Hi!
I will try to explain my issue the best way I can. In our application we have a module containing all the PDF pages and we use the URL from where we need it. The pages are only for registered OutSystems users.
We use it to download PDFs but also to send a PDF as an attachment within an email.
Downloading works fine because when a user presses the download button the user is logged in and there is no issue with permissions.
My issue is with email attachements. Because Ultimate PDF is a little slow (which in itself is no problem), we have set up our emails to be send out asynchrounsly, through a timer. The timer action will use Ultimate PDF to get the attachement and then send out the email. However! The pages are not open to anonymous users, so whenever the timer tries to generate a pdf, it gets an error because the permissions aren't met. Is there a way that I can access the pages through the URL from there without opening the pages up for anonymous users?
Thank you in advance!
Hi Liesbeth,
You can workaround this by having a one-time usable token in the screen.
Your page would receive a token, and before you show anything or get any data, you see if the token is valid on the database, and if it is, you load the page and delete the token. Otherwise, you redirect to the invalid permissions screen or show an error message and don't load anything.
On the timer and on your app going to the PDF, you generate the token, save it on the database and use it as a parameter when going to the page.
This is the same strategy which is used for replacing a password, where the page needs to be anonymous but you want to make sure only that given user sees the page.
Kind Regards,João
Hi Liesbeth.
You can try to use the Login system action to change the user id inside of the timer, before generating the PDF.
After generating the PDF, you can logout to make sure no other action done in the timer is recorded against the user.
Let me know if that works.
Thank you both for your help!
I have first tried a login action in the timer but this does not seem to work.
I would like to try the one-time usable token. I've been doing some research (have found that it is indeed used for timers to access screens) but cannot figure out how to get started on this.
My apologies for this many questions.
Thank you,
Liesbeth
I'll try to answer your questions:
Dear João,
Thank you so much.
I have one more question, I promise this is the last one.
What would be the best approach to make sure I check the token before I fetch other data?
Can I do it in the OnInitialize action?
Maybe important to note that most of the data in the PDF is fetched in webblocks.
Thank you!
Ideally, server calls should be avoided on the OnInitialize, as they may delay the rendering of the page. However, given the nature of this call (security-related, quick and simple call, to check if the token exists and delete it if exists), I would also do it on the OnInitialize, as the impact is minimum (a light server call, and only tampers with the rendering of the PDF).