ofbiz-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hans Bakker <mailingl...@antwebsystems.com>
Subject Re: Digital downloads and security
Date Tue, 17 May 2011 05:03:54 GMT
If you make sure the link can only be accessed by loggedin users, and
the download is linked to an completed order, security should be fine?

On Mon, 2011-05-16 at 14:04 +0000, Esch, Guido wrote:
> Hi all,
> 
> 
> currently i'm struggling with the handling of digital download products. (Version is
1057550 but would guess we will merge to current trunk very soon again) The "normal" handling
works fine. Configuring the product, adding the content, buying, download using the "downloadDigitalProduct"
method works as intended.
> But in my system the contend is accessible using the "stream" url. (e.g. /content/control/stream?contentId=12231)
So if somebody knows ofbiz he might get access to all downloads by simply guessing the content
ids. There seems be a way using a custom genericContentPermission Service. But to be honest,
for something like digital downloads i would guess there is a standard mechanism like the
one in downloadDigitalProducts which protects this files in general, without writing a custom
permission service. (which i haven't discovered yet) But if its required to write a new one,
are there any suggestions to get this working an efficient way? I'm thinking of checking the
ProductContentType to make sure the digital downloads are not served using the stream. But
that sounds not very efficient to me. And it also leads to some leaks as soon as  the configuration
gets inconsistent. (For some reason the ProductContent is removed, but not the Content and
Resource entity.) Not more secure but although even slower, checking the OrderRoleAndProductContentInfo
to make the user has the permission to get this content, but even than, i have to ensure its
a digital download content. My last idea, adding a custom attribute to the content when creating
(uploading the file) the content. But that feels like a quick fix to me. Therefore i'm open
to any suggestions.
> 
> Best Regards,
> 
> Guido Esch
> 
> direkt gruppe
> 
> networks direkt GmbH
> Griegstra├če 75, Haus 2
> 22763 Hamburg
> Fon: +49 (40) 88155-0
> Fax: +49 (40) 88155-5200
> 
> mailto:Guido.Esch@direkt-gruppe.de
> www.direkt-gruppe.de
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> ________________________________
> 
> Rechtliche Hinweise:
> 
> networks direkt Gesellschaft fuer Informationstechnologie mbH * Geschaeftsfuehrer * Dipl.-Inform.
(FH) Gerald Jenner * Dipl.-Ing. (FH) Kai Petersen * Dipl.-Inform. (FH) Nils Schultz * Sitz
Hamburg * AG Hamburg HRB 83072 * USt-IdNr. DE812564499
> 
> solutions direkt Gesellschaft fuer Loesungsentwicklung mbH * Geschaeftsfuehrer * Dipl.-Inform.
Markus Breilmann * Dipl.-Inform. (FH) Nils Schultz * Sitz Hamburg * AG Hamburg HRB 83605 *
USt-IdNr. DE813614829
> 
> marketing solutions direkt Gesellschaft fuer innovatives Marketing mbH * Geschaeftsfuehrer
* Karsten Kirsch * Kai Jasper Meifort * Sven Severin * Sitz Hamburg * AG Hamburg HRB 104217
* USt-IdNr. DE814956207
> 
> Anschrift * Griegstrasse 75, Haus 2 * 22763 Hamburg
> 
> Diese elektronische Nachricht enthaelt vertrauliche Informationen, die nur fuer die im
Text bezeichneten Personen bestimmt sind. Die Nachricht ist durch das Briefgeheimnis geschuetzt
und unterliegt gegebenenfalls den Regeln zum Schutz der Vertraulichkeit. Jede Benutzung, Versendung,
Herstellung von Kopien oder Veroeffentlichung durch andere Personen ist ohne Zustimmung des
Absenders untersagt. Wenn Sie diese Nachricht irrtuemlich erhalten haben, bitten wir Sie hoeflichst,
sie auf Ihren Systemen zu loeschen und den Absender umgehend zu benachrichtigen.
> 
> This electronic mail transmission contains confidential information intended only for
the person(s) named. It is subject to the laws of mail secrecy and may be protected by legal
privileges. Any use, distribution, copying or disclosure by another person is strictly prohibited
without the consent of the sender. If this transmission has been received in error, you are
kindly requested to delete it from your system and to contact the sender immediately.

-- 
Ofbiz on twitter: http://twitter.com/apache_ofbiz
Myself on twitter: http://twitter.com/hansbak
Antwebsystems.com: Quality services for competitive rates.


Mime
View raw message