blob.ashx error 403 - Problem with attachments in latest version (8.7.1)

Hi guys, I haven't changed anything from the version 8.6 to 8.7.1, but now when I deploy an app I cannot see or upload files. The upload files create a record in the database without the file information and the view file gives me an error 403. Forbidden access.

I have a business rule setup and all works in the version 8.6.11 which I had to rollback, anyone having the problem or know what I should be looking for?

I am trying to debug the code but I haven't got anywhere with that yet.

The error information in the server is:
Error Summary
HTTP Error 403.0 - Forbidden
You do not have permission to view this directory or page.
Detailed Error Information
Module ManagedPipelineHandler
Notification ExecuteRequestHandler
Handler Blob_ashx
Error Code 0x00000000
Requested URL http://myserver:80/MyApp/blob.ashx?Fi...
Physical Path C:\inetpub\wwwroot\MyApp\blob.ashx
Logon Method NTLM
Logon User Mydomain\MyAppPoolUser
Most likely causes:
• This is a generic 403 error and means the authenticated user is not authorized to view the page.
Things you can try:
• Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Links and More Information This generic 403 error means that the authenticated user is not authorized to use the requested resource. A substatus code in the IIS log files should indicate the reason for the 403 error. If a substatus code does not exist, use the steps above to gather more information about the source of the error.
View more information »
10 people have
this problem
+1
Reply
  • Vivi,

    Are your blobs stored internally in the database or using a blob adapter? What kind of security are you using on your application?
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Hi I use ASP.Net with Windows Authentication in the deployed app. But it also happens in the development environment which is pure ASP.

    I use the out of box feature from code on time (do have my business rule) storing it on the file system. It works perfectly in the previous version without changes, only upgrading my project from code backup to version 8.7.1 and it doesn't work. Nothing has changed in this part of the code.

    This error 403 happens when trying to view an already uploaded file and when you try to upload a new file the program goes into a loop, save the record in the database without the file information and doesn't resolve itself out having to reopen the page.

    I use VB with ASP for my project.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Vivi,

    Does the error go away if you use ASP.NET Membership?
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • No, it doesn't even running with the admin account that is created by COT.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Hi guys, I have found the problem and the temporary fix. The problem lies in Blob.ash.vb line 790

    The line code is:

    If ((page.Rows.Count = 0) OrElse Not ((page.Rows(0).Length = (count + 1)))) Then

    Count is the count of filters, my page.rows().Length is different to that (15) against 1.
    Once I change the code to
    If ((page.Rows.Count = 0)) Then
    It all works. I will be reporting this to code on time support and hope that it will work in the next version
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • I have the same issue except I am using C# instead of VB, so your fix doesn't help me. Any thoughts on a solution COT support?
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • It's almost as if the new release complete broke my Blob functionality. I have ASP.Net and word for word match the previous post:
    I use the out of box feature from code on time (do have my business rule) storing it on the file system. It works perfectly in the previous version without changes, only upgrading my project from code backup to version 8.7.1 and it doesn't work. Nothing has changed in this part of the code.

    This error 403 happens when trying to view an already uploaded file and when you try to upload a new file the program goes into a loop, save the record in the database without the file information and doesn't resolve itself out having to reopen the page.

    I use VB with ASP for my project.

    Except I use C# and have no solution
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Hi Mike, as you use C# I thought until you get a reply from them you could do with more information to where I managed to find the problem.

    The procedure is named ValidateBlobAccess which probably has the same name in C# and the problem I found is right in the end before returning false it is the part that compares the number of fields in the row with the count of the number of primary key fields (I think they got the wrong count to compare with there). So I commented out this part " OrElse Not ((page.Rows(0).Length = (count + 1)))) " and have been able to release a version to my users and it is working well.

    Just have in mind the code of Blob.ash.c will get replaced every time you push generate. So before publishing, push generate, go to VS check if your code is still there, if not put it on and then go ahead and deploy. It has worked for me. Just ensure you got a backup of the previous published version in case you have to roll back.

