Disable serving other pages

[Gordon Holfelder]

Hi All-

I am assuming that this can be done, but I'm not sure where to trap this; I know that the Nettalk server automatically serves up any files that are in the web folder. I'd like to keep this functionality, but only allow this to occur when the user is logged in. Should I add code to the _SendFile method in the web handler? How do I cause a 404 error if the user is not logged in? Is this the correct place?

Thanks in advance,
Gordon

[Bruce]

Hi Gordon,

You need to be a tad careful here. Consider that the .js and .css files are inside the web folder (well at least a sub directory of the web folder) and are static, but are certainly required _before_ the user logs in (so they can, um, get to the login page <g>).

That said, restricting static files to logged in users is possible - there are two approaches;

a) the easiest is to put restricted files in the \web\loggedin folder.
Files in this folder can only be served to people who are loggged it.

[aside: there's also a \web\secure folder for files that can only be served over SSL. Surprisingly there isn't a folder though for "must be logged in AND SSL" but if your server only does SSL anyway, then the \web\loggedin folder is sufficient ]

[aside: these are default names, \web\loggedin and \web\secure, and can be changed - there are properties in the class for them, but unless there's a _really_ good reason to change the name there isn't much point in doing so. ]

b) The more complicated approach allows you to inspect each request, and make some sort of decision as to whether it's ok or not to serve it. You can code this into the WebHandler, ProcessGet method, before the parent call. If you choose _not_ to allow the file then set the property self.DontSendFile = true.
Typically you'd also do a self.SendError as well. So, for example;

  if self.GetSessionLoggedIn() = 0 and instring('\mypage.htm',lower(self.RequestFileName),1,1)
    self.SendError(401, 'Not Logged In', 'You need to Log In before you can view that page')
    self.DontSendFile = true
  end

As mentioned earlier you probably don't want to filter out _all_ static files, but you could exclude all files not in say the scripts, styles, or images folders. Something like this;

  if self.GetSessionLoggedIn() = 0
    if Instring('\scripts\',lower(self.RequestFileName),1,1) or |
      Instring('\styles\',lower(self.RequestFileName),1,1) or |
      Instring('\images\',lower(self.RequestFileName),1,1)
    else
      self.SendError(401, 'Not Logged In', 'You need to Log In before you can view that page')
      self.DontSendFile = true
    end
  end

Cheers
Bruce

[Gordon Holfelder]

Thanks Bruce, That's what I was looking for.
Gordon