I've been testing Alfresco for a few days but seem not to find a solution for this.
In Alfresco when an user uploads a file to a folder where it has the contributor role everything works nice, but he can delete that file. I want avoid that so I have defined a rule that takes the ownership of every file uploaded. The script is defined as
document.setOwner('admin');
This way the file can be deleted only by admin. If the rule is active the upload fails for everyother user. Does anybody know what it takes to take ownership of a file in that situation using a script?
I am using Alfresco 4.0a
Thanks.
I guess you can better do the following
document.setOwner("");
Because admin already has full authority in Alfresco.
Related
I've run into a problem using Moodle 3.2. I'm uploading mp3-files to be played in a quiz. I have the license to use those files for that specific purpose, but I am not the owner. Thus, I would like to ensure that nobody without a Moodle account can access these files.
However, the path to the files can be extracted from the source code and once you have the path, anybody can access the file. Is there any way to protect the file so only registered users can access it, even if they have the direct path?
Thank you so much!
All the best
Dom
EDIT: I've learned that files actually are encrypted by login - I just had the login cookie remaining in several browsers and thus was able to access them.
Are the files served by moodleinstallation/pluginfile.php/? This would include login/permission checks
I am building a notes functionality with attachments in it, I have been using Meteor Uploads for file uploading. Everything works fine except for permissions. I have searched almost everything related to this but somehow I can not find a full example neither a clear answer.
There is an event shown below which is supposed to handle permission checks, but this does not run in fibre, so you have no access to collections and UserId
validateRequest: function (req, resp) {
}
There are two issues I am trying to solve:
Allow only the users that have permission to post notes, to be able to upload files.
A way to provide more secure file accessing
The first one would not exist as an issue if there was a way to call file start upload in server(As far as I know/tried it is only called in client).
Uploader.startUpload.call(Template.instance(), e);
I have made some security checks before uploading file(calling a server method) but that is in client. I have also added a cookie after opening the page which I then validate in server in order to make files not accessible out of app.
I have also read that permissions can be achieved by using tokens/secret keys as mentioned here but could not find a proper example.
PLEASE NOTE
Maybe the first issue is not a real issue in my scenario because I have permission checks when showing Note post ability but I wanted to know what is a good approach I could take.
Most important issue I believe is the second one regarding file access, what is a proper way to serve files based on User permission? Also a good way to encrypt uploading file's name so that users do not access files by guessing the file name might be helpful.
Thank you guys!
i know that people couldn't say that this is trivial, but i have search for days in internet and can not be able to do this.
i am using visual studio 2010 ultimate and have created my setup with setup and deployment of vs 2010.the problem is that i have an application folder which contains my database and which is deployed with my application. When i deploy it in administrator part of computer, all is correct, i devined that it is due to fullcontrol permission of administrator programfiles folder.But when i deploy it in another account, application don't has access to database for writting. i looked for the web site and understood that this is due to programfiles folder permission for others users.So i decide to do another research in order to give more rights to users for this folder.
I finally understood that i can achieve this with authoring tools like robocopy by using custom action or with a command line by just correctly write my custom action. After more researchs, i understood that i can do it with a command line which use robocopy and give folder permission during installation for this custom action or only with custom action.
for custom action, i tried many links, but the best link that i obtained was (How to give Read/Write permissions to a Folder during installation using .NET) without success (i change /folder="[CommonAppDataFolder][ProductName] with /folder="[CommonAppDataFolder][Manufacturer][ProductName] in customactiondata" due to the fact that product name is in my manufacturer folder").i don't understand why this code don't change folder permissions during installing and don't know how i can use robocopy or icalcs in custom action to change folder permissions during installation. my setup and others requirements have been packaged with dotnetInstaller, i dont know if i can be able to continue use it.
please, i greatly need your help to be able to do this
i have solved the problem. After many trying, i understood that i was giving permission to the wrong folder because my documents and database were contained in programfile folder. after understand this, i only change the place to set permission by :/folder="[ProgramFilesFolder][Manufacturer][ProductName]" and permission have been setted.
I have a rule on a folder which executes a JavaScript code whenever a new document enters the folder. The issue is the rule doesn't run automatically when a document enters the folder, but I have to run it manually.
I have tried running the script in background too. If I put a rule on update, that works automatically. The problem is with creation or entering of new documents in the folder. I am using Alfresco community 4.2.f share.
Please advise.
Thanks.
I cannot recreate this problem in Alfresco Community Edition 4.2.f. Make sure that:
All of the rules are enabled
The person putting the document in folder1 has permissions to create new documents in Folder 2.
The criteria for the rules are valid
The script in Folder 2 is not actually running. The best way to validate this is by turning on the server-side JavaScript debugger by editing $TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/log4j.properties and setting log4j.logger.org.alfresco.repo.web.scripts.AlfrescoRhinoScriptDebugger=on
Alternatively, for #4, you could change to an out-of-the-box action, like another Move that would move the document to Folder 3. That's what my test does. If that works for you like it does for me, you would be able to narrow down your troubleshooting to a problem with the custom script.
when running scripts fired by rules you can't rely on search for the new doc since indexing isn't finished when the script runs. If SOLR is configured as search engine, indexing is executed async from outside the repository every 15 secs. You already may know that you can get the name from the script node?
In my asp.net website, users can upload multiple files, which reside in 'upload' folder on server's hard drive. I am saving the files by renaming them with username + original file name
Example : if I upload file 'user.text' and my code is 1000, then the file will be saved in upload folder with name '1000_user.Text'. This is for identification of file against a particular user.
Now, when admin logs in application and selects a user, he should be able to see all files uploaded by him/her. Files should be in downloadable format to him.
How can I achieve the same? I have totally no idea, how to go for it ?
This is not how you ask a question on SO. Anyway already a piece of advice :
Store your files OUTSIDE of the webroot, and use a script in your website to get the files and render it to the user. This is for security reason : if someone manages to upload a malicious file, you don't want him to be able to execute it from the web.
Store file info and upload info in a database : who uploaded what and when ? Relying on file name isn't a good idea. You could also store the file in the database eventually (as a BLOB), but I prefer the good old filesystem
I can suggest you couple of ways based on feasibility. Approach 1 - If you can make database changes, when user is uploading a file you should save dynamically generated filename against the user in database. This way when admin logs in and wants to see all the files uploaded by user, you just need to make a database query and show them in a grid. When user clicks on the file name, you can fetch the file from harddisk and allow it to download to admin.
If database change is not feasible, your task will be more difficult. You will have to query in your directory with username in all the files. You can make use of LINQ to make this task little easier to you. Once you have got all the list, show it to admin.
I would recommend you to save metadata about the file on the database (like original file name and username). Then you could use this metadata to find the files that the user have uploaded. Give the files a file name on disk that is based on a unique ID in the database table. That way a user can upload several files with the same name. Make sure that this folder is not located within you application so that they are accessible with a url for security reasons.
The most recommended way to achieve this is to use a database, it is same as a module of Gallery where a user has albums and some pictures in albums. Admin can view each user's album and pictures in the album. you have to introduce two tables in your database. I having the category information of files being uploaded (master table) and other table having the info about the files itself (details table).
The other way is to create a hierarchal folder directory for each user for file categories in your application and then recursively read the directories and fields and then list them up to show them to application users. this would be costly i guess when number of files will increase.