https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282300#M235430 <HTML><HEAD></HEAD><BODY><SPAN>Hello,</SPAN><BR /><BR /><SPAN>if you don't want tools like IDM to be able to offer download to those types of restricted users, you must completely remove any potential URL reference to the actual document download from the page. This also includes disabling the PDF / document previewer which internally "downloads" fragments of the document for display and uses an URL reference that would allow full download. IDM very likely picks up this URL and provides the download option based up on that.</SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><SPAN>Axel</SPAN></BODY></HTML> Thu, 28 Jan 2016 09:07:36 GMT afaust 2016-01-28T09:07:36Z https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282299#M235429 Hello every body,I made an alfresco 5.0.d new installation in windows server 2012 R2, i revoked the download action for site consumers, but for those who have IDM (internet download Manager installed in their browser), the browser promt for download the pdf file even if there is no download button.C Wed, 27 Jan 2016 17:09:02 GMT https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282299#M235429 samirastucia 2016-01-27T17:09:02Z https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282300#M235430 <HTML><HEAD></HEAD><BODY><SPAN>Hello,</SPAN><BR /><BR /><SPAN>if you don't want tools like IDM to be able to offer download to those types of restricted users, you must completely remove any potential URL reference to the actual document download from the page. This also includes disabling the PDF / document previewer which internally "downloads" fragments of the document for display and uses an URL reference that would allow full download. IDM very likely picks up this URL and provides the download option based up on that.</SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><SPAN>Axel</SPAN></BODY></HTML> Thu, 28 Jan 2016 09:07:36 GMT https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282300#M235430 afaust 2016-01-28T09:07:36Z https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282301#M235431 <HTML><HEAD></HEAD><BODY><SPAN>Thank you Axel for your reply,</SPAN><BR /><BR /><SPAN>What if we use a SWF previwer instead of the pdfjs ?</SPAN></BODY></HTML> Thu, 28 Jan 2016 15:41:42 GMT https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282301#M235431 samirastucia 2016-01-28T15:41:42Z https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282302#M235432 <HTML><HEAD></HEAD><BODY><SPAN>The SWF previewer would likely still result in IDM providing a download option, but the downloaded file will be a reduced quality rendition of the original document.</SPAN><BR /><BR /><SPAN>Technically, as long as you expose any previewer capability, IDM is likely to provide something to download. Even if that is only a rendition, the URL provided can be manipulated by users to still download the original document. Everything you are doing to restrict the ability of download is only UI focussed. Technically, if a user has READ access to a document inside Alfresco and is somehow able to piece together the URL to it, they can download it (the URLs aren't that complex either).</SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><SPAN>Axel</SPAN></BODY></HTML> Thu, 28 Jan 2016 16:54:58 GMT https://connect.hyland.com/t5/alfresco-archive/5-0-d-security-issue-with-internet-download-manager/m-p/282302#M235432 afaust 2016-01-28T16:54:58Z