We have some PDFs that can be viewed by users. Rather than simply providing them with a link to the URL of the document, we would like some way to first check that they have permissions to view that PDF (by cross-referencing the PDF ref with the user ID in a database), then if they do have permissions to view it, return the PDF output to the page. Also, we don't want them to simply be able to guess the URL of other PDFs and be able to view them. Therefore, can somebody please confirm, and provide more code instead of the comments below:
Dim sDocRef As String
Dim bAccess As Boolean
Dim sDocLocation As String
sDocRef = Request.QueryString("DocRef")
' Query the database to check they have access to this file.
' Do SQL stuff.
If myRS("Access") = 1 Then
    ' Query the database to return the real location of the PDF
    ' Do SQL Stuff
    sDocLocation = myRS("Location")
    ' Set the content type of the page to be a PDF *****
    ' Read the contents of the PDF *****
    ' Output the contents of the PDF to the page *****
Else
    ' No access: send the user to the permission-denied page
    Response.Redirect("permission_denied.aspx")
End If
I.e. by going to "view_pdf?DocRef=12345" they are presented with the PDF in that same window [assuming they have permissions].
Can somebody please provide the code where the comment has ***** at the end of it.
Any other bits of code in there would be helpful, e.g. check the PDF exists, etc. Are there any issues with this method?
Any help much appreciated.
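
An added example, not part of the original post: one way to carry out the steps marked ***** in the question as a VB.NET generic handler that checks access before streaming the file. The table names (Documents, DocumentAccess), the connection string name "Docs", the storage folder and the use of the logged-in user name as the user ID are assumptions; it also assumes ASP.NET authentication is enabled so that `context.User` is populated.

```vbnet
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.IO
Imports System.Web

' Added example: generic handler (.ashx) that serves a PDF only after an access check.
Public Class ViewPdfHandler
    Implements IHttpHandler
    ' Assumption: PDFs are stored outside the web root, so no direct URL to them exists.
    Private Const StorageRoot As String = "D:\SecureDocs\"

    Public Sub ProcessRequest(context As HttpContext) Implements IHttpHandler.ProcessRequest
        Dim docRef As Integer, location As Object = Nothing
        If context.User.Identity.IsAuthenticated AndAlso
           Integer.TryParse(context.Request.QueryString("DocRef"), docRef) Then
            ' One parameterised query answers "may this user view it" and "where is it".
            Using conn As New SqlConnection(ConfigurationManager.ConnectionStrings("Docs").ConnectionString)
                Using cmd As New SqlCommand(
                    "SELECT d.Location FROM Documents d JOIN DocumentAccess a " &
                    "ON a.DocRef = d.DocRef WHERE d.DocRef = @ref AND a.UserId = @user", conn)
                    cmd.Parameters.AddWithValue("@ref", docRef)
                    cmd.Parameters.AddWithValue("@user", context.User.Identity.Name)
                    conn.Open()
                    location = cmd.ExecuteScalar() ' Nothing when no matching row
                End Using
            End Using
        End If
        ' Resolve the stored relative path; it must stay inside the storage root.
        Dim fullPath As String = Nothing
        If TypeOf location Is String Then
            fullPath = Path.GetFullPath(Path.Combine(StorageRoot, CStr(location)))
        End If
        If fullPath Is Nothing OrElse
           Not fullPath.StartsWith(StorageRoot, StringComparison.OrdinalIgnoreCase) OrElse
           Not File.Exists(fullPath) Then
            ' Same response for "no access" and "no such document", so DocRefs cannot be probed.
            context.Response.Redirect("permission_denied.aspx", False)
            Return
        End If
        context.Response.ContentType = "application/pdf"
        context.Response.AddHeader("Content-Disposition", "inline; filename=document.pdf")
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache)
        context.Response.TransmitFile(fullPath) ' streams the file without buffering it in memory
    End Sub

    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return False
        End Get
    End Property
End Class
```

Because the access check and the location lookup happen in the same query on every request, guessing another DocRef value yields the permission-denied page rather than the file.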