Id: 17987
Product: finPOWER Connect
Type: NEW
Version: 3.04.00
Opened: 30/03/2021
Closed: 31/03/2021
Released: 30/06/2021
Job: J026257
Portals; A method of allowing file downloads for another Account from Web Services
When a Client is signed in to a Client-based Portal, many security checks should be made or, in many cases, are made automatically.
One of these checks is that when running under Web Services, a Client cannot execute any Account-based services that relate to Accounts that they are not a Client of. E.g., the Client cannot run an Application Shortcut to download a document from an Account which is not their own.
There may be situations where it is desirable to allow a Client to download an Account document from an Account which they do not own, e.g., in the case of an Investor Portal, investment documents may be held on a central Account.
To allow this functionality, a new finBL.HtmlWidgetUtilities.EncryptId method has been added.
If an Account Id is encrypted as part of an Application Shortcut, the file can be downloaded regardless of whether the Account belongs to the Client. Because this encryption can only be performed by server-side code (i.e., the Script Code), the Application Shortcut URL cannot be tampered with to simply download a document from any Account.
The following example creates an Application Shortcut that encrypts the Account Id.
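' Encrypt the Account Id server-side so the shortcut can reference an Account the Client is not a Client of
ApplicationShortcut = finBL.CreateApplicationShortcutDocumentManagerFile("Account", DocumentFile.FileNameWithCategoryAndExtension, finBL.HtmlWidgetUtilities.EncryptId(Account.AccountId))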
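
The authorization rule described above, as an added Python illustration that is not finPOWER Connect code: a plain Account Id is subject to the ownership check, while an Id sealed by server-side code skips it and an altered sealed value is refused. HMAC-SHA256 stands in for EncryptId, whose implementation this page does not describe; `seal_id`, `open_id`, `authorize_download`, the `s1.` prefix and the sample Ids are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed; held only by server-side code
SEALED_PREFIX = "s1."                  # hypothetical marker for a sealed Id
TAG_LEN = 32                           # HMAC-SHA256 output size


def seal_id(account_id, key=SERVER_KEY):
    """Server-side only: bind an Account Id to a MAC so the URL value cannot be altered."""
    payload = account_id.encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return SEALED_PREFIX + base64.urlsafe_b64encode(tag + payload).decode()


def open_id(value, key=SERVER_KEY):
    """Return the Account Id from a sealed value, or None if it was not minted with key."""
    try:
        raw = base64.urlsafe_b64decode(value[len(SEALED_PREFIX):].encode())
    except ValueError:                 # binascii.Error is a ValueError subclass
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not payload or not hmac.compare_digest(tag, expected):
        return None
    return payload.decode()


def authorize_download(client_account_ids, id_param):
    """Decide which Account a download request may read; None means refuse."""
    if id_param.startswith(SEALED_PREFIX):
        # Only server-side code could have produced a valid sealed Id,
        # so the ownership check is deliberately skipped for it.
        return open_id(id_param)
    # Plain Id: the Client must be a Client of that Account.
    return id_param if id_param in client_account_ids else None
```

In this sketch the sealed value is bound only to the Account Id, so the script should seal an Id only for Accounts whose documents the signed-in Client is meant to see.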