possibility for an anonymous user with a pin number to open the site

Hello!

This is just my beginnings with the Mendix platform but I would like to ask you about a certain thing. As part of the platform I am developing, I would like to introduce some functionality. Scenario: a user uploads content (images, videos, content, etc.) to the platform as part of a specific task. The user then needs to make these files available for viewing to an anonymous user (client) who could see this content without having an account on the platform, based on a specific link.

For example, a client under the link www.myplatform.com/f23nr29ff32 would have access to files that relate to this specific project so that he or she could view them and, for example, leave a comment accordingly.

However, this content should not be available before acceptance to other anonymous people (not connected with the project) simply having a link (eventually this content will be published on other platforms such as Instagram, and therefore on my platform it should only be seen and evaluated/accepted), so the client should be verified somehow.

I thought the best way to verify would be a 'login page' after following a specific link, where this non-logged-in user has to enter their email address and PIN. The link (or actually part of the link, in my example 'f23nr29ff32'), email address and PIN should be entered into the system by the platform user (logged in, of course) who shares this content with the client.

What is the best way to solve this so that the customer does not have to create an account on the platform every time, but at the same time a person who does not have this specific information (e-mail, PIN) cannot see the page?

Of course, access to the page should be provided for every logged-in user (employee).

I would be very grateful for any ideas you may have!

1 answer

Hi Lukasz,


There is a Deeplink module (https://marketplace.mendix.com/link/component/43) that allows you to generate the link. The link together with a PIN (and encryption/decryption) can be used to link that link to a PIN. But, if not logged in to the system as a user, you cannot add Microflow logic to prevent Anonymous users from downloading any file that is allowed to be read by Anonymous users. Of course, this requires some skills and knowledge of the system, but you cannot prevent it if you build it like this.


You could create a cryptosystem that stores the files encrypted and, in a Nanoflow, uses the PIN/secret to decrypt them. It can be done with the modules in the Marketplace, like “Community Commons”. Or create a Java Action using Apache Commons Crypto. In that way, anonymous users can download encrypted files, but it will be useless to try to read them without the PIN/secret. But this makes the system store files multiple times if you need the file in multiple projects.


If you create a large table that can be used as a lookup table from PIN to Secret, and use some part of the PIN to identify the project, you could make it store each file only once and reuse it in multiple projects. This is less secure than the previous option, but will keep the file safe from disclosure without knowing your way of doing it (security by obscurity). Your way of doing it must be made available in a Microflow or Nanoflow, and these Flows you should not expose to a button. Thinking of it, this is a challenge. Maybe it can be decoupled using a Task Queue, but I need to think a little longer on this concept (and build an example myself).


If you have the option to license the App, you would have all the functions to make it very secure, by giving files the context of a logged-in user and his/her relation to projects etcetera.


DM me if you want to discuss this in an online session.


Go Make it.
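
The encrypted-storage idea from the answer above, as an added example (not part of the answer and not Mendix or Marketplace code): it uses the JDK's `javax.crypto` in place of Apache Commons Crypto, with PBKDF2 and AES-GCM as assumed algorithm choices. The class name, blob layout, iteration count, e-mail and PIN are assumptions made for illustration; the link token is the one from the question.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Locale;

public class PinFileCrypto { // hypothetical class, not Mendix or Marketplace code
    static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    static final int ITERATIONS = 600_000; // assumed PBKDF2 work factor; a short PIN needs a slow KDF
    // Key = PBKDF2(link token + e-mail + PIN, salt), so one PIN gives a different key per share.
    static SecretKeySpec deriveKey(String token, String email, String pin, byte[] salt) throws GeneralSecurityException {
        char[] secret = (token + "\n" + email.toLowerCase(Locale.ROOT) + "\n" + pin).toCharArray();
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return new SecretKeySpec(kdf.generateSecret(new PBEKeySpec(secret, salt, ITERATIONS, 256)).getEncoded(), "AES");
    }
    // Stored blob layout: salt || iv || ciphertext with GCM tag.
    static byte[] encrypt(String token, String email, String pin, byte[] plain) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(token, email, pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }
    // Throws AEADBadTagException if the PIN, e-mail or token is wrong, or the blob was modified.
    static byte[] decrypt(String token, String email, String pin, byte[] blob) throws GeneralSecurityException {
        int head = SALT_LEN + IV_LEN;
        if (blob.length < head + TAG_BITS / 8) throw new GeneralSecurityException("blob too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(token, email, pin, Arrays.copyOf(blob, SALT_LEN)),
                new GCMParameterSpec(TAG_BITS, blob, SALT_LEN, IV_LEN));
        return c.doFinal(blob, head, blob.length - head);
    }
    public static void main(String[] args) throws Exception {
        byte[] file = "constructed sample file bytes".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt("f23nr29ff32", "client@example.com", "482913", file); // constructed e-mail and PIN
        System.out.println(Arrays.equals(file, decrypt("f23nr29ff32", "client@example.com", "482913", blob)));
        try {
            decrypt("f23nr29ff32", "client@example.com", "000000", blob);
        } catch (AEADBadTagException e) {
            System.out.println("wrong PIN rejected");
        }
    }
}
```

Because anonymous users can download the encrypted blob, a short numeric PIN can be guessed offline whatever the iteration count, so a longer shared secret is what gives this scheme its strength.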