On 9 January 2013 23:39, Jesse Tayler <jtayler@oeinc.com> wrote:

The reason this is important is that using a custom handler to check
that our currently logged in user can access the given attachment we
lose all visibility of who is actually logged in.

I may be misunderstanding the issue here, but wouldn't this be a place to use the ERAttachmentRequestHandler.Delegate?
True, the session isn't part of the link that is created, but the request handler (delegate) has the context, from which you can get the session and do whatever you want with it.

This is just a skeleton of the code I'm working with, but this gets the session from the context and the user from the session. Since I have the attachment already, I can walk the authorizations to see if the user should be able to see the attachment.

import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;
import er.attachment.ERAttachmentRequestHandler;
import er.attachment.model.ERAttachment;

// Session and AppUser are the application's own classes.
public class AttachmentSecurityDelegate implements ERAttachmentRequestHandler.Delegate {

    @Override
    public boolean attachmentVisible(ERAttachment attachment,
                                     WORequest request, WOContext context) {
        // _session() returns the session already bound to the request without
        // creating one; it is null when the request carries no session, so guard
        // the cast instead of letting it throw.
        WOSession session = context._session();
        AppUser user = (session == null) ? null : ((Session) session).getUser();

        // spend some more time checking for roles etc and auditing, but this is
        // basically if a user is logged in
        // let them see the attachment
        return user != null;
    }

}


This is just using the regular ERAttachmentRequestHandler, adding the delegate in Application.finishInitialization():

    // Look up the attachment request handler registered by ERAttachment and
    // install our delegate on it.
    ((ERAttachmentRequestHandler) Application.application()
            .requestHandlerForKey(ERAttachmentRequestHandler.REQUEST_HANDLER_KEY))
            .setDelegate(new AttachmentSecurityDelegate());




Larry Mills-Gahl
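A fuller version of the same delegate, written here as an added example rather than taken from Larry's or Wonder's own code. It denies by default, treats the no-session case (which is exactly what an ERAttachmentLink URL produces when the session ID lives in the URL rather than a cookie) as an anonymous request, and records each decision. It assumes the application's own Session and AppUser classes, a hypothetical AppUser.canViewAttachment(ERAttachment) that holds the application's authorization rules, and a hypothetical AppUser.username().

```java
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;
import com.webobjects.foundation.NSLog;
import er.attachment.ERAttachmentRequestHandler;
import er.attachment.model.ERAttachment;

/**
 * Added example, not from the thread. Session, AppUser, canViewAttachment()
 * and username() are assumed application-side classes and methods.
 */
public class AuditingAttachmentDelegate implements ERAttachmentRequestHandler.Delegate {

    @Override
    public boolean attachmentVisible(ERAttachment attachment, WORequest request, WOContext context) {
        // _session() returns the session already bound to this request without creating
        // one. With URL-based session IDs an ERAttachmentLink URL carries no session ID,
        // so this is null: the request is anonymous and is refused, not treated as an error.
        WOSession wosession = context._session();
        if (wosession == null) {
            deny(attachment, request, "no session on request");
            return false;
        }
        AppUser user = ((Session) wosession).getUser();
        if (user == null) {
            deny(attachment, request, "session has no logged-in user");
            return false;
        }
        // Being logged in is necessary but not sufficient: check this user against
        // this attachment (hypothetical application method).
        if (!user.canViewAttachment(attachment)) {
            deny(attachment, request, "user " + user.username() + " not authorized");
            return false;
        }
        NSLog.out.appendln("attachment allowed: user=" + user.username()
                + " file=" + attachment.originalFileName());
        return true;
    }

    // Central place for the audit trail of refused requests; originalFileName() and
    // uri() are the ERAttachment and WORequest accessors.
    private void deny(ERAttachment attachment, WORequest request, String reason) {
        NSLog.out.appendln("attachment denied: file=" + attachment.originalFileName()
                + " uri=" + request.uri() + " reason=" + reason);
    }
}
```

Registered the same way as in the message above, via setDelegate() on the ERAttachmentRequestHandler in Application.finishInitialization().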




On Jan 10, 2013, at 11:19 AM, Robin Smith <robin.smith@clicktravel.com> wrote:

That's what I thought too, I just didn't want to go and start changing
behaviour without confirming.

Thanks

Robin

On 10 January 2013 16:12, Ramsey Gurley <rgurley@smarthealth.com> wrote:
It's probably just that no one ever had that problem with it before. It's not hard to imagine with such a small group of wo devs that the exact combination you describe would go unnoticed. Sounds like a bug.

Ramsey

On Jan 10, 2013, at 2:56 AM, Robin Smith wrote:

Hi Jesse

I think we may be talking about different things. ERAttachmentLink is used
to create a hyperlink on your page to download ERAttachments, in our
case from S3. Put simply, the URL that the link creates doesn't include
the session ID.

Many Thanks

Robin

On 9 January 2013 23:39, Jesse Tayler <jtayler@oeinc.com> wrote:

well, me thinks file upload is done without a session that way because uploading files takes a long time and can cause session timeouts on its own.

is that what you mean?

as for your security issue? I am not certain why you lose visibility of who is logged in? certainly you should be able to do this in a reasonably secure way, so I don't entirely follow what is going on there.

On Jan 9, 2013, at 12:43 PM, Robin Smith <robin.smith@clicktravel.com> wrote:

Hi All

We have a question regarding ERAttachmentLink: following the code through, it
seems that it doesn't preserve the session when it creates the links.
The reason this is important is that, using a custom handler to check
that our currently logged in user can access the given attachment, we
lose all visibility of who is actually logged in.

If the app is using cookies for its sessions all is fine, as the
session is retrieved from the cookie, but if the session is in the URL
then it all breaks down. I can obviously tweak ERAttachmentLink to
preserve the session if needed, but before I started I wanted to know
if there is any reason why it was done in this way.

Many Thanks

Robin

--

------------------------------
Click Travel Ltd
Taking business travel and expenses one step further
http://www.clicktravel.com

_______________________________________________
Wonder-disc mailing list
Wonder-disc@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wonder-disc




--
Robin Smith
Engineering Team Leader  BEng (Hons) MBCS
