Summary description for CustomPdfHandler
    /// </summary>
    public class CustomPdfHandler : IHttpHandler, System.Web.SessionState.IRequiresSessionState
    

        public void ProcessRequest(HttpContext context)
        
            if (context.Session["UserName"] == null)

            //if (!context.User.Identity.IsAuthenticated)
            
                context.Response.Redirect("/login?ReturnUrl=" + HttpContext.Current.Request.RawUrl.ToString());
                context.Response.StatusCode = 401;
                return;
            

            var url = context.Request.CurrentExecutionFilePath;

            if (string.IsNullOrEmpty(url)) return;

            HttpContext.Current.Response.ClearContent();
            HttpContext.Current.Response.ClearHeaders();
            HttpContext.Current.Response.AddHeader("Content-Disposition", string.Format("filename=0", url));
            HttpContext.Current.Response.AddHeader("Content-Type", "application/pdf");
            HttpContext.Current.Response.WriteFile(url);
            HttpContext.Current.Response.End();
        

        public bool IsReusable
        
            get
            
                return false;
            
        
    



I added below line in <httphandlers>

<add verb="*" path="*.pdf" type="SitefinityWebApp.App_Code.CustomPdfHandler, App_Code" validate="false"/>

And below line in <handlers>

<add name="PdfRestrict" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv4.0,bitness32"/>


The code works fine with static pdf link that i added in visual studio in doc folder mypdf.pdf but not working with pdf i uploaded in Documents & Files !!

Please help me asap.. It is very urgent..

Kind Regards,
Nirav.

Posted by Community Admin on 27-Jun-2013 00:00

So using the Sitefinity link builder the handler is not getting fired off?

Posted by Community Admin on 28-Jun-2013 00:00

Jonathan,

Yes and i want to fire it off and provide some other solution if it is available to secure pdf from front end users and redirect it to custom login page when click on link of pdf in sitefinity search result widget links.

Kind Regards.

Posted by Community Admin on 29-Jun-2013 00:00

Mrakr my words that I have custom table of my users. I want my users to open pdf not the users from sitefinity backend..!!

Hope i will find the solution.

Kind Regards,
Nirav Golani. 

Posted by Community Admin on 02-Jul-2013 00:00

Hi,

The http handler is one way to handle all .pdf requests and register the handler in web.config

<add name="RestrictPdfs" verb="*" path="*.pdf" type="SitefinityWebApp.App_Code.YourCustomHandler, App_Code" resourceType="Unspecified" />

Please take a look at the following article for handler registration in different versions of IIS.
The handler will handle cases when any .pdf file is requested by user.
As an alternative if you are using the download list widget from sitefinity to display a list of pdfs add logic to the widget template for download list widget that will redirect the user upon clicking a link to view pdf, here is a blog post that explains how to perform modifications to existing widgets or if this is not the case let me know how how are the pdf files displayed on the site, in a custom control or sitefinity download list widget.

Regards,
Stanislav Velikov
Telerik
Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 03-Jul-2013 00:00

Stanislav,

Thanks for the reply.

I registerd the handler as you suggested in integrated mode. But still i can't handle pdf files. I display all the pdf files in search results widget. What i want is to when some one search pdf file in search widget, Site will display pdf. I did this, But now when someone click on the link of pdf in search results widget it must handle the handler and redirect me to my custom login page.

Here is the web.config code i used in <handlers> section

<add name="PdfRestrict" path="*.pdf" verb="*" type="SitefinityWebApp.App_Code.CustomPdfHandler, App_Code" resourceType="Unspecified" />

Am i missing something or what ? because still i am unable to handle pdf files.

Thanks in advance and Regards,
Nirav Golani.

Posted by Community Admin on 30-Oct-2013 00:00

Did you ever find a way to secure Files and documents?  I was just notified that people were able to google search and find our docuements and download them.  Very insecure.  I need a way to lock them down so only certain roles can access them.

Posted by Community Admin on 04-Nov-2013 00:00

Hello,

This can also be achieved using the events for media content in sitefintiy, refer to this documentation and the event IMediaContentDownloadingEvent which is fired when a document or other media has started download.
Here the event can handle download of specific files as in the event arguments all document/image/video data is present and the document can be checked as well as the current user and perform redirects to a registration page if needed.

Stanislav Velikov
Telerik

Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 30-Aug-2016 00:00

Hello Stanislav. Thank you for your response to our questions. I see that your latest post on this was from November 2013. Is the IMediaContentDownloadingEvent still the best way to secure files accessed from password-protected pages on a Sitefinity website? The goal is to prevent users from copying/pasting the document URL into an email or another browser session, thereby bypassing the login requirement when the link is accessed from a secure page. Also of course, to prevent Google from indexing the files as Theordore mentioned.

 

Shelly Ryder

This thread is closed