IDAutomation  
#1 Posted : Wednesday, September 2, 2020 10:42:47 AM(UTC)
IDAutomation

Rank: Member

Groups: Authorized User, Developers
Joined: 11/13/2018(UTC)
Posts: 23

Thanks: 16 times
Was thanked: 1 time(s) in 1 post(s)
We are having to revisit this issue as we are losing resellers because they are unable to generate a download link to send to their clients without needing a login. The old store AC7 used to do this but not the new one. The resellers are not allowed to download the zip files to their computers to send to their clients, so we need to be able to have this feature reenabled. Any ideas?


Naveed Ashraf  
#2 Posted : Tuesday, September 8, 2020 2:33:09 AM(UTC)
Naveed Ashraf

Rank: Advanced Member

Groups: Admin, Administrators, Developers, Registered, HelpDesk, Authorized User
Joined: 7/31/2019(UTC)
Posts: 77

Was thanked: 8 time(s) in 8 post(s)
Hi,

I am going to look into AC7 and will reply to you after that.

Thanks.
Thanks for your support!
Naveed Ashraf
Ablecommerce.com
Developer Assistance Available
Naveed Ashraf  
#4 Posted : Tuesday, September 8, 2020 9:28:49 AM(UTC)
Naveed Ashraf

Rank: Advanced Member

Groups: Admin, Administrators, Developers, Registered, HelpDesk, Authorized User
Joined: 7/31/2019(UTC)
Posts: 77

Was thanked: 8 time(s) in 8 post(s)
Hi,

I checked the AC7 implementation and figured that a login is always required to download the digital goods. I am not sure but I think it might be a custom feature?

If you want to generate some custom download link for distribution (without requiring an account login), there is no out-of-the-box way in AC9.


Thanks,

Edited by moderator Thursday, September 10, 2020 3:51:13 PM(UTC)  | Reason: remove conflicting statement

Thanks for your support!
Naveed Ashraf
Ablecommerce.com
Developer Assistance Available
IDAutomation  
#5 Posted : Tuesday, September 8, 2020 9:45:13 AM(UTC)
IDAutomation

Rank: Member

Groups: Authorized User, Developers
Joined: 11/13/2018(UTC)
Posts: 23

Thanks: 16 times
Was thanked: 1 time(s) in 1 post(s)
I'm not aware of it being custom, but it would appear on the final receipt as you can see on the screenshot below:

UserPostedImage
Naveed Ashraf  
#6 Posted : Tuesday, September 8, 2020 9:51:35 AM(UTC)
Naveed Ashraf

Rank: Advanced Member

Groups: Admin, Administrators, Developers, Registered, HelpDesk, Authorized User
Joined: 7/31/2019(UTC)
Posts: 77

Was thanked: 8 time(s) in 8 post(s)
It's not the custom link, it's the default download link.

What version of AC7 were you using? I tested it with AC707 but it required a login to access this.

Actually, without security (login or some security token), anyone can guess your links and download your digital goods without actually purchasing those.

Thanks,

Thanks for your support!
Naveed Ashraf
Ablecommerce.com
Developer Assistance Available
IDAutomation  
#7 Posted : Tuesday, September 8, 2020 10:02:25 AM(UTC)
IDAutomation

Rank: Member

Groups: Authorized User, Developers
Joined: 11/13/2018(UTC)
Posts: 23

Thanks: 16 times
Was thanked: 1 time(s) in 1 post(s)
7.0.0 we were really "old school" til now...
Naveed Ashraf  
#8 Posted : Tuesday, September 8, 2020 11:22:15 AM(UTC)
Naveed Ashraf

Rank: Advanced Member

Groups: Admin, Administrators, Developers, Registered, HelpDesk, Authorized User
Joined: 7/31/2019(UTC)
Posts: 77

Was thanked: 8 time(s) in 8 post(s)
7.0.0 is really old, and allowing access to downloads without any security is not a recommended approach, so it was fixed in later versions.

Though I do not recommend that, I can point you to the related code blocks and you can disable the authorization checks:

Code file: /Code/DownloadHandler.cs

We are validating the user access at two locations in the above file:


Line # 43

Code:
    if (hasAccess)
    {
        DownloadHelper.SendFileDataToClient(context, digitalGood);
    }
    else Response.Write("You are not authorized to download the requested file.");

Line # 67

Code:
    if (AbleContext.Current.UserId == order.User.Id)
    {
        ....
        ....
        ....
    }
    else
    {
        Response.Write("You are not authorized to download the requested file.");
    }



You can disable these checks and recompile the website project. After that, your order digital-goods downloads will be accessible to everyone who has a link.

Thanks.

Thanks for your support!
Naveed Ashraf
Ablecommerce.com
Developer Assistance Available
IDAutomation  
#9 Posted : Tuesday, September 8, 2020 11:27:28 AM(UTC)
IDAutomation

Rank: Member

Groups: Authorized User, Developers
Joined: 11/13/2018(UTC)
Posts: 23

Thanks: 16 times
Was thanked: 1 time(s) in 1 post(s)
Thank you, I understand that it's not the best plan security-wise, but we need a workaround for our resellers.
Naveed Ashraf  
#10 Posted : Tuesday, September 8, 2020 12:46:23 PM(UTC)
Naveed Ashraf

Rank: Advanced Member

Groups: Admin, Administrators, Developers, Registered, HelpDesk, Authorized User
Joined: 7/31/2019(UTC)
Posts: 77

Was thanked: 8 time(s) in 8 post(s)
A better approach is to use a security token in the URL query string.

The security token may contain information about the order id and user id the digital good is associated with, in some encrypted format. The token information can be used for validation while downloading. This way it will not require a login, but it will not be possible to guess the digital good URLs only by changing the id value.

Thanks.
Thanks for your support!
Naveed Ashraf
Ablecommerce.com
Developer Assistance Available
IDAutomation  
#11 Posted : Tuesday, September 8, 2020 5:47:37 PM(UTC)
IDAutomation

Rank: Member

Groups: Authorized User, Developers
Joined: 11/13/2018(UTC)
Posts: 23

Thanks: 16 times
Was thanked: 1 time(s) in 1 post(s)
How would we do that? My skills with Visual Studio and coding are beginner at best.
Naveed Ashraf  
#12 Posted : Thursday, September 10, 2020 8:58:04 AM(UTC)
Naveed Ashraf

Rank: Advanced Member

Groups: Admin, Administrators, Developers, Registered, HelpDesk, Authorized User
Joined: 7/31/2019(UTC)
Posts: 77

Was thanked: 8 time(s) in 8 post(s)
Hi,

Here is a simple approach:

When generating a link for we should calculate a security token, based on "digital good id + order id + user id" information, and encrypt the data. This security token can be appended to the download URL, for example:

https://www.teststore.com/download.ashx?Id=233&token=DF343JLJ343JL==

Now, at the download page, we can authenticate that the URL is valid by recalculating the security token for the digital good and comparing it with the provided token. If the token matches, it means the URL is valid, as it contains correct information about the order id and user id. So allow the download, otherwise deny the access.

I suggest getting developer assistance to implement it. It may take a couple of hours.

Thanks.
Thanks for your support!
Naveed Ashraf
Ablecommerce.com
Developer Assistance Available
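
One way to implement the token check described in post #12, added here as an example; it is not AbleCommerce code and not part of any post. It signs the three ids with HMAC-SHA256 instead of encrypting them, since the handler only needs the token to be unforgeable. The class and method names, the sample ids, and the assumption that the download handler looks up the order id and user id for the requested digital good from the store's own records are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example with hypothetical names; the key is a server-side secret
// that never appears in the URL or in anything sent to the client.
public static class DownloadToken
{
    // Canonical message: the three ids from the post, fixed order, delimited
    // so that (23, 3, 1) and (2, 33, 1) cannot produce the same input.
    private static byte[] Message(int digitalGoodId, int orderId, int userId)
    {
        return Encoding.UTF8.GetBytes(digitalGoodId + "|" + orderId + "|" + userId);
    }

    // Called when the download link is generated (receipt page, e-mail).
    public static string Create(byte[] key, int digitalGoodId, int orderId, int userId)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Message(digitalGoodId, orderId, userId));
            // URL-safe base64 so the token needs no escaping in the query string.
            return Convert.ToBase64String(mac).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    // Called by the download handler: recompute from server-side data, then compare.
    public static bool Verify(byte[] key, string token, int digitalGoodId, int orderId, int userId)
    {
        if (string.IsNullOrEmpty(token)) return false;
        byte[] expected = Encoding.ASCII.GetBytes(Create(key, digitalGoodId, orderId, userId));
        byte[] supplied = Encoding.ASCII.GetBytes(token);
        // Constant-time comparison: no early exit at the first differing byte.
        int diff = expected.Length ^ supplied.Length;
        for (int i = 0; i < expected.Length && i < supplied.Length; i++)
            diff |= expected[i] ^ supplied[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key); // demo key only
        string token = Create(key, 233, 1001, 42);              // constructed sample ids
        Console.WriteLine(Verify(key, token, 233, 1001, 42));   // link as issued
        Console.WriteLine(Verify(key, token, 234, 1001, 42));   // Id changed in the URL
    }
}
```

A token built this way never expires; adding an expiry timestamp to both the signed message and the URL limits how long a forwarded link stays usable.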