Jul 09, 2012; 01:00
Patrick Larkin
Document Security Question
I'm not sure what I want to do is possible in the method I want to do it, so here goes.
I have a directory of documents that I only want to serve to those who have logged in and authenticated and have a certain privilege level set at login. I can use this technique to show and hide a menu item or even a page listing the documents. However, someone could still guess the document name and path and snag stuff. Is there a way around this?
I used to do .htaccess files, but I'm striving for a single login system where staff log in once and have access to "hidden" parts of the website.
Thanks.
Patrick
#############################################################
This message is sent to you because you are subscribed to
the mailing list Lasso
Lasso@lists.lassosoft.com
To unsubscribe, E-mail to: <Lasso-unsubscribe@lists.lassosoft.com>
Send administrative queries to <Lasso-request@lists.lassosoft.com>
Jul 09, 2012; 01:00
Doug Gentry
Re: Document Security Question
I think what some folks have done is to store those documents outside of the web root, and then use Lasso to provide access to them. After proper authentication, Lasso could file->stream a file that is in that outside directory, but a user couldn't try and guess and download other documents because the directory is not available via the web.
I haven't implemented this, but I believe that's the approach.
....Doug
---
Doug Gentry
Dynapolis & Southern Oregon University
p: 541-261-8501
doug@dynapolis.com
www.dynapolis.com - blog: www.plain-sense.com
Jul 09, 2012; 01:00
Tim Taplin
Re: Document Security Question
Are these documents HTML, or PDF/images and other assets?
If HTML, I'd assume you would use the same authentication as the rest of your site to make sure they cannot load a page that they are not authorized for. If the files are other non-HTML assets, you may want to move them outside the webroot so that they are not available from the website URL in any way. Then you will need to link or serve them via Lasso when needed.
Tim Taplin
Jul 10, 2012; 01:00
Patrick Larkin
Re: Document Security Question
Yes, they are PDF, Word, and Excel files.
How would I link them using Lasso from outside the web root (in general terms)?
Patrick Larkin
Developer/Administrator of Special Systems / Webmaster
Bethlehem Area School District
Jul 10, 2012; 01:00
Ke Carlton
Re: Document Security Question
There are a few ways of doing it; one is to use tokens, which may be a good idea, i.e.
www.domain.com/get/document?ref=ea07a4b6-c494-4b0e-a825-efb43e3356e1
1. When the user's authenticated, generate and store the token and the file it references.
2. When the user clicks the link, check security etc., then look up the file and serve it via Lasso, i.e.
// L8.x: read the bytes from outside the web root, then hand them to file_serve
local('file_data' = file('//outside/of/root/securename.txt')->readbytes);
file_serve(#file_data, -file='friendlyname.txt',
    -type='text/plain', -disposition='attachment');
// L9
local(file_data = file('//outside/of/root/securename.txt')->readbytes)
web_response->sendfile(#file_data, 'friendlyname.txt', -type='text/plain',
    -disposition='attachment')
3. Kill the token.
You'll need to make sure that Lasso has read access to //outside/of/root, or wherever you want to store your secure files.
Ke
Jul 10, 2012; 01:00
Todd Vainisi
Re: Document Security Question
Hi Patrick,
I do this on my sites. Just make a directory above the html root to hold them in and then do something like below:
protect;
file_stream(-file='///chroot/whatever/myfile.pdf', -Name='uCanEvenRenameIt.pdf');
/protect;
Todd
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
How do you call that code? Do you create a file like the one below for every document?
Or do you do something like this:
<a href="MyFileServer.lasso?document=12">Document 12</a>
MyFileServer.lasso:
inline(
    -database='myDB',
    -table='myDocs',
    'id'=(action_param('document')),
    -search);
    var:'filename'=field('filename');
/inline;
protect;
    file_stream(-file='///chroot/whatever/' + $filename, -Name='uCanEvenRenameIt.pdf');
/protect;
Jul 11, 2012; 01:00
Doug Gentry
Re: Document Security Question
Yep - that's how I'd do it. And you could play around with the behavior of various target="_blank" settings in terms of leaving the user on a useful page.
The other piece implied here is that myfileserver.lasso would not run without some kind of authentication. You wouldn't want someone to be able to just type in the URL and make up document IDs. Even an authenticated user should not be able to reuse the link and troll for other docs. You also wouldn't want easy-to-guess IDs.
....Doug
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
I was thinking I'd look at their session before I even presented a listing and send them to the login screen if not validated.
As for the second concern, that's a concern of mine as well. But I don't really know how to deal with it.
I think .htaccess files may be a lot easier. :)
Jul 11, 2012; 01:00
Doug Gentry
Re: Document Security Question
Hmm -
So the document info is stored in a table. When you store it, a unique ID doesn't have to be a sequential number. It could be lasso_uniqueid (?) or something else. Then a curious authenticated user couldn't try to re-use the URL since they wouldn't be able to guess another ID.
.....Doug
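The token flow Ke outlined (issue after authentication, check and serve, then kill the token), with the constraints Doug raises (nothing guessable, no reuse of a link by another user or a second time), as an added Python example that is not part of the thread and not Lasso code; the vault directory, the catalogue, the session object and all names are constructed stand-ins.

```python
"""Token-gated download of files kept outside the web root (added example).

Flow: (1) after login, mint a random token that records user + document + expiry;
(2) on the download request, check the token, resolve the file inside the
protected directory and return the path for whatever streams it; (3) retire the
token so the link cannot be replayed. Directory and names are constructed.
"""
import os
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical directory the web server never serves directly.
VAULT_ROOT = "/srv/protected-docs"


@dataclass
class Session:
    user: str
    privilege: str          # e.g. "staff" as set at login, or "public"


@dataclass
class DocumentVault:
    root: str
    catalogue: dict         # opaque document id -> file name relative to root
    required_privilege: str = "staff"
    token_ttl: float = 300.0          # seconds a download link stays valid
    _tokens: dict = field(default_factory=dict)

    def _authorized(self, session):
        return session.privilege == self.required_privilege

    def list_for(self, session):
        """The listing page: an unprivileged session sees nothing at all."""
        return sorted(self.catalogue) if self._authorized(session) else []

    def issue_token(self, session, doc_id, now=None):
        """Step 1: mint and store a token bound to this user and this document."""
        if not self._authorized(session) or doc_id not in self.catalogue:
            return None
        token = secrets.token_urlsafe(32)      # 256 random bits, URL-safe alphabet
        expires = (time.time() if now is None else now) + self.token_ttl
        self._tokens[token] = (session.user, doc_id, expires)
        return token

    def redeem(self, session, token, now=None):
        """Steps 2 and 3: validate, map to a file path, and kill the token.

        Returns the absolute path to stream, or None. The token is removed on
        every attempt, so a wrong-user or expired attempt burns it as well.
        """
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None                        # unknown, guessed or already used
        user, doc_id, expires = entry
        if user != session.user or not self._authorized(session):
            return None                        # someone else reusing the link
        if (time.time() if now is None else now) > expires:
            return None
        return self._contained_path(self.catalogue[doc_id])

    def _contained_path(self, relative_name):
        """Refuse any catalogue entry that would resolve outside the vault."""
        root = os.path.realpath(self.root)
        candidate = os.path.realpath(os.path.join(root, relative_name))
        if os.path.commonpath([root, candidate]) != root:
            return None
        return candidate


if __name__ == "__main__":
    vault = DocumentVault(VAULT_ROOT, {"a1b2c3": "handbook.pdf"})
    alice = Session("alice", "staff")
    link = vault.issue_token(alice, "a1b2c3")
    print("download link: /get/document?ref=" + link)
    print("serve:", vault.redeem(alice, link))
    print("replay:", vault.redeem(alice, link))     # None: the token was killed
```

The path returned by `redeem` is what the Lasso side would pass to file_stream or web_response->sendfile; everything before that point is the authorization gate the thread is asking for.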
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
I could use some sort of two way encryption to make a really long string out of the ID.
Currently, I don't have the filenames in a database or anything. I just have them in a directory with an .htaccess file and htpasswd file. No one gets anything out without authenticating first. I have to maintain the htpasswd file separately from the auth database, which is a hassle.
Jul 12, 2012; 01:00
Rick Draper
RE: Document Security Question
> Currently, I don't have the filenames in a database or anything.
We use two tables - let's call them 'myfiles' and 'myfilesdata' (myfilesdata is used to hold a copy of the file in a database, but the file is normally served from the directory on the server, if the file exists there).
It would be a relatively easy task for you to move a copy of the files you want to protect to a new directory (e.g. _files) and set Apache to not allow access to that directory (Lasso will need permissions). Iterate through the files (using Lasso) and put an entry in the myfiles table, with applicable information, including the path to the file... bingo, you now have a table with all your file information.
I have to prep for a meeting, but hopefully this assists you along the way.
Very best regards,
Rick
Jul 12, 2012; 01:00
Rick Draper
RE: Document Security Question
> How do you call that code? Do you create a file like the one below for every document?
> Or do you do something like this: <a href="MyFileServer.lasso?document=12">Document 12</a>
You don't create a file for each document, just call it via a link as you showed... with my previous suggestion, use that iterate process to create a reasonable ID for each file, so you would do this based on your example...
<a href="MyFileServer.lasso?d=f38f8148-1d76-11e1-ab7d-001636071d1b">Document 12</a>
Very best regards,
Rick
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
That would be great as I have an awful lot of files.
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
I've got a sort of working model now.
Something like:
var('out') = '<a href="MyFileServer.lasso?document=' + (encode_base64(encrypt_blowfish('1', -seed='foo'))) + '">Test Document</a>';
Looks up the real name in a table and uses Todd's tip on file_stream to send the file.
The only downside is that a PDF is sent to the user's downloads folder and not opened inline in the browser.
The big job now is to populate that database full of filenames and descriptions.
Also, I'm not sure about serving from outside the webroot. What is the proper syntax? Todd used:
-file='///chroot/whatever/myfile.pdf'
As an example. If I'm using a standard Mac OS X filesystem, would I write it like this? Do I need three slashes?
-file='///Library/Server/Web/MyProtectedDirectory/myfile.pdf'
And then somehow set Lasso to be able to read it?
On Jul 11, 2012, at 3:10 PM, Rick Draper wrote:
>
>> How do you call that code? Do you create a file like the one below for every document?
>> Or do you do something like this: <a href="MyFileServer.lasso?document=12">Document 12</a>
>
> You don't create a file for each document, just call it via a link as you showed... with my previous suggestion, use that iterate process to create a reasonable ID for each file, so you would do this based on your example...
>
> <a href="MyFileServer.lasso?d=f38f8148-1d76-11e1-ab7d-001636071d1b">Document 12</a>
>
> Very best regards,
>
> Rick
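The serving side of the pattern worked out in this post (an id in the link that reveals nothing by itself, the real name looked up server-side after the login check, the file streamed from a directory outside the web root, and the inline-versus-download question) as an added Python example. It is not Lasso code and not anyone's code from the thread; DOC_ROOT, CATALOG, register() and serve_document() are names assumed here, and the session dict stands in for whatever the login system records.

```python
"""Serve a protected file through an opaque token (constructed example, not Lasso).

Documents live outside the web root, the link carries a token that means nothing
on its own, and the server maps the token to a real file only after checking the
session.  All names below are made up for this example."""
import mimetypes
import os
import secrets
import tempfile

# Assumed protected directory outside the web root (a temp dir so the example runs
# anywhere).  Nothing under it can be fetched by guessing a URL.
DOC_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="protected_docs_"))

# Stand-in for the lookup table: token -> (real filename, description, minimum level).
CATALOG = {}


def register(filename, description, min_level):
    """Issue an unguessable token for a file.

    A random token needs no key to protect, whereas an encrypted sequence number
    is only as unguessable as the key and seed that produced it.  Rick's
    UUID-style id in the thread has the same intent."""
    token = secrets.token_urlsafe(16)
    CATALOG[token] = (filename, description, min_level)
    return token


def serve_document(token, session):
    """Return (status, headers, body) for one download request.

    session is the server-side login record, e.g. {"authenticated": True, "level": 2}.
    The token only hides the filename; the login and level checks run every time."""
    if not session.get("authenticated"):
        return 401, {}, b""
    entry = CATALOG.get(token)
    if entry is None:
        return 404, {}, b""            # unknown token looks the same as a missing file
    filename, _description, min_level = entry
    if session.get("level", 0) < min_level:
        return 403, {}, b""
    # Defence in depth: the name came from our own table, but still refuse to open
    # anything that resolves outside DOC_ROOT (a bad row, "..", a symlink).
    full = os.path.realpath(os.path.join(DOC_ROOT, filename))
    if os.path.commonpath([full, DOC_ROOT]) != DOC_ROOT or not os.path.isfile(full):
        return 404, {}, b""
    with open(full, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": mimetypes.guess_type(filename)[0] or "application/octet-stream",
        # "inline" asks the browser to show a PDF in place; "attachment" forces the
        # save-to-Downloads behaviour described in the post.
        "Content-Disposition": 'inline; filename="%s"' % os.path.basename(filename),
        "Content-Length": str(len(body)),
    }
    return 200, headers, body


def make_sample_document():
    """Constructed input: one small PDF-looking file in DOC_ROOT, registered as
    needing privilege level 2.  Returns its token."""
    with open(os.path.join(DOC_ROOT, "sample.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample, not a real document\n")
    return register("sample.pdf", "Sample form", 2)


if __name__ == "__main__":
    tok = make_sample_document()
    print(serve_document(tok, {"authenticated": True, "level": 2})[:2])
```

The containment check matters even though the filename never comes from the client: a mistyped row or a symlink in the protected directory would otherwise turn the download handler into a way of reading arbitrary files the web server process can open. The Content-Disposition header is what decides whether the browser renders the PDF or saves it.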
Jul 12
Rick Draper RE: Document Security Question
Jul 12, 2012; 01:00
Rick Draper
RE: Document Security Question
This won't suit everyone, but it might assist with creating that initial table...
CREATE TABLE `myfiles` (
`seq` bigint(30) NOT NULL AUTO_INCREMENT,
`ref` varchar(20) CHARACTER SET utf8 DEFAULT NULL COMMENT 'Human friendly way of referring to files',
`type` varchar(60) CHARACTER SET utf8 DEFAULT NULL COMMENT 'for Lasso when serving like image/jpg',
`description` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
`source_filename` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
`local_filename` varchar(255) CHARACTER SET utf8 DEFAULT NULL COMMENT 'If stored as a different name to avoid spaces and high ASCII',
`local_path` varchar(255) CHARACTER SET utf8 DEFAULT NULL COMMENT 'Make sure it ends with a trailing slash and that it is relative',
`file_ext` varchar(10) CHARACTER SET utf8 DEFAULT NULL COMMENT 'no dot (.)',
`set` varchar(60) CHARACTER SET utf8 DEFAULT NULL COMMENT 'used when doing a batch upload, like using the java upload',
`file_date` date DEFAULT NULL,
`xid` varchar(60) CHARACTER SET utf8 DEFAULT NULL,
`to_display` char(1) CHARACTER SET utf8 DEFAULT 'Y',
`lock` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
`last_action` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
`deleted_datetime_gmt` datetime DEFAULT NULL,
`update_operator_name` varchar(100) CHARACTER SET utf8 DEFAULT NULL,
`update_datetime` datetime DEFAULT NULL,
`update_datetime_local` datetime DEFAULT NULL,
`update_datetime_gmt` datetime DEFAULT NULL,
`update_ip` varchar(100) CHARACTER SET utf8 DEFAULT NULL,
PRIMARY KEY (`seq`),
UNIQUE KEY `ID` (`xid`),
UNIQUE KEY `ref` (`ref`)
) ENGINE=InnoDB AUTO_INCREMENT=75308 DEFAULT CHARSET=utf8 COLLATE=utf8_swedish_ci ROW_FORMAT=COMPACT;
-----Original Message-----
From: lasso-bounces@lists.lassosoft.com [mailto:lasso-bounces@lists.lassosoft.com] On Behalf Of Patrick Larkin
Sent: Thursday, 12 July 2012 5:33 AM
To: lasso@lists.lassosoft.com
Subject: Re: Document Security Question
That would be great as I have an awful lot of files.
Jul 12
Rick Draper RE: Document Security Question
Jul 12, 2012; 01:00
Rick Draper
RE: Document Security Question
> That would be great as I have an awful lot of files.
I really have to dash, but check out http://reference.lassosoft.com/Reference.LassoApp?[File_ListDirectory] to build an array which you can loop through to build your table
Very best regards,
Rick
Jul 11
Patrick Larkin Re: Document Security Question
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
My initial table has three fields:
ID
Filename
Description
:)
I was thinking of hardcoding the path because I want to put everything in one place. Perhaps a subdirectory might be a good idea. It looks like you have a system where people are updating forms. This might be something I'd be interested in doing at some point.
Patrick Larkin
Developer/Administrator of Special Systems / Webmaster
Bethlehem Area School District
On Jul 11, 2012, at 3:42 PM, Rick Draper wrote:
> This won't suit everyone, but it might assist with creating that initial table...
>
> CREATE TABLE `myfiles` (
> `seq` bigint(30) NOT NULL AUTO_INCREMENT,
> `ref` varchar(20) CHARACTER SET utf8 DEFAULT NULL COMMENT 'Human friendly way of referring to files',
> `type` varchar(60) CHARACTER SET utf8 DEFAULT NULL COMMENT 'for Lasso when serving like image/jpg',
> `description` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
> `source_filename` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
> `local_filename` varchar(255) CHARACTER SET utf8 DEFAULT NULL COMMENT 'If stored as a different name to avoid spaces and high ASCII',
> `local_path` varchar(255) CHARACTER SET utf8 DEFAULT NULL COMMENT 'Make sure it ends with a trailing slash and that it is relative',
> `file_ext` varchar(10) CHARACTER SET utf8 DEFAULT NULL COMMENT 'no dot (.)',
> `set` varchar(60) CHARACTER SET utf8 DEFAULT NULL COMMENT 'used when doing a batch upload, like using the java upload',
> `file_date` date DEFAULT NULL,
> `xid` varchar(60) CHARACTER SET utf8 DEFAULT NULL,
> `to_display` char(1) CHARACTER SET utf8 DEFAULT 'Y',
> `lock` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
> `last_action` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
> `deleted_datetime_gmt` datetime DEFAULT NULL,
> `update_operator_name` varchar(100) CHARACTER SET utf8 DEFAULT NULL,
> `update_datetime` datetime DEFAULT NULL,
> `update_datetime_local` datetime DEFAULT NULL,
> `update_datetime_gmt` datetime DEFAULT NULL,
> `update_ip` varchar(100) CHARACTER SET utf8 DEFAULT NULL,
> PRIMARY KEY (`seq`),
> UNIQUE KEY `ID` (`xid`),
> UNIQUE KEY `ref` (`ref`)
> ) ENGINE=InnoDB AUTO_INCREMENT=75308 DEFAULT CHARSET=utf8 COLLATE=utf8_swedish_ci ROW_FORMAT=COMPACT;
>
> -----Original Message-----
> From: lasso-bounces@lists.lassosoft.com [mailto:lasso-bounces@lists.lassosoft.com] On Behalf Of Patrick Larkin
> Sent: Thursday, 12 July 2012 5:33 AM
> To: lasso@lists.lassosoft.com
> Subject: Re: Document Security Question
>
> That would be great as I have an awful lot of files.
Jul 11
Patrick Larkin Re: Document Security Question
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
Rick -
Sure, I don't expect you to write anything for me. :)
I've used those tags in the past but only to display a directory listing. I'm sure taking it a bit further won't be too difficult.
Thanks for your help!
Patrick
On Jul 11, 2012, at 3:47 PM, Rick Draper wrote:
>> That would be great as I have an awful lot of files.
>
> I really have to dash, but check out http://reference.lassosoft.com/Reference.LassoApp?[File_ListDirectory] to build an array which you can loop through to build your table
>
> Very best regards,
>
> Rick
Jul 12
Rick Draper RE: Document Security Question
Jul 12, 2012; 01:00
Rick Draper
RE: Document Security Question
> I was thinking of hardcoding the path because I want to put everything in one place.
Be careful with this if you have a lot of files - we have found that there are marked performance issues (dependent upon a number of variables) but distributing files among a number of appropriate directories works reliably (we use dates).
Very best regards,
Rick
Jul 11
Patrick Larkin Re: Document Security Question
Jul 11, 2012; 01:00
Patrick Larkin
Re: Document Security Question
Are your documents constantly changing? This would just be a directory of 100 or so internal forms that I don't care to share with the public. But if they do get shared, they aren't sensitive or anything.
Patrick
On Jul 11, 2012, at 3:55 PM, Rick Draper wrote:
>> I was thinking of hardcoding the path because I want to put everything in one place.
>
> Be careful with this if you have a lot of files - we have found that there are marked performance issues (dependent upon a number of variables) but distributing files among a number of appropriate directories works reliably (we use dates).
>
>
> Very best regards,
>
> Rick
Jul 12
Rick Draper RE: Document Security Question
Jul 12, 2012; 01:00
Rick Draper
RE: Document Security Question
> Are your documents constantly changing? This would just be a directory of 100 or so internal forms that I don't care to share with the public. But if they do get shared, they aren't sensitive or anything.
In the case of 100 or even a few hundred, you won't see a difference - I would just suggest that having the flexibility in the initial design to store and use a path (even if it is all the same in the initial use) may be valuable down the track when you decide that you need other file handling.
Among many other things, we manage ID Card photos and images of the cards themselves to counter fraudulent use of Chinese clones by students sitting exams for other students (put whatever face you like on a copy of your own student ID - enterprising to say the least)... so we can have a thousand added in a few hours... very different from your situation.
Very best regards,
Rick
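The cataloguing side of the thread, gathered into one added Python example: the `myfiles` schema Rick posted (trimmed to the columns the download handler needs), his File_ListDirectory suggestion for looping over the files to fill the table, his advice to spread files over date-based subdirectories, and his point about storing a path per row even while every row uses the same one. This is not Lasso code and not the code of anyone in the thread; catalogue_directory(), safe_local_name(), dated_subdirectory() and the sample files are all constructed here, and SQLite stands in for MySQL.

```python
"""Build the catalogue table from a directory listing (constructed example, not Lasso).

Each file gets an ASCII local name without spaces, a relative month-based path
with a trailing slash, an extension without the dot, and a random xid for links.
All function names are made up for this example."""
import datetime
import os
import re
import shutil
import sqlite3
import tempfile
import unicodedata
import uuid

# Subset of the thread's myfiles table; the comments mirror the originals.
SCHEMA = """CREATE TABLE myfiles (
  seq INTEGER PRIMARY KEY AUTOINCREMENT,
  ref TEXT UNIQUE,        -- human friendly way of referring to files
  type TEXT,              -- MIME type to send when serving
  description TEXT,
  source_filename TEXT,   -- name as received
  local_filename TEXT,    -- stored name: ASCII, no spaces
  local_path TEXT,        -- relative, ends with a trailing slash
  file_ext TEXT,          -- no dot
  file_date TEXT,
  xid TEXT UNIQUE         -- unguessable id used in download links
)"""
MIME_BY_EXT = {"pdf": "application/pdf", "jpg": "image/jpeg", "png": "image/png"}


def safe_local_name(name, used):
    """Flatten a source filename to lower-case ASCII with underscores and keep it
    unique within the run, since two names can collide after cleaning."""
    stem, ext = os.path.splitext(name)
    stem = unicodedata.normalize("NFKD", stem).encode("ascii", "ignore").decode()
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", stem).strip("_.").lower() or "file"
    ext = ext.lower()
    candidate, n = stem + ext, 1
    while candidate in used:
        n += 1
        candidate = "%s_%d%s" % (stem, n, ext)
    used.add(candidate)
    return candidate


def dated_subdirectory(day):
    """One directory per month, relative, trailing slash: '2012/07/'."""
    return "%04d/%02d/" % (day.year, day.month)


def catalogue_directory(src_dir, store_root, db):
    """Copy every regular file in src_dir into store_root/<yyyy>/<mm>/ and insert
    one row per file.  Returns the inserted rows as dicts."""
    db.execute(SCHEMA)
    used, rows = set(), []
    for entry in sorted(os.scandir(src_dir), key=lambda e: e.name):
        if not entry.is_file() or entry.name.startswith("."):
            continue                      # skip dotfiles such as .DS_Store
        file_date = datetime.date.fromtimestamp(entry.stat().st_mtime)
        local_name = safe_local_name(entry.name, used)
        rel = dated_subdirectory(file_date)
        ext = os.path.splitext(local_name)[1].lstrip(".")
        os.makedirs(os.path.join(store_root, rel), exist_ok=True)
        shutil.copy2(entry.path, os.path.join(store_root, rel, local_name))
        row = {
            "ref": local_name,
            "type": MIME_BY_EXT.get(ext, "application/octet-stream"),
            "description": os.path.splitext(entry.name)[0],
            "source_filename": entry.name,
            "local_filename": local_name,
            "local_path": rel,
            "file_ext": ext,
            "file_date": file_date.isoformat(),
            "xid": str(uuid.uuid4()),     # random, not derived from time or host
        }
        cols, marks = ", ".join(row), ", ".join("?" * len(row))
        db.execute("INSERT INTO myfiles (%s) VALUES (%s)" % (cols, marks), tuple(row.values()))
        rows.append(row)
    db.commit()
    return rows


def make_sample_source(mtime=1341144000):
    """Constructed input: three PDFs (one with spaces and accents, one that collides
    with another after cleaning), all dated 2012-07-11 12:00 UTC, plus a dotfile."""
    src = tempfile.mkdtemp(prefix="sample_src_")
    for name in ("Field Trip Form.pdf", "field_trip_form.PDF",
                 "R\u00e9sum\u00e9 Template.pdf", ".DS_Store"):
        path = os.path.join(src, name)
        with open(path, "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        os.utime(path, (mtime, mtime))
    return src


def demo():
    """Build the catalogue for the sample directory.  Returns (rows, row count in
    the table, whether every copied file exists where its row says)."""
    db = sqlite3.connect(":memory:")
    store = tempfile.mkdtemp(prefix="protected_store_")
    rows = catalogue_directory(make_sample_source(), store, db)
    count = db.execute("SELECT COUNT(*) FROM myfiles").fetchone()[0]
    present = all(os.path.isfile(os.path.join(store, r["local_path"], r["local_filename"]))
                  for r in rows)
    return rows, count, present
```

Keeping `local_path` in every row costs nothing while all files share one directory and is what lets the month-based layout be introduced later without rewriting the download handler. The xid is a random UUID rather than a time-based one, so it reveals neither when the file was added nor which host generated it.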