Way to handle security issue

[Tod]

Pardon my newbieness. (And try not to laugh to hard.)

I have a intranet site that allows users to log in and get excel
reports. The user clicks the name of the report and it opens it from a
folder for that user. Easy enough. The problem is that the path of the
folder for that user is displayed in the Status Bar when it is being
downloaded. I've discovered that users are grabing that path, changing
the folder name, and can then access other folders. I don't want that
to happen. (You can already tell I'm new at this, can't ya')

My first idea was to hide or alter the URL. Not a good idea it seems.
My next idea was to grant access at the folder level. But there are
several dozen folders. That would be an admin nightmare.

Somebody more knowledgable that I must know how to do this.

tod

 

[kaeli]

My next idea was to grant access at the folder level. But there are
several dozen folders. That would be an admin nightmare.

Yes, but it's generally the way it's done for file sharing.
Put all the folders they should access in one folder and grant to that one.
What do you care if they nevigate folders they're already allowed to view by
typing in a URL?

Somebody more knowledgable that I must know how to do this.

You could stream the file from a server-side process.
The URL would be the URL for the server-side script. The script would take a
filename as a param, then stream it to the user. Standard file download stuff
instead of linking to a file.
Requires server-side scripting, though, such as java servlets or .net.

--
--
~kaeli~
Why do they lock gas station bathrooms? Are they afraid
someone will clean them?
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace