Closed (fixed)
Project: Ubercart Marketplace
Version: 5.x-1.x-dev
Component: Code
Priority: Normal
Category: Support request
Assigned: Unassigned
Reporter:
Created: 2 Jul 2008 at 02:41 UTC
Updated: 8 Jul 2011 at 06:50 UTC
Comments
Comment #1
Turgrid commented
Thanks TC44... I really appreciate your efforts in looking into Ubercart Marketplace.
You are indeed correct regarding seller file downloads. Unfortunately, product features (such as downloads) in Ubercart lack the permissions necessary to allow sellers to manipulate them. The current state of uploading files to be sold requires using the file manager in the administer store section of Ubercart or an ftp transfer utility. Seller access to either of these methods would be unsafe.
With that said, this is the primary feature on my TODO list. I have begun brainstorming this feature extensively. If you have advice on an implementation or an idea of how you would want this functionality to look, please let me know. I would definitely like to see this feature included in Ubercart Marketplace.
If you are unaware, I believe the best workaround at the moment is to allow sellers to attach a file to the product nodes (using the Drupal upload module) and then manually attaching the download as a product feature upon submission by seller.
Thanks and feel free to ask more questions or comment.
Comment #2
TC44 commented
Hi Turgrid,
Great, just wanted to get clarification on that.
Yes, allowing them to attach the file was the method I was going to use. I think this may actually be better (and certainly safer) in the sense that it allows for site owner screening and verification of the files anyway, so I think it's a good workaround without too much hassle.
I'll let you know how it goes. Your timing in bringing this out was perfect for my situation.
Cheers
Comment #3
torgospizza
I am onboard with this as well. Matter of fact, I'm looking into integrating some of my work with a custom module for Marketplace. The main thing is, we expect our Customers' products to include large files (anywhere from 10 MB to 300 MB) and using the normal File Attachment method might prove problematic for such cases. As a result I'm integrating SWFUpload into our custom Upload form (which until now had been integrated into a custom tab in My Account).
I'll keep a watchful eye on the changes here, and let me know what you envision for the current File Downloads management. I agree that the permissions are lacking for such fine-grained product creation; you'll see that I have posted a couple topics on Ubercart.org regarding this very issue. Hopefully that's something that can be resolved in the core modules going forward :)
Comment #4
Turgrid commented
That's great to hear torgosPizza!
I coded together a working file download system for sellers in BETA1. As it is based on the filefield module, it won't have the power of your system, but it is a work in progress / suggestion.
It needs to be configured in store configuration -> seller settings. It is built on the idea that marketplace stores will use some sort of moderation system such as modr8 and revision moderation combo, although it does support inserting file downloads directly into product feature. If moderation is used, the admin can simply go to product page and check "commit to product feature" that appears next to filefield and submit product form and mp_file will automatically handle moving the file to the appropriate directory and creating feature and then deleting the file from files directory for security purposes.
I am really not sure how I envision a file download management system. Other than this simple approach, I lack strong ideas.
I look forward to your ideas/contributions and your thoughts on this. Thanks for your testing so far.
Comment #5
torgospizza
Just got to testing this - I don't think the current solution will work. Well, let me rephrase - the implementation of filefield is good. I just think that the location of the files should be in a more secure location than just /files. Since that folder is viewable to the public, it wouldn't take much to have a user just going in and grabbing all the files that he knows are in there without having to pay for them.
So I'd suggest another config system, perhaps one that piggybacks on the uc_file.module's usage - you could even use those params as a starting point. The "customer products" folder could be one within the specified download folder, allowing the admin to keep everything in one place. That way you can potentially still leverage the uc_file system of assigning files to products, as well as the mechanism for downloading files.
If this doesn't make sense let me know and I can extrapolate further.
Comment #6
Turgrid commented
I think I know what you mean and agree that that would perhaps be a stronger approach.
I think, however, that my current implementation could be made (and is) reasonably secure. I had this in mind as I built it. Here is what I was thinking: create a subdirectory in /files directory named something long and random. Tell filefield to use that subdirectory. Because of the measures I took to hide the url where the file is stored, users will never know what directory to look in for other products' files. Notice that, for the admin, the url appears in the filefield form. When an admin is not logged in, it is hidden. Also, because the file is deleted once the admin approves the product (or it is automatically approved if that setting is chosen), the file would only be present for a short period.
While this may be potentially hackable (in extreme cases), I am not sure I have the time to dig into your solution (although it is a great suggestion). If I get time, I will look into it and see what I can do. I may have questions at that point as to the implementation you had in mind. Thanks for testing and your ideas.
Comment #7
torgospizza
Hello -
Unfortunately, even creating a long, random folder name would not really deter someone who wanted to gain access. (Granted this is more of a "team effort" of leeching, much less a variation on 'hacking' the system.)
User A buys product Y, for $10.
User A can then post the file download location to their favorite file-sharing message board.
Users B, C, D, and E all download that file from the location User A posted, because there is no protection - since the files folder is viewable to all.
The only way to avoid this in this same case, would be to create a rules table the same way uc_file.module has done - something along the lines of uc_file_users, where it keeps track of the IP addresses involved, and restricts the user to a certain number of downloads, etc.
To be honest I think much of the uc_file.module can actually be leveraged in this case. It's something I could look into for you and possibly contribute some code for. The beauty is that the hard work is already done, we just need to leverage it for your module. This includes a) the "addition" of files to the products, b) the "granting or denying access" system, and the final "download / stream the file to the browser" method. This would be the easiest way to go if you want to provide a secure method of allowing users access to the Marketplace downloadable products.
I've got some experience in tinkering with that file downloads module, so I'd be more than glad to lend a hand.
Comment #8
Turgrid commented
Thanks for the offer to help.
I think I may have explained my mp_file contribution wrongly...your example case would not work with my system. The filefield module and mp_file are used to "hold" the file temporarily until an admin checks the "commit file to product feature" checkbox on the filefield form and presses submit. The file is then copied from the /files/longrandomname directory to the file downloads directory as specified by uc_file setting. The file is then deleted from /files/longrandomname directory and can no longer be accessed from the product edit form (as a filefield). At this point the download is in every way a "regular" product feature file download, protected by uc_file. When a purchase is made, the download will be in the directory chosen and masked by uc_file, as normal. No user will ever know the /files/longrandomname directory even exists. I hope I explained this properly and didn't miss an aspect of security in my module or explanation. If needed, see attached annotated screenshot.
If this is still not quite what you are looking for, I would be grateful if you would contribute. Thanks for your efforts and thoughts.
By the way, thanks for submitting finer-grained permission patches to Ubercart core...I hope to get around to sending some of my own advice on permissions to core for next version that will assist with Marketplace.
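The flow discussed in comments #5 through #8, sketched as an added example (not code from Ubercart, uc_file or mp_file): an upload is staged in the public directory, moved to a private directory on commit, and released only after a per-user grant check with download-count and IP limits. The class, its method names and the limits are hypothetical; the sample file and addresses are constructed.

```python
import os
import secrets
import shutil
import tempfile

class DownloadStore:
    """Hypothetical model of the staging/commit/grant flow; not uc_file's API."""
    def __init__(self, public_dir, private_dir, max_downloads=3, max_ips=2):
        self.public_dir, self.private_dir = public_dir, private_dir
        self.max_downloads, self.max_ips = max_downloads, max_ips
        self.files, self.grants = {}, {}  # file_id -> path; (user, file_id) -> usage

    def commit(self, staged_name):
        """Admin approval: move the upload out of the web-served directory."""
        src = os.path.realpath(os.path.join(self.public_dir, staged_name))
        if os.path.dirname(src) != os.path.realpath(self.public_dir):
            raise ValueError("not a file in the staging directory")
        file_id = secrets.token_hex(8)
        dst = os.path.join(self.private_dir, file_id)
        shutil.move(src, dst)  # nothing stays under the web root
        self.files[file_id] = dst
        return file_id

    def grant(self, user, file_id):  # called when a purchase completes
        self.grants[(user, file_id)] = {"count": 0, "ips": set()}

    def authorize(self, user, file_id, ip):
        """Return the private path if this request may download, else None."""
        g = self.grants.get((user, file_id))
        if g is None or g["count"] >= self.max_downloads:
            return None  # no purchase on record, or download limit reached
        if ip not in g["ips"] and len(g["ips"]) >= self.max_ips:
            return None  # link is being used from too many addresses
        g["ips"].add(ip)
        g["count"] += 1
        return self.files[file_id]

def demo():
    """Constructed scenario: userA buys, then the link is passed around."""
    public, private = tempfile.mkdtemp(), tempfile.mkdtemp()
    open(os.path.join(public, "album.zip"), "wb").close()  # constructed sample file
    store = DownloadStore(public, private, max_downloads=2, max_ips=1)
    fid = store.commit("album.zip")
    store.grant("userA", fid)
    requests = [("userA", "198.51.100.7"), ("userB", "203.0.113.9"),
                ("userA", "203.0.113.9"), ("userA", "198.51.100.7"),
                ("userA", "198.51.100.7")]
    allowed = [store.authorize(u, fid, ip) is not None for u, ip in requests]
    return os.listdir(public), allowed
```

`demo()` returns the contents of the public directory after the commit and, for each request in order, whether it was allowed.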
Comment #9
torgospizza
Hey, that sounds fine then - consider my words eaten. :)
Regarding the permissions, yeah, that's something that I had posted in the UC forums a while back but didn't get any developer feedback on. Hopefully the patch will make it easier for them.
Comment #10
TheOldGuy223 commented
Is there any new development on this issue? Just wondering cuz I could really use it, thanks.
Comment #11
Turgrid commented
What exactly are you suggesting needs further development? Feature suggestions are welcome. The seller file system in Marketplace is simple, but complete. Thanks.
Comment #12
TheOldGuy223 commented
Actually, I didn't realize it when I was reading through the threads, but what I was asking was already implemented via the "allow seller to commit files" option.
However, I can't seem to get it to work. This is my setup...
I select the allow seller to commit files option. Also I called the name of the product filefield "files". Now I went to content types/products and added a filefield with the label the same, called "files". Now the seller can upload files through the filefield; however, when the customer buys the item, the file is not available to them. I tested it out by going to the features section and doing it that way, and it worked fine, except that I can't give sellers permissions to access that page. So what am I doing wrong with this setup? Thanks.
Btw I can't even begin to thank you enough for this wonderful module... It saved my startup company a lot of money in development. It really is an amazing piece of work.
Comment #13
TheOldGuy223 commented
Also some features that might be nice would be a file field called accompany product files. Files that accompany the main download but are sorta like extras. This would be released upon checkout. Then a preview files field to download preview files; these could be downloaded without paying.
Also the ability to give every user their own folder that they could upload files into. They could do this via filefield on a separate page maybe. Then in the create products page it would have a box that displayed all the files in that directory where all they would have to do is select which ones they want to add to the product and then hit add.
Just some ideas and again thanks very much
Comment #14
Turgrid commented
Those are some very strong and good ideas. Thanks for your contribution. I will keep them in mind for a future release.
Comment #15
torgospizza
Turgrid, I've overhauled the file downloads section quite a bit, but mainly for our own use. If you get time, please let me know so I can show you what we've done. Essentially we are providing a service where users can upload files (video and audio) which are later transcoded to our specifics - if necessary. That whole bit is of course not needed for the larger module, but we needed to make some customizations which allow for the following:
- Extremely large files (we went with SWFUpload - the library, not the Drupal module)
- Keeping files organized by user - for this we used the callback function invoked by the uploader to check if the user's dir exists, and if not, create it
- Allow for committing of files and replacing them if needed. This works the same way yours does - when a file has been uploaded, it's added to their encoding queue. Once it's encoded it's in a table of files that are "able to commit" - this is where a user clicks a link and the file is committed to a product feature. However they can replace the file by uploading a replacement, and once the replacement is "able to commit" they can click a "replace" link on the original file, which takes them to another form. The form has any viable replacement options listed; the user selects which file they'd like to replace the current file with, and upon hitting submit, the files are swapped in the database, and any users who had previously purchased the old file will see the new one in its place.
There's a lot more to it than that but I'd be more than happy to clean it up and share it with you. I'm not sure there is much you could reuse from it, but it's always neat to see what others are doing.
Comment #16
Turgrid commented
That sounds unbelievable! Awesome work. There appeared to be many unsolved critical issues for the swfupload drupal module, so I stayed clear of that solution for my simple implementation, but if you implemented the swfupload library, wow! I wouldn't mind taking a look at the work you have done and getting inspiration from it or abstracting it for Marketplace. If you would be willing to show me some of what you have done, send me a pm sometime and we can discuss (I probably won't be able to sit down and give it serious thoughtful pondering for a little while, so take your time - I can otherwise get back to you when I am working on Ubercart related things). Thanks so much.
Comment #17
TheOldGuy223 commented
Another idea that came to mind is the ability for the commission module to track how much a seller has sold but, instead of paying the seller after every sold asset, to wait till the admin hits a button to pay the seller in one lump sum. This way if there are any issues with the product within, say for example, 7 days of the purchase, the admin can issue a refund without losing money because the seller had already been paid.
Comment #18
Turgrid commented
thet0olman, what you describe is exactly the way Marketplace currently works. Under store administration >> reports >> seller reports, you can make payments in "lump sums" for any specified periods of time.
Comment #19
torgospizza
Turgrid,
I'd love to show you a walkthrough of the module in action (it works incredibly well) and let you peek at some code. It was developed by myself and another coder at my office, who is traditionally a C# and Java guy - which means the code itself is pretty complex, but it is fairly easy to follow. Since there is a lot involved I might take a look at it and see if we can break it up a bit.
Anyways thanks for your continued development on this method. We'll be launching the customer products version of our site in late October.
Comment #20
Turgrid commented
Thanks. That sounds great and very interesting. You're very welcome for my development. Good luck with your customer products and I can't wait to see some marketplace action put to good use. So as not to disrupt your development, perhaps you can give me a "tour" in late October.
Comment #21
TheOldGuy223 commented
Oh ok, I didn't realize that, I thought it did it automatically after each sale. I'm still in the process of implementing the store so can't wait to test it out publicly.
Comment #22
syndicateStorm commented
Other than SWFUpload this issue appears to have been addressed. For further discussion of SWFUpload go to http://drupal.org/node/718362.
Comment #24
msbjhandeer commented
If you want your files to be copied to your download directory automatically without committing them there, then go to seller settings and check allow seller to commit files and uncheck show commit feature checkbox. This way you won't have to do anything.