cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Setting permissions on only download of files in FileRepository

SOLVED
Highlighted
Gravel

Setting permissions on only download of files in FileRepository

Hello,

 

I have a FileRepository Thing "myTestRepositorywhere I would like to limit the permissions for a group of users to only downloading files for which they get the link. I would NOT like to give them permissions on ALL the services on "myTestRepository" Thing - to ensure they cannot add/delete/modifiy files in the repository (e.g. thru REST calls using a REST client like Postman) or read the contents of other Folders...

The downloadLink could be returned by a custom service "getFileDownloadLink" as a HYPERLINK, just as it is returned by the built-in service GetFileListingWithLinks of the FileRepository ThingTemplate. The service GetFileListingWithLinks could be allowed to execute by giving ServiceExecute permissions to the System User, so that the downloadLink can be returned when GetFileListingWithLinks is called from the getFileDownloadLink Service - which is the only service I would like to allow ServiceExecute runtime permissions to my group of users.

But what I notice is that downloading a file by using a link like "http://mythingworxserver.local/Thingworx/FileRepositories/myTestRepository/folder/myfile.txt" in a browser only works if I give my group of users ServiceExecute permissons on ALL Services of myTestRepository Thing.

And that is something I find not so secure.

Any suggestions on how to deal with this ?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Setting permissions on only download of files in FileRepository

For troubleshooting:

 

In the ErrorLog.log I could see the following exception when it wasn't working:

 

[message: Not authorized for ServiceInvoke on GetFileListing in myTestRepository] com.thingworx.common.exceptions.InvalidRequestException: Not authorized for ServiceInvoke on GetFileListing in myTestRepository

 

After adjusting the permissions for this service, the download worked.

3 REPLIES 3

Re: Setting permissions on only download of files in FileRepository

Hi @TomDecock

I did some tests on my system and have a myTestRepository with a myfile.txt in it.

With the following steps I can download the file as a certain user.

 

  • Create an organization for my user abc
  • Set Visibility for myTestRepository Thing to the organization
  • Set Design Time permissions to Read for my user - so he can actually see the Thing
  • Set Run Time permissions to disallow everything - or do not set any permissions at all
    • Override the GetFileListing service - allow execution for the abc user

Then opening https://<myhostname>/Thingworx/FileRepositories/myTestRepository/myfile.txt will result in the user having to login and is able to download the file from the repository.

 

In this case, only the GetFileListing service is necessary - not the GetFileListingWithLinks

 

Does this work for you?

 

Cheers,

Michael

Re: Setting permissions on only download of files in FileRepository

For troubleshooting:

 

In the ErrorLog.log I could see the following exception when it wasn't working:

 

[message: Not authorized for ServiceInvoke on GetFileListing in myTestRepository] com.thingworx.common.exceptions.InvalidRequestException: Not authorized for ServiceInvoke on GetFileListing in myTestRepository

 

After adjusting the permissions for this service, the download worked.

Re: Setting permissions on only download of files in FileRepository

Hi @TomDecock.

 

If one of the previous responses answered your questions, please mark the appropriate one as the Accepted Solution for the benefit of others with similar questions.

 

Regards.

 

--Sharon