Gossamer Forum

download_file, view_file and authentication

Hi

As far as I have seen, the download_file and view_file routines can be called via browser without authentication (with uid=default, please correct me if I'm wrong). If someone copies a complete download URL from a proxy logfile for example, it seems that you can download files without authentication (even if they belong to a record that should be viewable for authenticated users only).

https://www.domain.com/perl/dbsql/db.cgi?db=dbname&cn=downloadfield&do=download_file&id=XX&uid=default

I'd like to add some code to change this behaviour. Once I configure a database so that only logged in users can see db records, I would like to also restrict access to the downloadable files that are connected to the mentioned db records.

Thanks for your opinion and for any kind of support
Shockedliver
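
An added example, not part of the original post and not DBMan SQL code: a log check a site owner could run to see whether the file routines named above have already been served to requests that carried no session. It assumes Common/Combined Log Format access logs and that a missing `uid` or `uid=default` means no logged-in user, as the post describes; the function name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Routines named in the post that serve files attached to records.
FILE_ACTIONS = {"download_file", "view_file"}

# Assumed format: Common/Combined Log Format access-log lines.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def unauthenticated_file_hits(lines, script="db.cgi"):
    """Return successful file requests sent with no uid or uid=default."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + script):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        first = lambda key: qs.get(key, [""])[0]
        # Assumption from the post: uid=default (or no uid) means no login.
        if first("do") not in FILE_ACTIONS or first("uid") not in ("", "default"):
            continue
        if not m["status"].startswith("2"):
            continue  # refused or failed, so no file was served
        hits.append({"host": m["host"], "time": m["time"],
                     "action": first("do"), "db": first("db"),
                     "field": first("cn"), "id": first("id")})
    return hits

# Constructed sample lines, not real traffic.
BASE = "/perl/dbsql/db.cgi?db=dbname&cn=downloadfield"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET {BASE}&do=download_file&id=17&uid=default HTTP/1.1" 200 52311',
    f'192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET {BASE}&do=download_file&id=17&uid=CONSTRUCTEDSESSION HTTP/1.1" 200 52311',
    f'192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET {BASE}&do=view_file&id=18 HTTP/1.1" 200 8812',
    f'192.0.2.13 - - [01/Jan/2024:10:03:00 +0000] "GET {BASE}&do=download_file&id=19&uid=default HTTP/1.1" 403 210',
    f'192.0.2.14 - - [01/Jan/2024:10:04:00 +0000] "GET {BASE}&do=some_other_action&uid=default HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for hit in unauthenticated_file_hits(SAMPLE_LOG):
        print(hit)
```

Each hit identifies the database, field and record id whose file went out without a session, which gives the list of records to review once access to the file routines is restricted.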