Displaying PDFs Securely

I’m trying to achieve two related things.
For context, I’m using the cloned example from here in my own app:

  1. Extending from the above, what’s a good way to authenticate so that only the authorised user can see their own files? It looks like it’s just a URL that any client can read, so there’s nothing stopping one from randomly typing filenames in the browser until something hits and they can read another user’s files.

I’ve temporarily worked around this right now by adding a UUID to the file, so that the URL is matched only to the UUID. Not foolproof, but more improbable. Any more secure examples to extend from the above code?

  2. I want to upload a new file using the FileLoader - and I haven’t committed the changes to the database yet. In this un-uploaded, client-side state, how can I show the preview of the recently-uploaded file? Given the above example, it looks like a URL is needed? Is there a way to do this with unsaved files in the FileLoader? Or perhaps there’s a whole different way to achieve the above without the use of URLs?

Worked examples in a clone-able workspace are much appreciated, if possible!

If you generate the UUID at download time, then it becomes impractical for anyone to get it by accident or brute force. The link is valid only for that one download, and only inside that browser session. As soon as you remove the link from the page (which should also occur on user logout), the link is useless.
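
The approach in the reply above (a link minted at download time, usable once and only inside the session that requested it), as an added example that is not part of the original posts and is not Anvil's API. `DownloadLinks`, its method names and the `owners` mapping are hypothetical, and the in-memory dict stands in for server-side session storage.

```python
import secrets
import time


class DownloadLinks:
    """One-time download tokens bound to a session and a file (hypothetical helper)."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._tokens = {}  # token -> (session_id, file_id, expires_at)

    def issue(self, session_id, user, file_id, owners):
        # Authorise first: a token is only minted for the file's owner,
        # so guessing filenames never yields a link to someone else's file.
        if owners.get(file_id) != user:
            raise PermissionError("not the owner of this file")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = (session_id, file_id, self._clock() + self._ttl)
        return token

    def redeem(self, session_id, token):
        # pop() makes the token single-use, even when the checks below fail.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        bound_session, file_id, expires_at = entry
        if bound_session != session_id or self._clock() > expires_at:
            return None
        return file_id

    def revoke_session(self, session_id):
        # Call on logout: drops every outstanding link for that session.
        stale = [t for t, e in self._tokens.items() if e[0] == session_id]
        for t in stale:
            del self._tokens[t]
        return len(stale)


if __name__ == "__main__":
    owners = {"report.pdf": "alice"}  # constructed sample data
    links = DownloadLinks()
    token = links.issue("session-1", "alice", "report.pdf", owners)
    print(links.redeem("session-1", token))  # first use returns the file id
    print(links.redeem("session-1", token))  # second use is rejected
```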

For 1, the brute-force is impractical indeed. Haven’t looked into making it not persist after the session yet. Will need to think on this a little…

I’ve found a solution for 2, pasting here for posterity:

```python
import anvil.media

def file_loader_change(self, file, **event_args):
    # The temporary URL is only valid inside this with block
    with anvil.media.TempUrl(file) as url:
        print(url)
```

Not entirely related to OP’s issue, but why does the viewer not display page controls when viewing on a mobile device?

When opened on an iPhone, only the first page of a PDF is displayed with no option to switch pages.