User denied permission to get another user's info like image
  • Hi Karim,

    I am trying to GetFile for a login other than the user requesting it; in other words, a user is trying to get the image of another user, and I am getting permission denied.

    I tried to edit the ACL of apsdb.users but it is still not working.

    Could you kindly advise a way so that a user can access other users' fields like image?

    Thank you.
  • Hello,

    I do not understand what you mean with: "...I tried to edit the ACL apsdb.users but still not working."

    This said, kindly consider the two possible cases:

    Case 1) If your file is attached to a field of the user profile ("apsdb_user" schema), then you need to make sure that this file is contained in an ACL group that grants read permissions to authenticated users, as in the below example:

    ...
    <aclGroup name="allUsersCanRead">
      <read>authenticated</read> <!-- authenticated users can read values of the fields in this section -->
      <write>creator</write>
      <fields>
        <field>phone</field>
        <field>picture</field>
      </fields>
    </aclGroup>
    ...
    <fields> <!-- picture should be of type "file" -->
      ...
      <field name="picture" type="file"/>
      ...
    </fields>

    Then, since you cannot invoke "GetFile" on a user profile, you should create a script that retrieves the image and streams it back to the caller, since scripts can run with the owner's privileges. The "execute" ACL of the script should be set to "authenticated", so you can send a request to it signed with the other user's credentials.

    var fieldName = "the_field_name";
    var fileName = "the_file_name";
    var status = 200;
    // "the_user_login" is that of the user who owns the file in his profile
    return apsdb.serveUserFile(status, null, fieldName, fileName, null, "the_user_login");

    Case 2) If your file is rather attached to an Apstrata document that is associated with a schema, then the field to which you are attaching the file should be part of a section that grants read permission to authenticated users (role = "authenticated" or "authenticated-users"), as in the below example:

    <schema>
      <aclGroups>
        <aclGroup name="owner">
          <read>creator</read>
          <write>creator</write>
          <fields>
            <!-- Only the creator of the document has read/write permissions on field1 -->
            <field>field1</field>
          </fields>
        </aclGroup>
        <aclGroup name="allUsers">
          <read>authenticated</read>
          <write>creator</write>
          <fields>
            <!-- authenticated users have read permissions on field2 and field3 -->
            <field>field2</field>
            <field>field3</field>
          </fields>
        </aclGroup>
        <schemaAcl>
          <read>nobody</read>
          <write>nobody</write>
          <delete>nobody</delete>
        </schemaAcl>
      </aclGroups>
      <fields> <!-- field3 is of type file -->
        <field name="field1" type="string"/>
        <field name="field2" type="string"/>
        <field name="field3" type="file"/>
      </fields>
    </schema>

    Sending a signed request to the GetFile API to retrieve the file attached to field3 in an Apstrata document should work perfectly.

    Keep me posted.

    Karim
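    The script in Case 1 runs with its owner's privileges, so the script itself is the only thing standing between any authenticated caller and every field of every profile. The following is an added example (not Apstrata's code and not from this thread) of the input check a practitioner would put in front of the privileged call when the login, field name or file name come from the request: only an allow-listed field can be served, and malformed names are rejected before anything is streamed. `SERVABLE_FIELDS`, the two regular expressions and the `serve` callback are assumptions; in a real Apstrata script `serve` would be `apsdb.serveUserFile`.

```javascript
// Added example (not Apstrata's code): parameter validation in front of a
// file-serving script that runs with the script owner's privileges.
// The caller's identity only decides whether the script may run at all
// ("execute" ACL = authenticated); what gets served is up to this code.

// Profile fields the script is allowed to expose. "picture" is the field
// used in the thread; the allow-list itself is an assumption.
const SERVABLE_FIELDS = new Set(["picture"]);

// Conservative patterns for logins and file names (assumed format; adapt
// to your own naming rules). Anything else is rejected.
const LOGIN_RE = /^[A-Za-z0-9._@-]{1,64}$/;
const FILE_NAME_RE = /^[A-Za-z0-9._-]{1,128}$/;

// Validate the request parameters and return the arguments that the
// privileged call (apsdb.serveUserFile in the thread) would receive.
// Throws on anything outside the allow-list.
function resolveUserFileRequest(params) {
  const login = params["login"];
  const fieldName = params["apsdb.fieldName"];
  const fileName = params["apsdb.fileName"];

  if (typeof login !== "string" || !LOGIN_RE.test(login)) {
    throw new Error("invalid or missing login");
  }
  if (typeof fieldName !== "string" || !SERVABLE_FIELDS.has(fieldName)) {
    throw new Error("field is not servable: " + String(fieldName));
  }
  if (typeof fileName !== "string" || !FILE_NAME_RE.test(fileName)) {
    throw new Error("invalid or missing file name");
  }
  return { status: 200, fieldName: fieldName, fileName: fileName, login: login };
}

// What the script body would look like. "serve" stands in for
// apsdb.serveUserFile so the logic can run outside Apstrata; it receives the
// same positional arguments the thread's script passes.
function serveUserFileChecked(params, serve) {
  let args;
  try {
    args = resolveUserFileRequest(params);
  } catch (e) {
    // Nothing reaches the privileged call on a rejected request.
    return { status: 400, error: e.message };
  }
  return serve(args.status, null, args.fieldName, args.fileName, null, args.login);
}

// Constructed stand-in for the file-serving API, for running stand-alone.
const fakeServe = (status, _headers, fieldName, fileName, _options, login) =>
  ({ status: status, served: login + "/" + fieldName + "/" + fileName });

// Constructed sample requests.
const okResult = serveUserFileChecked(
  { "login": "alice", "apsdb.fieldName": "picture", "apsdb.fileName": "avatar.png" },
  fakeServe);
const deniedResult = serveUserFileChecked(
  { "login": "alice", "apsdb.fieldName": "password", "apsdb.fileName": "x" },
  fakeServe);

console.log(okResult);      // { status: 200, served: 'alice/picture/avatar.png' }
console.log(deniedResult);  // { status: 400, error: 'field is not servable: password' }
```

    Keeping the field name hard-coded, as Karim's script does, is the simplest form of this check; the allow-list matters as soon as the field is taken from the request.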
  • Hi Karim,

    It was Case 1.

    I implemented serveUserFile in a script as you mentioned and it is working.

    Thank you

    Nour
  • Hi Karim

    If I want to write a Server Script that generates a Signed URL for a user file, as if I am writing:

    parameters.add(new BasicNameValuePair("apsdb.fileName", params[1]));
    parameters.add(new BasicNameValuePair("login", params[0]));
    parameters.add(new BasicNameValuePair("apsdb.fieldName", "image"));
    parameters.add(new BasicNameValuePair("apsdb.setContentDisposition", "true"));

    pictureURL = client.getSignedRequestUrl("GetFile", parameters, null, AuthMode.SIMPLE);

    This is in Java on the client side, which generates a URL without downloading the file. How can I do the same in a server script?

    Thank you

    Nour
  • Hi Nour,

    This is simple, you just need to use the getApiCall method:

    var params = {
      "apsdb.documentKey": "YourDocKey",
      "apsdb.fieldName": "YourField",
      "apsdb.fileName": "YourFile.png",
      "apsdb.store": "YourStore",
      "apsdb.setContentDisposition": "false" // important in order to not download the file
    };

    var method = "GET";
    var customerAuthKey = "YOUR_ACCOUNT_KEY";
    var action = "GetFile";
    var res = apsdb.getApiCall(serviceUrl, method, customerAuthKey, action, params, null, true, "SomeUser", "SomePassword");

    "res" will contain the following structure:

    {
      "query": "apsdb.fileName=YourFile.png&apsdb.setContentDisposition=false&apsdb.store=YourStore&apsdb.fieldName=YourField&apsdb.documentKey=YourDocKey&apsws.id=SomeUser&apsws.authMode=complex&apsws.authSig=1D2CE80B4040EFDBKF5314LF2C628D9754QABBCA&apsws.time=1444224380924"
    }

    Just add "baseUrl" to "query".

    Let me know if this works.

    Karim
  • Hi Karim,

    Thank you for the help, let me clarify something here.

    I need to get the image URL of the user issuing the request, which makes it possible to write the below, right?

    var params = {
      "login": "login",
      "apsdb.fieldName": "YourField",
      "apsdb.fileName": "YourFile.png",
      "apsdb.store": "YourStore",
      "apsdb.setContentDisposition": "false" // important in order to not download the file
    };

    pictureURL = client.getSignedRequestUrl("GetFile", parameters, null, AuthMode.SIMPLE);

    in Java here.

    I tried to write the below:

    var params = {
      "apsdb.login": login,
      "apsdb.fieldName": "image",
      "apsdb.fileName": "avatar.png",
      "apsdb.store": "DefaultStore",
      "apsdb.setContentDisposition": "false" // important in order to not download the file
    };

    var method = "GET";
    var customerAuthKey = "XXXXXX";
    var action = "GetFile";
    var res = apsdb.getApiCall(serviceUrl, method, customerAuthKey, action, params, null, true, "Myuser", "Mypass");

    I am getting:

    "status": "failure",
    "errorCode": "INVALID_USER",
    "errorDetail": "The user vvv@gmail.com is invalid."

    My question: could I get the URL for requesting the file of the same user (apsws.user=login), as we usually do when getting the profile image or file of the logged-in user from the users table?

    Thank you.
  • Hi Nour,

    If what you mean is that you do not have access to the user's password on the server side (which makes sense), then you can generate the URL yourself and generate a token for the user on the server side as follows:

    // generate a token for the user
    var tokenRequest = {
      "apsws.id": "YOUR_USER_LOGIN",
      "apsdb.tokenExpires": "20000", // in seconds
      "apsdb.tokenLifetime": "40000", // in seconds
      "apsdb.bindReferrer": "false",
      "apsdb.runAs": "YOUR_USER_LOGIN"
    };
    var res = apsdb.callApi("GenerateToken", tokenRequest, null);
    var token = res.result["apsdb.authToken"];

    /* create a signed GetFile request */

    // baseUrl goes in front of the account key (see the previous reply)
    var userId = "YOUR_USER_LOGIN";
    var accountKey = "YOUR_ACCOUNT_KEY";
    var signedUrl =
      accountKey +
      "/GetFile?apsws.id=" + encodeURIComponent(userId) + "&apsws.time=" + new Date().getTime() + "&";

    // Add the parameters (URL-encoded, so a file name containing a space or "&" does not break the query)
    var getFileParams = {
      "apsdb.documentKey": "YOUR_DOC_KEY",
      "apsdb.fieldName": "YOUR_FIELD_NAME",
      "apsdb.fileName": "YOUR_FILE_NAME",
      "apsdb.store": "YOUR_STORE",
      "apsdb.setContentDisposition": "false" // important in order to not download the file
    };

    for (var param in getFileParams) {
      signedUrl += param + "=" + encodeURIComponent(getFileParams[param]) + "&";
    }

    // add the token
    signedUrl = signedUrl + "apsws.authMode=token&apsdb.authToken=" + token;
    return signedUrl;

    Keep me posted,

    Karim
  • Hi again,

    In case the file you need a link to is in the user's profile, you just need to replace apsdb.documentKey with apsdb.id:

    var getFileParams = {
      "apsdb.id": "YOUR_USER_LOGIN",
      "apsdb.fieldName": "YOUR_FIELD_NAME",
      "apsdb.fileName": "YOUR_FILE_NAME",
      "apsdb.store": "YOUR_STORE",
      "apsdb.setContentDisposition": "false" // important in order to not download the file
    };

    Karim
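    The last three replies describe the same thing from different angles: a GetFile link is the base URL, the account key, the action, the file parameters (apsdb.documentKey for a document field, apsdb.id for a profile field) and the authentication parameters (here apsws.authMode=token with the token from GenerateToken). The following is an added example, not Apstrata's code and not from this thread, that assembles such a URL for either target with every key and value URL-encoded, and parses it back so the result can be inspected. The base URL, account key and token values are placeholders, and `buildQuery`/`parseQuery` are helpers written for this example; the token itself would come from the GenerateToken call shown in Karim's reply.

```javascript
// Added example (not Apstrata's code): assembling a token-authenticated GetFile
// URL for a document field (apsdb.documentKey) or a user-profile field (apsdb.id).

// Build a query string from a parameter object, encoding every key and value.
function buildQuery(params) {
  return Object.keys(params)
    .map(function (k) { return encodeURIComponent(k) + "=" + encodeURIComponent(params[k]); })
    .join("&");
}

// opts: baseUrl, accountKey, requesterId, now (ms), token, fieldName, fileName,
// store, and exactly one of documentKey / userLogin. All values are caller-supplied.
function buildTokenSignedGetFileUrl(opts) {
  var fileParams = {
    "apsdb.fieldName": opts.fieldName,
    "apsdb.fileName": opts.fileName,
    "apsdb.store": opts.store,
    "apsdb.setContentDisposition": "false" // a link, not a forced download
  };
  if (opts.documentKey) {
    fileParams["apsdb.documentKey"] = opts.documentKey; // file on a document
  } else if (opts.userLogin) {
    fileParams["apsdb.id"] = opts.userLogin;            // file on a user profile
  } else {
    throw new Error("either documentKey or userLogin is required");
  }
  // The token is a bearer credential: whoever holds the URL holds the access
  // it grants until apsdb.tokenExpires runs out.
  var authParams = {
    "apsws.id": opts.requesterId,
    "apsws.time": String(opts.now),
    "apsws.authMode": "token",
    "apsdb.authToken": opts.token
  };
  var base = String(opts.baseUrl).replace(/\/+$/, "");
  return base + "/" + encodeURIComponent(opts.accountKey) + "/GetFile?" +
    buildQuery(Object.assign({}, authParams, fileParams));
}

// Parse the query part of such a URL back into an object (decoding values),
// so a generated link can be checked before it is handed out.
function parseQuery(url) {
  var out = {};
  var query = url.split("?")[1] || "";
  query.split("&").forEach(function (pair) {
    if (!pair) { return; }
    var kv = pair.split("=");
    out[decodeURIComponent(kv[0])] = decodeURIComponent(kv[1] || "");
  });
  return out;
}

// Constructed sample: a profile picture link for the requesting user, with a
// file name that needs encoding. All identifiers below are placeholders.
var SAMPLE_URL = buildTokenSignedGetFileUrl({
  baseUrl: "https://example.invalid/apsdb/rest",
  accountKey: "ACCOUNT_KEY_PLACEHOLDER",
  requesterId: "nour@example.invalid",
  now: 1444224380924,
  token: "TOKEN_PLACEHOLDER",
  userLogin: "nour@example.invalid",
  fieldName: "image",
  fileName: "my avatar.png",
  store: "DefaultStore"
});

console.log(SAMPLE_URL);
console.log(parseQuery(SAMPLE_URL));
```

    The choice to encode each value is what the thread's hand-built loop lacks: a file name with a space or an "&" would otherwise split the query in the wrong place. Because the token rides in the URL, keep apsdb.tokenExpires as short as the use case allows; the link is exactly as sensitive as the token.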
