Can I share a file with others without compromising my app's security?


António Ramos

Oct 20, 2017, 4:23:38 AM
to web...@googlegroups.com
Hello, in my app I need to share files with some clients that don't have access to my app.

I will send a link directly to the file in the database that only the destination can see.
For example, I will send to customer A a link like


Is this safe?
Does this link compromise the app in any way?


Regards
António

Bernhard Radermacher

Oct 21, 2017, 4:08:36 AM
to web2py-users
I subscribe to "obscurity is no security". That means that the security of your app should not depend in ANY way on 'cryptic' URLs (exception might be a one-time generated URL, and even that is questionable). 

If you set up your app to check for authorization, permission, membership, then there should be no problem. A definite answer is not possible without a full review.

I suspect that the link you posted is not checking for any authorization. If that is a file that you would publish on your freely accessible website, that would be OK; otherwise, just the fact that the URL is accessible without any login/authorization would raise concerns about the security of your app.

I hope that makes sense to you.
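
The checks named in the reply above (authorization, permission, membership), together with the one-time URL case it mentions as a possible exception, as an added example; this is not code from the thread or from web2py. The file name, user names and function names are hypothetical, and the sample data is constructed.

```python
import hashlib
import secrets
import time

# Constructed sample data: which logged-in users may read each file.
FILE_ACL = {"invoice-42.pdf": {"alice"}}
# sha256(token) -> grant. Only the hash is stored, so a leaked table
# does not reveal usable links.
SHARES = {}

def create_share(file_id, recipient, ttl=3600, now=None):
    """Issue a one-time, expiring token bound to one file and one recipient."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    SHARES[digest] = {"file": file_id, "to": recipient,
                      "expires": now + ttl, "used": False}
    return token  # sent to the recipient as part of the link

def authorize_download(file_id, user=None, token=None, now=None):
    """Return (allowed, reason). The URL alone never grants access."""
    now = time.time() if now is None else now
    if user is not None:
        # Logged-in path: per-file permission check.
        ok = user in FILE_ACL.get(file_id, set())
        return ok, "acl" if ok else "user lacks permission"
    if token is None:
        return False, "login or share token required"
    grant = SHARES.get(hashlib.sha256(token.encode()).hexdigest())
    if grant is None:
        return False, "unknown token"
    if grant["file"] != file_id:
        return False, "token not valid for this file"
    if grant["used"]:
        return False, "token already used"
    if now > grant["expires"]:
        return False, "token expired"
    grant["used"] = True  # one-time: a forwarded or logged link is dead
    return True, "share:" + grant["to"]
```

The reason string doubles as an audit-log field, so each download can be traced to a user or to the recipient a share was issued for.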

