I've got a C#, Kendo MVC, Razor site. There's a Kendo grid where one of the cells has a hyperlink to a pdf file, like this:
<a href="http://example.com/Files/File123.pdf" target="_blank">File 123</a>
Clicking on the link opens a pdf in a new browser tab. The problem is, the URL is visible in the browser and can be changed to see another file. For example, the user could replace 123 with 456 and see File456.pdf. I need to do two things:
- Hide the filename in the URL when the pdf is opened.
- Hide the URL when the user hovers over the hyperlink.
Alternatively, I'd take a way to click the link (without the user seeing the URL) and download the file, but I think whether to download or view the file is browser specific.
I would just create an event to send the user back to the controller and handle the opening or download there, but the Kendo grid complicates that and this, as usual, needs to be changed right away. I'll take suggestions on how to manipulate the Kendo row to open a pdf, but I'm hoping there's a simple way to just hide the URL from the user.
2 solutions
#1
16
The problem is, the URL is visible in the browser and can be changed to see another file.
In my opinion the correct approach in this case would be not to pretend to hide something from the user, but rather know who your users are and implement authorization on your server. This means that if user A attempts to access file 123 that belongs to user B he gets denied. But if he attempts to access file 124 that belongs to him, then why care that he modified the url in the browser? After all user A accessed his own file. So instead of serving a static file directly, you could put those files into a folder that is not directly accessible and serve them through a controller action that will apply the necessary authorization logic (does the file that the user is trying to access actually belong to him before serving it?).
So my advice in this case for you would be to implement authorization on your server based on the resources that he is trying to access.
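A sketch of the controller action described in the answer above, added here as an example and not code from the answer's author. It assumes ASP.NET MVC 5 with the default `{controller}/{action}/{id}` route; `FileRecord`, `FileStore`, the `~/App_Data/Files/` folder and the sample user names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Hypothetical record: which user owns a file and its name on disk.
public class FileRecord
{
    public string OwnerUserName { get; set; }
    public string StoredFileName { get; set; }
}

// Hypothetical in-memory lookup with constructed sample data;
// a real site would query its own database here.
public static class FileStore
{
    private static readonly Dictionary<int, FileRecord> Records = new Dictionary<int, FileRecord>
    {
        { 123, new FileRecord { OwnerUserName = "userB", StoredFileName = "File123.pdf" } },
        { 124, new FileRecord { OwnerUserName = "userA", StoredFileName = "File124.pdf" } }
    };

    public static FileRecord Find(int id)
    {
        FileRecord record;
        return Records.TryGetValue(id, out record) ? record : null;
    }
}

[Authorize] // anonymous requests never reach the action
public class FilesController : Controller
{
    // GET /Files/Download/123
    public ActionResult Download(int id)
    {
        FileRecord record = FileStore.Find(id);
        if (record == null)
            return HttpNotFound();

        // The check that matters: editing the id in the URL is harmless
        // unless the signed-in user owns the requested file.
        if (!string.Equals(record.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        // The path comes from the server-side record, never from request input,
        // and ASP.NET does not serve App_Data as static content.
        string path = Server.MapPath("~/App_Data/Files/" + record.StoredFileName);
        return File(path, "application/pdf");
    }
}
```

With this in place the grid link points at `/Files/Download/123` instead of the static file, and a request for an id owned by another user returns 403 regardless of what is typed in the address bar.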
#2
-1
If you handle the redirection in JS I think it won't show the url. For example
<p onclick="redirect('http://example.com/Files/File123.pdf')">Click here for PDF</p>
<script>
function redirect(link)
{
window.location = link;
}
</script>