Gossamer Forum

download_file, view_file and authentication

Hi

As far as I have seen, the download_file and view_file routines can be called via browser without authentication (with uid=default, please correct me if I'm wrong). If someone copies a complete download URL from a proxy logfile for example, it seems that you can download files without authentication (even if they belong to a record that should be viewable for authenticated users only).

https://www.domain.com/perl/dbsql/db.cgi?db=dbname&cn=downloadfield&do=download_file&id=XX&uid=default

I'd like to add some code to change this behaviour. Once I configure a database so that only logged in users can see db records, I would like to also restrict access to the downloadable files that are connected to the mentioned db records.

Thanks for your opinion and for any kind of support
Oliver
Subject: download_file, view_file and authentication
Author: olivers
Views: 2928
Date: Nov 30, 2007, 7:51 AM
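
The check the post asks for, sketched as an added example that is not part of the original post and is not DBMan SQL's own code: the file actions inherit the view policy of the database they belong to, and the request is denied before any file is opened. `%DB_POLICY`, `%SESSIONS`, `authorize_request` and the sample uid values are hypothetical names and constructed data; only the parameter names `db`, `cn`, `do`, `id` and `uid` come from the URL in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical policy table: which databases require a login to view records.
my %DB_POLICY = (
    dbname  => { view_requires_login => 1 },
    catalog => { view_requires_login => 0 },
);

# Constructed session store (uid => username); "default" is the guest uid.
my %SESSIONS = ( 'k3J9x2Qp' => 'alice' );

# Actions that return file content attached to a record.
my %FILE_ACTION = map { $_ => 1 } qw(download_file view_file);

# Returns (allowed, reason). File actions inherit the record view policy.
sub authorize_request {
    my (%in) = @_;
    return (1, 'not a file action') unless $FILE_ACTION{ $in{do} // '' };

    my $policy = $DB_POLICY{ $in{db} // '' };
    return (0, 'unknown database') unless $policy;    # fail closed
    return (1, 'database is public') unless $policy->{view_requires_login};

    my $uid = $in{uid} // 'default';
    return (0, 'guest uid') if $uid eq 'default';
    return (0, 'no such session') unless exists $SESSIONS{$uid};
    return (1, "session of $SESSIONS{$uid}");
}

# Constructed requests, shaped like the URL parameters in the post.
my @requests = (
    { db => 'dbname',  cn => 'downloadfield', do => 'download_file', id => 7, uid => 'default' },
    { db => 'dbname',  cn => 'downloadfield', do => 'view_file',     id => 7, uid => 'forged' },
    { db => 'dbname',  cn => 'downloadfield', do => 'download_file', id => 7, uid => 'k3J9x2Qp' },
    { db => 'catalog', cn => 'downloadfield', do => 'download_file', id => 3, uid => 'default' },
);

for my $r (@requests) {
    my ($ok, $why) = authorize_request(%$r);
    printf "%-8s %-14s uid=%-9s => %s (%s)\n",
        $r->{db}, $r->{do}, $r->{uid}, $ok ? '200 serve' : '403 deny', $why;
}
```

Because the uid travels in the query string, a copied URL that carries a live session uid still passes this check while that session is valid; the gate only stops guest and unknown uids.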