    I did open a support case and am waiting for reply, my support case is #11123

    Other problems I am having in the current version I have been able to do pretty much the same, my other problems are: Many to Many Fields that did not change in an update, delete all records on save. And there is another problem in the field value return which was causing issue copying the read only fields from lookup.

    The code in VB for the function to try and help you:

    Private Function ValidateBlobAccess(ByVal context As HttpContext, ByVal handler As BlobHandlerInfo, ByVal ba As BlobAdapter, ByVal val As String) As Boolean
    If Blob.DirectAccessMode Then
    Return true
    End If
    Dim key As String = context.Request.Params("_validationKey")
    If (((ba Is Nothing) OrElse Not (ba.IsPublic)) AndAlso (Not (context.User.Identity.IsAuthenticated) AndAlso Not ((key = BlobAdapter.ValidationKey)))) Then
    Return false
    End If
    Dim pr As PageRequest = New PageRequest(0, 1, String.Empty, Nothing)
    Dim config As ControllerConfiguration = Controller.CreateConfigurationInstance([GetType](), handler.DataController)
    Dim iterator As XPathNodeIterator = config.Select("/c:dataController/c:fields/c:field[@isPrimaryKey='true']")
    Dim filter As List(Of String) = New List(Of String)()
    Dim vals() As String = val.Split(Global.Microsoft.VisualBasic.ChrW(124))
    Dim count As Integer = 0
    Do While iterator.MoveNext()
    filter.Add(String.Format("{0}:={1}", iterator.Current.GetAttribute("name", String.Empty), vals(count)))
    count = (count + 1)
    Loop
    pr.Filter = filter.ToArray()
    Dim view As String = String.Empty
    iterator = config.Select("/c:dataController/c:views/c:view[@type='Form']", String.Empty)
    If iterator.MoveNext() Then
    view = iterator.Current.GetAttribute("id", String.Empty)
    Else
    view = Controller.GetSelectView(handler.DataController)
    End If
    pr.FieldFilter = New String() {handler.ControllerFieldName}
    Dim page As ViewPage = ControllerFactory.CreateDataController().GetPage(handler.DataController, view, pr)
    If ((page.Rows.Count = 0) OrElse Not ((page.Rows(0).Length = (count + 1)))) Then
    Return false
    End If
    Return true
    End Function
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. kidding, amused, unsure, silly indifferent, undecided, unconcerned happy, confident, thankful, excited sad, anxious, confused, frustrated

  • It seems like this issue is tied to the changes made to FieldValue in the last several releases. The primary key is read incorrectly and the blob handler forms an incorrect URL. We will be pushing out a release that will resolve this issue shortly.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • The issue should be resolved in 8.7.3.0, which was just released today.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Hi Dennys, thank you for your reply, I have updated to version 8.7.3 and I still have the exact same problem with the exact same fix.

    This line
    If ((page.Rows.Count = 0) OrElse Not ((page.Rows(0).Length = (count + 1)))) Then

    Of Private Function ValidateBlobAccess

    Is trying to compare the number of fields with the number of primary keys, consequently causing the issue.

    If I change the line to the code below all works well:
    If ((page.Rows.Count = 0) ) Then ' OrElse Not ((page.Rows(0).Length = (count + 1)))) Then

    Sorry about that.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • I also update tot 8.7.3 and have stil the same problem
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • This reply was removed on 2018-06-14.
    see the change log
  • Vivi,

    Make sure to set the "Source Fields" on your blob field equal to the name of the primary key in your controller.
    • Hi Dennis, I appreciate your reply, what I can see is that something must have been changed in this function from version 8.7.0 to 8.7.1 and it is still there.

      iterator is loaded with a list of primary key fields. (Dim iterator As XPathNodeIterator = config.Select("/c:dataController/c:fields/c:field[@isPrimaryKey='true']") )

      do while will count "count" with the number of fields that are primary key as that is all the iterator has in its list. In my case count is always = 1 as I only have one PK.

      page.Rows(0).Length = Number of fields in the controller + 1 in my case always 14 fields in the controller + 1 (probably action column).

      ((page.Rows(0).Length = (count + 1)))) - in my case will always be negative making the function return false.

