
Protected files website


vchris


I'm developing this site which will have a couple different logins. These logins will belong to a certain group or province I should say. So for example, the province of Ontario (Canada) will login using their login and should only be able to see their documents (webpage, excel, word, powerpoint...) same goes for other provinces and groups. A group or province should not be able to access another one's files. The problem I have with this is if someone knows the url of the excel spreadsheet, what's stopping that person from typing it in and opening a file that he's not supposed to have access to? So is there a way I can protect these files from being opened just by putting the url in? I am kinda limited with web server settings, is there something I can do with ColdFusion?

Stick the files outside of the web root directory. I don't know much ColdFusion, but since you know PHP I will try to explain it that way. Just include() the file with the appropriate content-type header.
Ok but by including it, will it look the same as if the user clicked a download link? There is no way to get the path of the included page?

When you include the file, you have to supply the appropriate header for it, otherwise it will show the code of the file which isn't pretty. If you include the file, it will either allow them to download as if they clicked a link or embed it in the browser like you would see for example pdf files. They can't type a URL to get to the file that is outside the web root (this would be a huge security risk if all the files on your server were available on the web).


I have the word doc displaying except it's not really readable. There's a bunch of weird characters. I used cfinclude to display the file but I don't have any header type to supply... The thing is I want the users to be able to download it just like a direct link to the doc not just displaying the doc. I'm looking for a solution to displaying the doc correctly...


From php.net with the header function.

If you want the user to be prompted to save the data you are sending, such as a generated PDF file, you can use the Content-Disposition header to supply a recommended filename and force the browser to display the save dialog.

<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>


Do you know how to work with headers in ColdFusion? If you know how to send your own, just copy and paste what is between header( and ) and replace the name of the file and application/pdf with whatever the mime type is for the file you chose to use, and just include the file.


vchris - sorry I've been really busy at work but I can help you with this. First, mma_fighter123's approach is on point. In ColdFusion, the best way to do this is to use <cffile> to "read" the file. Set the contents of the file to a variable using <cfsavecontent>. Then you do as mma_fighter123 suggests and use

<cfheader name="Content-Type" value="application/msword"/>
<cfheader name="Content-Disposition" value="inline; filename=""#your_desired_filename#"""/>
<cfheader name="Content-Description" value="#your_cffile_content#"/>
<cfoutput>#content#</cfoutput>

* if any client is using Windows Vista you have another work around since Word has a new mime type in that OS. Can't think of it off the top of my head but should be able to Google it.


ok so cfheader will load the doc, but will it load the application in the browser or will it ask to download? So the content-type needs to be set accordingly each time right? I can open pdf, word, excel, zips...? I want users to be asked to download each time if possible. I don't want the content of the file to be read and then displayed on the webpage without the app.


Well, the application that loads the file is dependent upon how each individual user's browser MIME file types are configured. You, as a developer, have limited control over how the client actually handles the request they make. If you dynamically deliver the file (pdf, doc, xls, etc.) then all you can do is tell the browser what it is (other than HTML, XML, etc.). If the browser has "msword" defined to use Photoshop (for some reason) you can't do anything about that. All you can do is deliver the content with the correct MIME type and then wash your hands.

After looking it over and finally getting a second to work an example - it's even easier than what I posted before:

<cfset myFile="[physical path to your file]" />
<cfheader name="Content-Disposition" value="inline; filename=myfile.doc" />
<cfcontent type="application/msword" file="#myFile#" />

Having said that, I have (somewhere I will find it) a function that you would run #myFile# in that will return the mime type to use in your <cfcontent> tag. I'll post it when I find it...


Yes. In this situation you could use:

  • <cfif><cfelseif><cfelse></cfif>
  • <cfswitch><cfcase></cfcase><cfdefaultcase></cfdefaultcase></cfswitch>
  • or all that in <cfscript>

The example I have to (still) track down uses <cfscript>. Generally, if you are evaluating a variable, <cfswitch> is best since it is assumed (in your logic) that ColdFusion already knows the variable. So ColdFusion will only process up until the <cfcase> is found - a slight performance benefit.

If you are going to use the isDEFINED("") function, then you have to use <cfif> or <cfscript>. If the situation you are dealing with has only a couple conditions, then <cfif> is fine. If your situation is rather involved or lengthy, then you will have a marginal performance benefit using <cfscript> since ColdFusion doesn't need to process the actual tags.

In any case, you are correct, the function is merely a slew of conditions that accommodate the various file types. The reason why you might want to use it (once I get a second to find it) is that there are tons of MIME extensions that would be helpful to throw in there to avoid errors or mis-associated application types.


I've been playing with your script skemcin and I download the file, it's great, except that the file I download is blank. If I create a test.doc file with "This is a test document" in it. After downloading I got nothing same with other 4mb docs.


I rarely, if ever, used <cfscript>. Is it handled by javascript?
No. Javascript is client side, <cfscript> is still server side. It is basically the raw format of the commands that ColdFusion executes. ColdFusion just developed its own internal functions that essentially parse the tags from typical ColdFusion code to get to the nit-n-gritty. Some argue that it is easier to read in certain circumstances. Essentially, the two blocks of code below are the same - the <cfscript> code runs a fraction faster since ColdFusion doesn't have to parse the actual <cf> jargon:

<cfset thcolor="##E4F1F8">
<cfset evenrow="##F7F7F7">
<cfset darkline="##309ACF">
<cfset lightline="##BEE3F3">
<cfset fontfaces="Verdana,Arial">
<cfset repRowTxtColor="##666666">
<cfset repTtlTxtColor="##3398CC">
<cfset reportTitle="text-align:left;font:#fontfaces#;font-weight:bold;font-size:14px;color:##3398CC;">
<cfset reportSelectbox="text-align:left;font:#fontfaces#;font-weight:bold;font-size:12px;color:##3398CC;">
<cfset reportDate="font:#fontfaces#;font-weight:bold;font-size:10px;color:##3398CC;">
<cfset reportHeaderRow="font:#fontfaces#;font-size:11px;color:##3398CC;vertical-align:bottom;">
<cfset reportRow="font:#fontfaces#;font-size:10px;color:##666666;vertical-align:middle;">
<cfset reportSubText="text-align:left;font-weight:italics;font-size:10px;color:##666666;">
<cfset reportSubTextNI="text-align:left;font:#fontfaces#;font-size:10px;color:##3398CC;">
<cfset printoutRow="font:#fontfaces#;font-size:10px;color:##666666;line-height:16px;vertical-align:bottom;">

is the same as

<cfscript>
thcolor="##E4F1F8";
evenrow="##F7F7F7";
darkline="##309ACF";
lightline="##BEE3F3";
fontfaces="Verdana,Arial";
repRowTxtColor="##666666";
repTtlTxtColor="##3398CC";
reportTitle="text-align:left;font:#fontfaces#;font-weight:bold;font-size:14px;color:##3398CC;";
reportSelectbox="text-align:left;font:#fontfaces#;font-weight:bold;font-size:12px;color:##3398CC;";
reportDate="font:#fontfaces#;font-weight:bold;font-size:10px;color:##3398CC;";
reportHeaderRow="font:#fontfaces#;font-size:11px;color:##3398CC;vertical-align:bottom;";
reportRow="font:#fontfaces#;font-size:10px;color:##666666;vertical-align:middle;";
reportSubText="text-align:left;font-weight:italics;font-size:10px;color:##666666;";
reportSubTextNI="text-align:left;font:#fontfaces#;font-size:10px;color:##3398CC;";
printoutRow="font:#fontfaces#;font-size:10px;color:##666666;line-height:16px;vertical-align:bottom;";
</cfscript>

:lol:

I've been playing with your script skemcin and I download the file, it's great, except that the file I download is blank. If I create a test.doc file with "This is a test document" in it. After downloading I got nothing same with other 4mb docs.
hmmm - I tested this on my localhost where the physical path was c:\temp\my924brochure.pdf with my web application in c:\inetpub\wwwroot\getdoc\ and I didn't have any issues. I am running IIS6 and ColdFusion 8 Developer License on this PC. I'll look into this after lunch (got a couple "critical issues" delivered to me).

I guess this has to do with the path to the docs being incorrect or something? I used relative paths (../../test.doc) since I don't know the absolute path from the drive.


and that worked?

ColdFusion (at least before CF8) always needed the full absolute path whenever the physical path was required. I think CF8 can do either one. The relative path is always the web site relative path, never the physical server path (for security reasons).


To find the current location of the file, you can do this:

#cgi.CF_TEMPLATE_PATH#

or

#cgi.PATH_TRANSLATED#

to which you can:

#replace(cgi.CF_TEMPLATE_PATH,"#cgi.SCRIPT_NAME#","[your file name]","all")#

You will need to use the absolute physical path.


I looked the other day and again today, and I can't find what I was hoping for - nothing that will save you any length of time anyway. I'll look at home again, but I'm sorry if I can't locate it.


No worries I built my own. It's working great.

Is there any way I can know if a file is not found? I got it working with the querystring right now (?myFile=test.doc). If someone were to manually enter ?myFile=testd.doc it'll still try to download but could I have a message say file not found instead of downloading a blank doc?


Use the FileExists() function with a <cfif> statement.

<cftry>
    <cfif fileexists(#yourfilesphysicalpath#)>
        what you want to do if it is there
    <cfelse>
        what you want to do if the file is not found
    </cfif>
    <cfcatch type="any">
        What you do if any type of error occurs in the process.
    </cfcatch>
</cftry>
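
The thread ends with a download page driven by `?myFile=`, which moves the original problem from the file URL to the query string unless the page ties the file to the logged-in group and constrains the name. The following is an added example, not code from any poster in this thread; `session.groupCode`, the `D:\protected_docs\` folder and its per-group subfolders are assumptions made for illustration.

```cfml
<!--- download.cfm (added example). Assumptions: session management is on,
      the login code stored the user's group in session.groupCode (e.g. "ON"),
      and D:\protected_docs\ is a hypothetical folder outside the web root
      holding one subfolder per group. --->
<cfparam name="url.myFile" default="">
<cfset docRoot = "D:\protected_docs\">

<!--- 1. The group comes from the logged-in session, never from the URL. --->
<cfif NOT StructKeyExists(session, "groupCode")
      OR NOT REFind("^[A-Z]{2,10}$", session.groupCode)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Please log in.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Accept a bare file name only: no slashes, no "..", and only the
      extensions we serve. A rejected name gets the same answer as a missing
      file, so the response does not reveal what exists. --->
<cfset nameOk = REFindNoCase("^[a-z0-9][a-z0-9_-]{0,80}\.(doc|xls|ppt|pdf|zip)$", url.myFile)>
<cfset fullPath = docRoot & session.groupCode & "\" & url.myFile>
<cfif NOT nameOk OR NOT FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>File not found.</cfoutput>
    <cfabort>
</cfif>

<!--- 3. Pick the MIME type from the validated extension. --->
<cfset mimeTypes = StructNew()>
<cfset mimeTypes["doc"] = "application/msword">
<cfset mimeTypes["xls"] = "application/vnd.ms-excel">
<cfset mimeTypes["ppt"] = "application/vnd.ms-powerpoint">
<cfset mimeTypes["pdf"] = "application/pdf">
<cfset mimeTypes["zip"] = "application/zip">
<cfset ext = LCase(ListLast(url.myFile, "."))>

<!--- 4. "attachment" asks the browser for a save dialog rather than
      inline display; cfcontent then streams the file from disk. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#url.myFile#""">
<cfcontent type="#mimeTypes[ext]#" file="#fullPath#" deletefile="no">
```

Because the folder is chosen from the session and the name cannot contain a path separator, a user from one group who guesses another group's file name only ever gets a lookup inside their own folder.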
