1

With DotNetNuke, I discovered the option to use secure folders. How can we keep the full URL of a file within a given security folder normal? (i.e. without the token process attached to the URL and displaying the full path to the folder).

There are a number of reasons why I would need the path/name of a file readable to it's original location. Yes I want the folder to be only accessible to members privileged to that location, but not at the expense of changing the path / file name with a token.

So regardless if you are logged in or not, you should notice the existance of 

http://dnnsite.com/my-secure-folder/my-file.pdf

  • If you are logged out, then an action occurs saying you are not permitted to view this file.

  • If you are logged in, then you have full view access to this URL

Thanks

klewis
  • 7,459
  • 15
  • 58
  • 102

1 Answers1

2

It would not be secure then. To access a file in the way your url is formed, you have to use a "normal" folder, but you cannot achieve your goal to restrict access.

To explain: Files that are uploaded to a secure folder get an extra extension (".resources") to their original file name. Files with this extension will not be delivered by IIS (at least not in the default settings), and DNN provides a file handler ("LinkClick.aspx") that delivers the file with this extension, and also ensures that the user who tries to access the file hat the required permissions in the secure folder.

What you can do on your site is something like a link in an HTML module that is available to everyone, but uses the file handler to access the file, and the folder is restriced to a specific role (<a href="/LinkClick.aspx?fileticket=...">http://dnnsite.com/my-secure-folder/my-file.pdf</a>). This leads to the login screen when a user is not logged in.

Michael Tobisch
  • 1,034
  • 6
  • 15
  • Michael I re-read your solution and I think that may work. Do you happen to know of a web site to talks more about your suggestion you mentioned in implementing rh LinkClick in the href and redirecting users to the login screen if they are not logged in? Looking for more creative ways with this. Thanks a million! – klewis Feb 23 '17 at 14:58
  • Sorry, have not seen your comment before, so maybe an answer is already obsolete. Nevertheless: It is easy, and it works. I don't know of an article about this, but it is quite easy to implement. Just select the appropriate option (something like "Relative Secured Url" or "Absolute Secured Url") when you enter the link in the HTML module. This option can be found when you click the "Browse server" button... – Michael Tobisch Feb 07 '18 at 12:26