Providing access to web application via unique link

Some web applications need to provide quick access to certain pages or documents. For instance, you can share a file via such a link, or send your customer a link to an invoice to be paid, like the one on the screenshot below.

Let's see how you can implement this kind of link in your own project. The key is to add a new text field to the table with invoices or documents. This field will store a long unique record identifier that would take a long time to guess. For practical reasons, this can be a varchar(100) text field. In our example, this field will be named hash.

Here is a sample URL that provides access to a single invoice:

invoices_view.php?hash=4f92e96540bc661ffaf9e63245342c486ca9e19

This is a two-step process. First, when we create a new record, we also need to populate the hash field with some unique value. And second, when someone opens a link like this, we

1. Populate hash field

In the BeforeAdd event, you can use code like this:

PHP:

$values["hash"] = generatePassword(50);

C#:

values["hash"] = CommonFunctions.generatePassword(50);

There are many ways to generate a long random string. We use Runner's built-in generatePassword() function, but you can use any other method.

2. Process hash value when someone opens the link

In our example, we provide access to the View page, so the code below goes into the View page: BeforeProcess event. Make sure to use the correct table and field names, such as invoices and id.

PHP:

// hash is required for the GUEST user
if ( Security::isGuest() && !postvalue("hash") )
{
	echo "the hash number is required";
	exit();
}

if ( postvalue("hash") )
{
	// look up the invoice by its hash value
	$data = array();
	$data["hash"] = postvalue("hash");
	$rs = DB::Select("invoices", $data );
	$record = $rs->fetchAssoc();

	if( !$record )
	{
		echo "The hash number is incorrect";
		exit();
	}

	// point the View page at the record that matches the hash
	$keys = array();
	$keys["id"] = $record["id"];
	$pageObject->setKeys( $keys );
}

C#:

if((XVar)(Security.isGuest())  && (XVar)(!(XVar)(MVCFunctions.postvalue(new XVar("hash")))))
{
	MVCFunctions.Echo("the hash number is required");
	MVCFunctions.ob_flush();
	HttpContext.Current.Response.End();
	throw new RunnerInlineOutputException();
}
if(XVar.Pack(MVCFunctions.postvalue(new XVar("hash"))))
{
	data.InitAndSetArrayItem(MVCFunctions.postvalue(new XVar("hash")), "hash");
	rs = XVar.Clone(DB.Select(new XVar("invoices"), (XVar)(data)));
	record = XVar.Clone(rs.fetchAssoc());
	if(XVar.Pack(!(XVar)(record)))
	{
		MVCFunctions.Echo("The hash number is incorrect");
		MVCFunctions.ob_flush();
		HttpContext.Current.Response.End();
		throw new RunnerInlineOutputException();
	}
	keys = XVar.Clone(XVar.Array());
	keys.InitAndSetArrayItem(record["id"], "id");
	pageObject.setKeys((XVar)(keys));
}
return null;

3. View page permissions for GUEST users

Make sure that the GUEST account has access to the invoice View page. This can be done via Static or Dynamic User Group Permissions.

That is it. You can now send your users links to individual invoices that they can access without logging in.
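
As an added example (not code from this tutorial or from Runner), here is one way to do steps 1 and 2 in plain PHP with a different generator, which the tutorial allows: the token comes from random_bytes(), and the incoming hash value is format-checked before any lookup. It goes one step beyond the tutorial by storing only a SHA-256 digest of the token, so a copy of the table does not yield working links. issueLink(), resolveLink() and the in-memory $table array standing in for the invoices table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. issueLink(), resolveLink() and $table are hypothetical names,
// not Runner API; $table is a constructed stand-in for the invoices table.

const TOKEN_BYTES = 32; // 256 random bits; 64 hex characters fit varchar(100)

/** Create a link token for an invoice and store only its SHA-256 digest. */
function issueLink(array &$table, int $invoiceId): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES)); // random_bytes() reads the OS CSPRNG
    $table[hash('sha256', $token)] = $invoiceId; // digest is what the hash column holds
    return $token;                               // raw token appears only in the URL
}

/** Map a ?hash= value to an invoice id, or null when malformed or unknown. */
function resolveLink(array $table, $value): ?int
{
    // Reject arrays (?hash[]=x), wrong lengths and non-hex input before any lookup.
    if (!is_string($value) || preg_match('/\A[0-9a-f]{64}\z/', $value) !== 1) {
        return null;
    }
    return $table[hash('sha256', $value)] ?? null;
}

// Constructed sample run covering the cases a View page has to handle.
$table = [];
$token = issueLink($table, 1042);
echo 'invoices_view.php?hash=', $token, PHP_EOL;

var_dump(resolveLink($table, $token) === 1042);                  // issued link resolves
var_dump(resolveLink($table, str_repeat('0', 64)) === null);     // well-formed, unknown
var_dump(resolveLink($table, ['x']) === null);                   // array parameter
var_dump(resolveLink($table, array_key_first($table)) === null); // leaked digest is not a token
```

In a Runner project, the digest would be the value written to the hash field in BeforeAdd, and the View page would hash the incoming parameter before passing it to DB::Select().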
