[Simple Reports With PDF] Roles & Permissions

  
Forge Component
(10)
Published on 2017-01-05 by Huarlem Lima
10 votes
Published on 2017-01-05 by Huarlem Lima

Hi Guys,

I've been having problems with the Roles and Permissions and was hoping someone knew something I didn't. 

It looks like having the Anonymous Role is mandatory for the PDF to be downloaded, is this true? My PDF works perfectly if I have the Anonymous Role selected in the Web Screen Details but if I want to make the PDFs more secure by deselecting the Anonymous Role I get the following error message when downloading the PDF.

I'm just trying to find a way that we can restrict which users can access certain PDFs. Also if someone knows a better way of removing input variables from a pages URL that would be great!

Thanks,

Oli

Hi Oliver,

It is true. The screen from which the pdf will be generated has be accessible to everybody. That's because the action to generate the pdf uses ans external tool to access that screen and generate the pdf.

The way to go around that is to, before calling the GeneratePdf, create a unique token in an entity on the database. Pass that token as input parameter of the url of the screen from which the pdf will be generated.

In the preparation of your screen check that the token exists in the database. If it doesn't exist raise an exception and the screen will not be rendered. If the token exists, then remove the token from the database (you should use it only once) and proceed to render the screen.

This is the general pattern for the generation of the pdf. But since you are using another component, you will not only have to change it according to the description above but also, since you want to show the screen in the browser and also generate a pdf from it, in the preparation, you will also have to check (programmatically) that the user has the correct role to see the screen.

Cheers,

José


Hi Jose,

Thank you for the speedy reply! I thought this was going to be the case so before you replied I had a few words with my colleague and we decided to change this area of our application. The current solution is a better fit for what we are trying to achieve and it tackles both the URL and the Roles & Permission issues we were having.

Thanks again, I hope this can help someone else down the line,

Oli