I hope you can give me some advice about membership and images.
Which is the best way to secure images so that only the authorised users can retrieve them?
The scenario:
I own a website on which users can enter and publish their wishlist(s). The owner of the wishlist has a username/password, and family&friends have a username/password (family&friends all share exactly 1 username/password)
Now I want to give the owner the opportunity to upload an image which will be used as a background image for the wishlist. This may be a personal image, so I want only the concerning owner and family&friends to be able to see that image. I don't want other users (and people not logged in) to be able to see this image, even if they try to hack it.
To be more specific, if I decide to store jpg-files in a folder, everyone can easily retrieve it like https://pbs.twimg.com/media/B4VBJc6CEAAFSKf.jpg
I can put it in a folder which only logged in users can access, but then all logged in users can access it, and I only want to grant the owner and the family-and-friends-user. Can I secure the image file?
So, my question is: Which is the best way to secure images so that only the authorised users can retrieve them?
I use:
ASP.NET,
SQL Server,
ASP standard membership
Only the concerning owner and family&friends to be able to see that image. I don't want other users (and people not logged in) to be able to see this image.
I assume you are using ASP.NET Web Forms. If so, you want to look at a generic image handler.
To be more specific, if I decide to store jpg-files in a folder, everyone can easily retrieve it
You should not store images in a publicly available folder. In other words, the folder should be restricted from public access, for example the App_Data folder.
Users can only access those images via the image handler.
Inside the image handler, check whether the user is authorized. If not authorized, return 404.
If authorized, you can use either BinaryWrite or TransmitFile (if the image is stored in the file system).
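An added example of such a handler (not the answer's code): it serves the background image only to the wishlist's owner or the shared family&friends login and answers 404 to everyone else. WishlistRepository.GetWishlistAccess, the WishlistAccess fields and the App_Data/WishlistImages folder are assumptions.

```csharp
// WishlistImage.ashx.cs: generic handler that serves a wishlist's background image only to
// its owner or the shared family&friends login and answers 404 to everyone else. Assumed
// (not from the page): WishlistRepository.GetWishlistAccess(id) reads the row from SQL Server.
using System;
using System.IO;
using System.Web;

public class WishlistAccess
{
    public string OwnerUserName;
    public string FamilyUserName;
    public string FileName;   // bare file name assigned at upload time, never a client-supplied path
}

public class WishlistImage : IHttpHandler
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context)
    {
        int wishlistId;
        if (!context.User.Identity.IsAuthenticated
            || !int.TryParse(context.Request.QueryString["id"], out wishlistId))
        {
            NotFound(context);   // anonymous users get the same 404 as a malformed id
            return;
        }
        WishlistAccess access = WishlistRepository.GetWishlistAccess(wishlistId); // assumed lookup
        string user = context.User.Identity.Name;
        bool authorized = access != null
            && (string.Equals(user, access.OwnerUserName, StringComparison.OrdinalIgnoreCase)
                || string.Equals(user, access.FamilyUserName, StringComparison.OrdinalIgnoreCase));
        if (!authorized)
        {
            NotFound(context);   // 404 rather than 403, so the image's existence is not revealed
            return;
        }
        // The file lives under App_Data, which IIS never serves directly. Path.GetFileName
        // strips any directory parts, so a tampered record cannot escape that folder.
        string path = context.Server.MapPath("~/App_Data/WishlistImages/" + Path.GetFileName(access.FileName));
        if (!File.Exists(path)) { NotFound(context); return; }
        context.Response.Cache.SetCacheability(HttpCacheability.Private); // keep it out of shared caches
        context.Response.ContentType = "image/jpeg";
        context.Response.TransmitFile(path);
    }
    private static void NotFound(HttpContext context)
    {
        context.Response.StatusCode = 404;
    }
}
```

Map the handler to a path such as /WishlistImage.ashx and reference it as the background image with ?id=<wishlist id>; the handler, not the folder, is then the only way the bytes leave the server.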
I have a Flutter app where most of the users should never log in. I also use this same app for a small selection of users that I personally manage and would like to allow them to create a Firebase account, preferably just by giving them a password to access the account creation page. Ideally I don't want just anyone to be able to create an account, only those who I have personally given access to. Is there a way I could password protect the account creation page so that only those with access to the password could create an account? Perhaps there is another way to do this? Ideally, I'm not looking to get into a situation where anyone can create an account and then downstream I have to authorize that account so that it has the correct access. I really just want only those with the access upstream to be able to create the account. Perhaps this is not logical but this seems to make more sense than letting accounts be created by anyone and then approved by me after the fact. So my question really is, how do I password protect a page in Flutter? Or is this just a bad idea and should I work to manage things downstream? Or is there another solution I have yet to consider?
Have you considered using something like a dynamic link that navigates to the specified page in the app when clicked? firebase_dynamic_links might be of help. Only those who have the link will be able to access it, and I presume that you could manage the link actions from the Firebase console.
You could also opt for simplicity and create a password field that pops up before your account creation page.
I'd like to start a website that provides users with a photo editing/storing experience. The initial idea is that the user has his own account where we store the edited photos and some settings. I am a WordPress web developer, and when I try to consider how to build such a website in WordPress I don't really understand how to provide such services without having access to user photos. My idea was to create a custom post type and save it with the user as an author. But as an admin of the website, I will have access to all the created/saved photos, and I would like to build it in a way that I don't have it. Is it possible?
I've previously used an app to write a diary that saved the data to my Google Drive and, if I understand correctly, it never had access to my files.
So my question is: what are the best practices to build such a resource? Is it normal to have access to all of your users' photos if you provide such a platform?
In your case, as you will use WordPress and you are the developer, you will always have access to all of the data.
You will always have a way of knowing which data is from one user and which data belongs to another user.
You have two options to do this, but this will take some development work:
1 - You must recreate the way WordPress works so that the user is not tied to an email or any other private data that can be related to the user.
Example: you ask the user to register with a form that only asks for a "hash", which can be any word, number, or any other information, and a second field which would be the password.
With this, in the backend you take these two pieces of information and do some kind of hash; I'll give the example using md5, but do not use it.
After that, join these two values and this will be the user.
To log in, the user needs to repeat this information and will be let into the platform. With this you will be able to maintain the anonymity of the user and will not know who the user is.
In this option you will have a different user for each hash and password :)
But I recommend not using WordPress if you choose this option. You can use a framework like CodeIgniter, for example, which is super simple.
2 - The second way would be to use the normal wp User, not worrying about who the user is and their information. But one way to keep photo information "anonymous" is to generate a unique hash with each user and have some way of relating the user to it.
Example: when uploading a file to edit, it will generate a passkey; you must warn the user that when they want to edit or view this photo they will need to type it into an input. With this you will not know which information is from which user, but it requires extra work for the user.
This way you will always have anonymity of user information. I hope I helped you somehow.
I have a requirement: I want to hide the data (lists/libraries/documents) from users who are forms-based authenticated. Windows users can add data to SharePoint lists. Forms-based authenticated users are only able to see it whenever Windows-authenticated users give them permission. I thought of creating one group for forms-based authentication, but we cannot hide data from them, so this will not work. How to do this? I am thinking about this, but am not able to find the solution.
Anyone have any idea?
New Addition:
Actually, there should be two URLs (say URL1, URL2) for the same site, which we can configure in the alternate access mapping. Only one URL (URL2) should be exposed to external users. So whenever any external user logs in (forms user) we have to show the content which was given access by a Windows-authenticated user. That means when Windows users add some content to URL1 and then give permission to the forms-authenticated users, that content should appear in URL2. By default the content added in URL1 will be reflected in URL2, but here it should not happen.
In principle, there shouldn't be a problem duplicating your site and modifying the copy to be more limited than the original.
If both sites are on the same site collection, you can configure them to use the same lists/document libraries.
After you do that, it's simply a matter of configuring AAM to present one site outside, and one inside.
I am going to create a website on which users can create their own album of pictures and upload them to the website. I am going to use ASP.NET (C#) to develop this website.
Each user only has access to the set of images which is dedicated to that user; no shared items are permitted, so users should have their own username and password and log in before getting to their album.
So I have 2 questions: where should pictures be stored to have perfect access control and restriction?
What is the most secure way to authenticate users?
Simply upload that file, and add a record that represents the user's UserId, and the path to the image.
Or you can upload directly to SQL Server 2008's FileStream object (can you use that?) to store the images, and still have a record that links it to the user's UserId.
To authenticate users just use the MembershipProvider. They will have a user id associated with their login. That becomes your key to look up the images.
You can get their name or user id in different ways. See:
How can I access UserId in ASP.NET Membership without using Membership.GetUser()?
for more details on getting the Id (via ProviderUserKey)
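An added example, not the answer's own code, of the record-per-upload approach keyed by the membership ProviderUserKey. The Images table and its columns, the "Album" connection string and the App_Data target folder are assumptions.

```csharp
// AlbumStore (added example): uploads go under App_Data and each record stores the owner's
// membership ProviderUserKey, so lookups are always keyed by the caller's own user id.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.IO;
using System.Web;
using System.Web.Security;
public static class AlbumStore
{
    // Assumed, not from the answer: table Images(ImageId, UserId uniqueidentifier, FilePath).
    static readonly string ConnStr = ConfigurationManager.ConnectionStrings["Album"].ConnectionString;
    public static Guid? CurrentUserId()
    {
        MembershipUser user = Membership.GetUser();
        return user == null ? (Guid?)null : (Guid)user.ProviderUserKey; // Guid with the SQL provider
    }
    // Saves the upload under a server-generated name and records which user owns it.
    public static Guid SaveImage(Guid userId, HttpPostedFile upload, string appDataDir)
    {
        if (upload == null || upload.ContentLength == 0) throw new ArgumentException("empty upload");
        string ext = Path.GetExtension(upload.FileName).ToLowerInvariant(); // only the extension is taken from the client
        if (ext != ".jpg" && ext != ".jpeg" && ext != ".png") throw new ArgumentException("unsupported type");
        Guid imageId = Guid.NewGuid();
        string path = Path.Combine(appDataDir, imageId.ToString("N") + ext);
        upload.SaveAs(path);
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("INSERT INTO Images (ImageId, UserId, FilePath) VALUES (@id, @user, @path)", cn))
        {
            cmd.Parameters.AddWithValue("@id", imageId);
            cmd.Parameters.AddWithValue("@user", userId);
            cmd.Parameters.AddWithValue("@path", path);
            cn.Open();
            cmd.ExecuteNonQuery();
        }
        return imageId;
    }
    // Ownership is enforced by the WHERE clause: another user's id simply finds no row.
    public static string GetImagePath(Guid userId, Guid imageId)
    {
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT FilePath FROM Images WHERE ImageId = @id AND UserId = @user", cn))
        {
            cmd.Parameters.AddWithValue("@id", imageId);
            cmd.Parameters.AddWithValue("@user", userId);
            cn.Open();
            return cmd.ExecuteScalar() as string; // null: no such image, or not this user's
        }
    }
}
```

The page or handler that streams an image calls GetImagePath(CurrentUserId().Value, imageId) and treats a null result as 404, so a user can never reach another user's file by guessing ids.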
On Drupal 6 I am attaching a file to a node. This can be done using the core upload module or as a CCK field (whatever will achieve the permissions issue).
I would like anonymous users to be able to see the file, but once they click on it to be prompted to login or register. Once logged in (or registered) then to be taken to either the same page they started on or start the download.
Not really sure where to start on this (related to the permissions and then the eventual redirect).
One method that I would use is to detect in the template files whether there is a userid variable (to indicate they are logged in); if there is, show the link to the file, and if not, send them to the login/registration page. I can store the link they wanted in the user session. But then how would I detect that their registration is complete and redirect them to the page/file?
Ideally there is a module (which I am still hunting around for) that does this task!
Basically, you just need to set the destination parameter; this works for the basic login/registration form. If, however, you require something like email confirmation for registration, then it's going to be a lot more complicated.
Example Links:
user/login?destination=download_url
user/register?destination=download_url
There is also an API function that will automatically generate the destination part for the current URL: http://api.drupal.org/api/drupal/includes--common.inc/function/drupal_get_destination/7.