UtterAccess.com
Followhyperlink - Need To Run As A Specific User, Access 2016
 
   
chilladsi
post May 23 2019, 03:40 AM
Post#1



Posts: 14
Joined: 10-May 18



Our app is integrated with our email archiver (GFI) so we can display emails that we have sent / received to / from our customers.

We read the SQL db that sits behind the email archiver directly, and as part of that it exposes a list of file attachments that are related to a message. The email archiver allows you to access the attachments by way of a common local URL which takes some parameters to specify the attachment in question - e.g. : http://server/Archiver/attachment.aspx?connectionId=[DatabaseID]&ID=[MessageID]&aid=[X]

So currently we access this by using Application.FollowHyperlink to that URL which works OK.

However the email archiver security model means that the link will only actually work if a user has access to another user's mailbox - we don't want to allow everyone to see everyone else's mailbox obviously, so the plan was to create a master pseudo user which does have access to all, and try and use that user to access the URL. We already control programmatically which emails are visible in our app so there should be no cross over into personal emails.

So the question - is there a way to make the FollowHyperlink call or Shell out or something similar to open the URL, but effectively "Run as...." this specific pseudo user?

Thanks.
 
gemmathehusky
post May 23 2019, 06:59 AM
Post#2


UtterAccess VIP
Posts: 4,693
Joined: 5-June 07
From: UK


Would it matter if a user was able to open an attachment, without being able to read the email? Would a user be able to identify the attachment he wanted without seeing the email first?

In passing, others have noted that environ("username") is not a safe way of determining a user's identity, as this can be spoofed - so maybe it's possible to do this via that environ setting.
Alternatively, if you need to do this regularly, maybe the file privileges on some attachment files/folders could be set as less severe than others.

--------------------
Dave (Male)

(Gemma was my dog)
 
chilladsi
post May 23 2019, 11:32 AM
Post#3



Posts: 14
Joined: 10-May 18



The security is internal to the email archiving software (although based on current user / AD) - the attachments aren't exposed as actual files, only via the URL.

The users access their own archives via that software's interface - if we gave each user access to all others when they went in there they would see everyone else's emails including personal / sensitive ones.

In our app we query out the details of the relevant emails / attachments via the archive's SQL db, this includes the URL.

When we follow the URL it just assumes the logged-in user's identity and does the check to see if they are allowed to view the attachments.

So if we can assume the identity of a different user when following the URL it should work (as long as we set that user up to view all).



 
gemmathehusky
post May 23 2019, 12:20 PM
Post#4


UtterAccess VIP
Posts: 4,693
Joined: 5-June 07
From: UK


Well, maybe "spoofing" the environ("username") setting would work. Maybe someone can explain how for testing purposes.

--------------------
Dave (Male)

(Gemma was my dog)
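On the Environ("username") point raised in posts #2 and #4: the environment variable is a per-process string, separate from the Windows logon account that post #3 says the archiver checks ("current user / AD"). The module below is an added example, not code from any poster; it reads the account name from the OS with the advapi32 call GetUserNameW and compares it with the environment variable, so an Access app that filters which emails are visible can base that check on the OS value. The function names OsUserName, EnvUserNameMatchesToken and CurrentUserForAccessCheck are hypothetical.

```vba
Option Compare Database
Option Explicit

' Added example (not from the thread). GetUserNameW is a real advapi32 export;
' the public function names in this module are hypothetical.
#If VBA7 Then
    Private Declare PtrSafe Function GetUserNameW Lib "advapi32.dll" _
        (ByVal lpBuffer As LongPtr, ByRef pcbBuffer As Long) As Long
#Else
    Private Declare Function GetUserNameW Lib "advapi32.dll" _
        (ByVal lpBuffer As Long, ByRef pcbBuffer As Long) As Long
#End If

Private Const UNLEN As Long = 256   ' maximum user name length (lmcons.h)

' Returns the account name Windows associates with the current thread, or "" on failure.
Public Function OsUserName() As String
    Dim buf As String
    Dim size As Long
    size = UNLEN + 1                          ' in characters, including the terminator
    buf = String$(size, vbNullChar)
    If GetUserNameW(StrPtr(buf), size) <> 0 Then
        OsUserName = Left$(buf, size - 1)     ' size now counts the trailing null
    End If
End Function

' True only when the USERNAME environment variable agrees with the OS value.
Public Function EnvUserNameMatchesToken() As Boolean
    Dim fromOs As String
    fromOs = OsUserName()
    If Len(fromOs) = 0 Then Exit Function     ' fail closed: returns False
    EnvUserNameMatchesToken = _
        (StrComp(Environ$("USERNAME"), fromOs, vbTextCompare) = 0)
End Function

' Use this in the app's own visibility check instead of Environ("username").
Public Function CurrentUserForAccessCheck() As String
    If Not EnvUserNameMatchesToken() Then
        ' A mismatch means the variable was changed for this process; log it.
        Debug.Print "USERNAME variable differs from logon account: "; Environ$("USERNAME")
    End If
    CurrentUserForAccessCheck = OsUserName()
End Function
```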