Developer forum


Restricted access to RequestExternalPDF

Adrian Ursu (Dynamicweb Employee)

Hi guys,

I have a situation where we are using integration to allow access to PDF invoices.

But we have noticed that the access to: /Admin/public/CustomerCenter/RequestExternalPdf.aspx does not seem to be restricted.

Am I missing a setting here?

Thank you,
Adrian


Replies

 
Nicolai Pedersen

Everything in /admin/public is not restricted.

 
Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,

I was sure this was the default implementation of this functionality. We have set it up based on Rapido.
What can we change in order to make this call restricted? I don't think it is OK to allow anybody to make a call to request an invoice.

Is there any best practice for setting up this whole communication?

Thank you,
Adrian

 
Nicolai Pedersen

Restricted how and for whom? I think you need to do something custom.

 
Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,
This is a call from CustomerCenter integration when displaying the details of a document from NAV.
It is the standard implementation of the module, or at least the code that is shipped with DW.

I don't think it is a safe way of handling the request to NAV documents. The call to request a document should not be allowed for anonymous users.

NAV should make another check on the NAV side in order to ensure they serve the document for the right customer. But that's another story.

Would you agree with the above?

How do you usually do this kind of implementation on projects that need to load documents from NAV?

Thank you,

Adrian

 

 

 
Nicolai Pedersen

Well, RequestExternalPdf.aspx can only return PDFs belonging to the user currently logged into the Dynamicweb frontend, at least if you are using liveintegration.dll, so I am not sure I understand what you mean...
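The two checks the thread converges on (reject anonymous callers, and only serve a document that belongs to the logged-in customer) can be sketched as a plain ASP.NET handler. This is an added example and not Dynamicweb's RequestExternalPdf.aspx or any of its integration code: the `IInvoiceStore` and `ICustomerResolver` interfaces are hypothetical stand-ins for the NAV/LiveIntegration lookup, and the query-string names `id`, `type` and `forceDownload` are taken from the URL shape shown in the thread.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical: asks the ERP side for "invoice X of customer Y" in one call, so an id that
// exists but belongs to another customer comes back as null (the ownership check lives here).
public interface IInvoiceStore
{
    byte[] GetInvoiceForCustomer(string customerNumber, string invoiceId);
}

// Hypothetical: maps the authenticated frontend user to the ERP customer number it may act for.
// The customer is derived from the session, never from a request parameter.
public interface ICustomerResolver
{
    string CustomerNumberFor(string userName);
}

public class InvoicePdfHandler : IHttpHandler
{
    // Only allow ids made of safe characters; keeps them out of headers and back-end queries as-is.
    private static readonly Regex SafeId = new Regex("^[A-Za-z0-9_-]{1,64}$", RegexOptions.Compiled);

    private readonly IInvoiceStore _store;
    private readonly ICustomerResolver _resolver;

    // Wire this up through an IHttpHandlerFactory (or your DI container); ASP.NET itself
    // only instantiates handlers with a parameterless constructor.
    public InvoicePdfHandler(IInvoiceStore store, ICustomerResolver resolver)
    {
        _store = store ?? throw new ArgumentNullException(nameof(store));
        _resolver = resolver ?? throw new ArgumentNullException(nameof(resolver));
    }

    public bool IsReusable => false;

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // 1. Anonymous callers are refused before any data is touched.
        if (context.User?.Identity == null || !context.User.Identity.IsAuthenticated)
        {
            response.StatusCode = 401;
            return;
        }

        // 2. Validate the requested id and type before using them anywhere.
        string invoiceId = context.Request.QueryString["id"];
        string type = context.Request.QueryString["type"];
        if (invoiceId == null || !SafeId.IsMatch(invoiceId) || !string.Equals(type, "Invoice", StringComparison.Ordinal))
        {
            response.StatusCode = 400;
            return;
        }

        // 3. The customer comes from the authenticated identity, and the store is asked for
        //    the invoice scoped to that customer; "not found" and "not yours" look identical.
        string customerNumber = _resolver.CustomerNumberFor(context.User.Identity.Name);
        byte[] pdf = customerNumber == null ? null : _store.GetInvoiceForCustomer(customerNumber, invoiceId);
        if (pdf == null)
        {
            response.StatusCode = 404;
            return;
        }

        // 4. Serve the document; the filename is built from the validated id only.
        response.ContentType = "application/pdf";
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        bool forceDownload = string.Equals(context.Request.QueryString["forceDownload"], "true", StringComparison.OrdinalIgnoreCase);
        response.AddHeader("Content-Disposition", (forceDownload ? "attachment" : "inline") + "; filename=\"" + invoiceId + ".pdf\"");
        response.BinaryWrite(pdf);
    }
}
```

The point of step 3 is the one Adrian raises about NAV: the back-end call carries the customer as well as the document id, so the server-side lookup cannot return a document the session does not own, regardless of which id the client supplies.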

 
Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,

I am using LiveIntegration.dll.

Can you try this link, please?

https://dynamicweb.ces.nt.ro/Admin/public/CustomerCenter/RequestExternalPdf.aspx?type=Invoice&id=CES00000160&forceDownload=true

I have tried it in incognito mode and I could safely download the invoice of that customer.

Which is something that should not happen in my view.

Please let me know.

Thank you,

Adrian

 
Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,

Did you have a chance to look into it? It seems pretty sensitive to me.

Thank you,

Adrian

 
Dmitriy Benyuk (Dynamicweb Employee)

Hi Adrian,
It will be fixed in TFS #71644.
Best regards, Dmitrij

 
Adrian Ursu (Dynamicweb Employee)

Hi Dmitrij,

Thank you very much for the confirmation.

Adrian

 
