Community Tip - You can change your system assigned username to something more personal in your community settings. X
Hello,
I have a FileRepository Thing "myTestRepository" where I would like to limit the permissions for a group of users to only downloading files for which they get the link. I would NOT like to give them permissions on ALL the services on "myTestRepository" Thing - to ensure they cannot add/delete/modifiy files in the repository (e.g. thru REST calls using a REST client like Postman) or read the contents of other Folders...
The downloadLink could be returned by a custom service "getFileDownloadLink" as a HYPERLINK, just as it is returned by the built-in service GetFileListingWithLinks of the FileRepository ThingTemplate. The service GetFileListingWithLinks could be allowed to execute by giving ServiceExecute permissions to the System User, so that the downloadLink can be returned when GetFileListingWithLinks is called from the getFileDownloadLink Service - which is the only service I would like to allow ServiceExecute runtime permissions to my group of users.
But what I notice is that downloading a file by using a link like "http://mythingworxserver.local/Thingworx/FileRepositories/myTestRepository/folder/myfile.txt" in a browser only works if I give my group of users ServiceExecute permissons on ALL Services of myTestRepository Thing.
And that is something I find not so secure.
Any suggestions on how to deal with this ?
Solved! Go to Solution.
For troubleshooting:
In the ErrorLog.log I could see the following exception when it wasn't working:
[message: Not authorized for ServiceInvoke on GetFileListing in myTestRepository] com.thingworx.common.exceptions.InvalidRequestException: Not authorized for ServiceInvoke on GetFileListing in myTestRepository
After adjusting the permissions for this service, the download worked.
Hi @TomDecock
I did some tests on my system and have a myTestRepository with a myfile.txt in it.
With the following steps I can download the file as a certain user.
Then opening https://<myhostname>/Thingworx/FileRepositories/myTestRepository/myfile.txt will result in the user having to login and is able to download the file from the repository.
In this case, only the GetFileListing service is necessary - not the GetFileListingWithLinks
Does this work for you?
Cheers,
Michael
For troubleshooting:
In the ErrorLog.log I could see the following exception when it wasn't working:
[message: Not authorized for ServiceInvoke on GetFileListing in myTestRepository] com.thingworx.common.exceptions.InvalidRequestException: Not authorized for ServiceInvoke on GetFileListing in myTestRepository
After adjusting the permissions for this service, the download worked.
Hi @TomDecock.
If one of the previous responses answered your questions, please mark the appropriate one as the Accepted Solution for the benefit of others with similar questions.
Regards.
--Sharon