SuffolkLITLab / docassemble-MAVirtualCourt

Project which currently holds code for the Doc Assembly Line project, including dependencies for actual interviews.

TRO (maybe all): Can't open PDF link when not logged in/not in same browser session #147

Closed plocket closed 4 years ago

plocket commented 4 years ago

Survey result on row 48

Report type: I'd like to describe a test case.


Bug

Question Answer
Question
Actions
Expected
Actual
Feedback

Confusion feedback

Question Answer
Question
Confusion
Feedback

Something else

Uncategorized Feedback:


Test report

Question Answer
Link to spreadsheet: https://docs.google.com/spreadsheets/d/1C-2czKc8hCYuIYZwFmqLrZbxmVKtI44he0y_Fd7PNVA/edit#gid=0
Test id Housing TRO, Case 3 - Interview row: 40
Tester @MelanieRush
Input Right click, click save as, save the pdf
Expected The pdf should save
Actual Using my iPhone, the PDF did generate. But when I tried to email the PDF to myself, it sent me this link (https://apps-dev.suffolklitlab.org/uploadedfile/2778/Housing_TRO.pdf) that led to a page that said "File not found." I was similarly unable to text the PDF to myself, because it generated the same link. When I tried to click the save as PDF button on my phone and when I tried to save the PDF to my iCloud account, a blank white PDF was saved.

I had to download Adobe Acrobat for my iPhone in order to download and examine the PDF, and then it finally worked.
Link | Pic https://drive.google.com/open?id=1EV4Fb6a-j2QPeMFgtRNkHbGpAQyIGPWa
Notes The document I uploaded was what was saved to my iCloud account.

Error message


Thank you!

nonprofittechy commented 4 years ago

I think this is the issue: https://docassemble.org/docs/documents.html#permissions

I've never run into this before. I have no problem opening up the link you sent me because I'm logged in as an administrator. You should have no problem opening it up in the same browser that you used to create the attachment. The problem is opening it up from a different browser/not logged in. If I try to open it in incognito mode, I get the same error you received.

I think this behavior is probably correct. It would be easy for someone to guess that link, and it would not be safe if people tried to download, e.g., the confidential information page by generating 4 sequential numbers.

We need to figure out how we want to handle this. We could turn off file permissions so anyone with the link can view it, but I don't think that's safe. We could recommend people log in to a session, or we could recommend they use the email link on the screen, not emailing themselves a link to the PDF using the iPhone's browser method of opening the PDF.

Can we confirm that:

  1. You can open the PDF if you're logged in to an account on the Docassemble server when you create the PDF or immediately afterwards. Let's try the phone login.
  2. If you put your email into the input at the bottom of the screen, you receive an email with the file as an attachment, and you can save/open that normally.

nonprofittechy commented 4 years ago

It occurs to me that we could also make the filename more unique by adding a GUID of some kind to it, but that would make the download file slightly less friendly. It could add enough security to make it safe though.
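
An added illustration (not part of the thread and not docassemble's own code) of the two options weighed in the comments above: keeping the sequential file number in the link but tying access to the creating session, versus adding a random token to the link. The class, method and session names are hypothetical, and the sample file and sessions are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class StoredFile:
    number: int          # sequential id, as in /uploadedfile/<number>/<name>
    filename: str
    owner_session: str   # session that generated the document
    # 32 random bytes: not guessable by counting, unlike `number`
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class FileStore:
    def __init__(self):
        self._files = {}
        self._next = 1

    def add(self, filename, owner_session):
        f = StoredFile(self._next, filename, owner_session)
        self._files[f.number] = f
        self._next += 1
        return f

    def fetch_by_session(self, number, session_id, is_admin=False):
        """Option A: guessable number in the URL, access tied to session or admin."""
        f = self._files.get(number)
        if f is None:
            return None
        owner = session_id is not None and hmac.compare_digest(
            session_id, f.owner_session)
        # Missing and forbidden both return None, so the response
        # ("File not found") does not reveal which numbers exist.
        return f.filename if (is_admin or owner) else None

    def fetch_by_token(self, number, token):
        """Option B: anyone holding the random token may fetch the file."""
        f = self._files.get(number)
        if f is None or not hmac.compare_digest(token, f.token):
            return None
        # The link is now a bearer credential: it works in any browser,
        # including for anyone it is forwarded to or logged by.
        return f.filename


if __name__ == "__main__":
    store = FileStore()
    doc = store.add("Housing_TRO.pdf", "sess-A")             # constructed sample
    print(store.fetch_by_session(doc.number, "sess-A"))      # creating session
    print(store.fetch_by_session(doc.number, None))          # emailed link, no session
    print(store.fetch_by_token(doc.number, doc.token))       # tokenised link
```

Option A reproduces the behaviour reported in this issue: the emailed link fails outside the creating session. Option B trades that for a link that must itself be kept secret.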

nonprofittechy commented 4 years ago

One suggestion is to add text that says "If you have problems downloading this file, use the send to email link below to send yourself the form".

plocket commented 4 years ago

Working on getting a reproduction of the issue, but it currently looks like it might have to do with the OS version.

nonprofittechy commented 4 years ago

I don't think this can be considered a showstopper yet--let's please reproduce it first!

colarusso commented 4 years ago

I agree with @nonprofittechy, I couldn't reproduce on my iPhone. My guess is that it may have to do with the iOS change to how it saves files a few versions back. That being said, if this is the issue, the workaround @nonprofittechy suggests should do the trick. See https://github.com/SuffolkLITLab/docassemble-MAVirtualCourt/issues/147#issuecomment-625247416

plocket commented 4 years ago

Two more reports of similar behavior, but without many details.

For the first: "When I tried to save the document using safari I got a blank pdf"

For the second, the browser used was Chrome, but there were no more details.

Trying to get further information.

plocket commented 4 years ago

The problem with Safari happened when the link to the interview was clicked in Slack. Whether that was the cause or not is unclear.

nonprofittechy commented 4 years ago

Anonymous links do not work. This is a security measure.

I'd really need to understand a real use case that justifies disabling it. It sounds like this is an artifact of the test.

On Sun, May 10, 2020, 8:27 AM plocket notifications@github.com wrote:

The problem with Safari happened when the link to the interview was clicked in Slack. Whether that was the cause or not is unclear.


nonprofittechy commented 4 years ago

This keeps getting re-opened, but now I think I have a little more clarity that it's because we distributed links with &reset=1 embedded, which made it easy for people to delete an existing session.