Make IIS site files uploaded only viewable by auth. users - authentication

We have a website which will be public facing, www.mywebsite.com, it will go to a login screen for all employees to login where all credentials and users are authenicated by what is in MS SQL.
when they upload a file it will be saved into a folder with a filepath, www.mywebsite.com/folder/myfile.pdf
Currently, anybody can take that url and copy/paste it into a browser and view the file. I do not want it to behave this way.
How can I lock down the files so only authenticated users that are logged into the website can view the files?

I'm afraid the only way to achieve this with pure IIS is create an FTP site instead. Then IIS user isolation will only people view these files uploaded by himself.
https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/ftpserver/userisolation/
The second way to achieve this with your web application is create a table in your MS SQL to record all uploaded file name and their upload users. Then only list files based on the user column. You might have to make some change in your application level.

Related

How to upload files to a folder using a specific user group login and password?

I am trying to develop an Access database that allows users to upload files to a folder on a shared drive. I have the code for doing this. However, I would like to not have anyone delete or edit files. For this, I have a folder with write permissions allowed only for one user group. Is there a way that I can upload a file using the login and password for the user group? This will ensure that the files are not edited by anyone else. Please share the code for doing this.
Thank you kindly!

upload files to any user's google drive after they authenticate

I want to upload files from my server to my users's google drive storage, after they authenticate, the questions are:
Is it possible to do that?
Do I have to re-authenticate the user every time they like to upload a new file?
Could I embed the uploaded MP4 files in my website? (using the html video source as the file's download link of the user's google drive account)
do I need to re-authenticate the user if they just want to see the embedded videos some time later, in other words, is there anyway I could save some sort of a Token so they don't keep doing that.
Is it possible to do that?
Yes
Do I have to re-authenticate the user every time they like to upload a new file?
No, store a refresh token for the user and they wont need to authenticate each time.
Could I embed the uploaded MP4 files in my website? (using the html video source as the file's download link of the user's google drive account)
I wouldn't recommend it google drive isn't really designed for hosting of files in this manner that and people would need access to the file to download it anyway, its a big can of worms.
do I need to re-authenticate the user if they just want to see the embedded videos some time later, in other words, is there anyway I could save some sort of a Token so they don't keep doing that.
Yes as mentioned if the files are uploaded to your drive account you own them. You would need to share the files with anyone that you want to have access to them. You could set the files to public but thats not the best way to go about this.
Reference
Using OAuth 2.0 to Access Google APIs

How to access BigCommerce internalapi?

I am trying to download (backup) images that customers upload for products that take custom logos (these are typically JPG, PNG, PDF, etc.) These customer files are downloadable by clicking on a hyperlink in the BigCommerce admin page for the order in question. The link is not a link to the image path but instead, a link to a service that sends the file to the browser. In other words, you have to be authenticated into the admin site to download the file. The URL looks like this:
https://mystore.com/internalapi/v1/orders/383945/products/251438/attributes/561518/download
https://mystore.com/internalapi/v1/orders/{order id}/products/{lineItem id}/attributes/{option id}/download
These are easily constructed in the API itself for a given order. If I use the link in a browser tab while I'm logged into the admin site, the file downloads.
But what I am trying to write an app to automatically download all the files (there are thousands). When I try to use this URL in an app, I get a authentication error. I tried at first using my regular API credentials but then used the credentials to log into the admin site. Both give me an authentication error.
I could not find anything documented on this so-called "internalapi." Anyone ever try to use this "internal" API that is used by the admin site?
I believe authentication is cookie based for that internal API, but there could be problems with using our non-publicly documented internal APIs in production, i.e. we may make future updates that would be breaking changes.
Images attached to orders through a file upload option also get copied to WebDAV, in the dav/product_images/configured_products folder. Another way to do this could be to use a WebDAV client library like easywebdav to connect and download the files.

Web Server for Upload files

I have a requirement where I want HTML FTP to be accessed by AD users. When users prompted to supply their AD credentials, the IIS/FTP should mapped them directly to their folders. What I want is, an HTML "Form" page/website when its accessed from internal/external it will prompt and users will supply AD credentials. Based on the permission set on the folders users will access only their folder and will upload to their folder only. The Upload as a Browse Button which will allow them to upload specified documents to their folder only. So, When they log into their computer at work they will be able to see what has been uploaded and will be able to open that document directly.
This is actually for Part Time Lectures, currently all the shared we have on a Windows 2008 R2 and permission set based on AD.
Is this doable via HTML or any other code or FTP itself. Even third party software which will be fine too.
It might be worth taking a look at plupload - depending on your usage, you might need to pay licensing: http://www.plupload.com

can I ftp-upload a file from my web page?

Is there a client or plugin that allows me to put a frame/upload field on my web site that will let my users upload files to my ftp server without an ftp client software of their own? Preferrably one where I can pre-configure the ftp username/password automatically (from data I have stored about the logged-in user)?
In a digital signage solution we let users upload video files to their account, and currently have the solution of uploading via ftp (the file is then renamed and moved, users can NOT use this feature to share video files. Furthermore it is solely about videos they themselves made, no license breakage. Just as a disclaimer =)
try third-party software like uploadify, or a service like http://www.net2ftp.com/ which can be somewhat integrated with php.