      Solution for this could be.

      iterator to load all fields so all hit the "count = count + 1"

      Inside the do while have an "if" that checks if the field is primary key then apply
      filter.Add(String.Format("{0}:={1}", iterator.Current.GetAttribute("name", String.Empty), vals(count)))

      This way you will have the number of fields to compare with the length of the row.

      In my database table I have the fields below:
      SELECT [FileId] - This is my PK
      ,[ModuleName]
      ,[ModuleId]
      ,[ContentType]
      ,[FileDisplayName]
      ,[FilePath]
      ,[FileLength]
      ,[IsConfidential]
      ,[IsScanWatcher]
      ,[Comments]
      ,[CreatedBy]
      ,[CreatedDate]
      ,[ModifiedBy]
      ,[ModifiedDate]
      FROM [dbo].[Files]

      I hope it makes sense and it helps in some way. Thanks for your support, I appreciate all replies I get from you Dennis.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • I have the same problem as well still and my Source Fields

  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • are the same as the primary key, as indicated by the picture attached.

    Sorry previous response got sent before I finished typing.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • My workaround right now, thanks to Vivi, is to generate, edit the file Blob.ashx.cs in Visual Studio by commenting out the 2nd half of line 823 in C#, then publishing. That works, for now.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • An issue has been discovered where the blob field is expected to be present in the edit form. A fix will be included in the next release, or use the linked hotfix. Replace the file at ~/Documents/Code OnTime/Library/Data Aquarium/Blob.ashx.codedom.xslt.

    https://drive.google.com/open?id=19OgWxYjneumjTSYs3MXQFc_-WvVGc0vo
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Hi Dennys, first sorry on the delay to test this. I have just today updated the version of code on time.

    Every time I put this file into the data aquarium folder, when I open the Code on time program it updates itself again and replaces the file back with the file that is shipped with the version. Am I doing something wrong?

    Thanks Vivi.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Having the same issue. Replacing the xlst file didn't solve the problem after regenerate.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • A fix for this issue will be included in the next release. The issue stems from the blob field not being included in the grid and edit form of your controller - add it back to the required views as a hidden field as a workaround.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • I also have similar issues, my picture blob is not rendred. This is the error I get from the developer console:
    HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfil it. GET - http://localhost:63700/blob.ashx?Stud...
    • Hi Ola, see one of my answers 8 months ago, there is a work around that works for me not sure if it works for you, the problem occurs on Private Function ValidateBlobAccess

      If I change the line to the code below all works well:
      If ((page.Rows.Count = 0) ) Then ' OrElse Not ((page.Rows(0).Length = (count + 1)))) Then

      If you now familiar with VB I have to comment the orelse and then it works and page.Rows(0).Length is different to count + 1. So it doesn't return false.

      The process is to generate, then open code and change that line, then it works again.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Thanks Vivi for this excellent by-pass. It solved all my blob issues.

    I'm just wondering why COT haven't solved this in the last 8 months. Obviously all their argument about "blob field should be in the grid..." is flawed.

    I haven't created a new project after 8.7.1 when this problem started, but the fact is clear that the blob changes introduced in 8.7.1 which is still operational is not backward compatible.

    I am not against new methodologies, but it is only fair to ensure backward compatibility because our business depends on this!
    We can't possibly restart a project that's consumed 100s of man hours.

    COT will you help us to put this behind finally?
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • COT,

    Do you folks do regression testing? I'm not confident that you do
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Method Blob.ValidateBlobAccess validates the ability of the user to access the row with the blob.

    Also the blob field itself must be accessible to the user.

    Vivi,

    Do the following as instructed above:

    The issue stems from the blob field not being included in the grid and edit form of your controller - add it back to the required views as a hidden field as a workaround.

    Ola,

    You said: Obviously all their argument about "blob field should be in the grid..." is flawed.

    The idea of the validation code is to make sure that the user can see the blob if she can "see" the corresponding row and the blob field itself is available to the user in one of the views of the controller.

    Otherwise users without UI access to the data row and the field can download the content, which they are presumably not authorized to access.
    • view 1 more comment
    • Scott,

      Make sure you are using the latest version of the app generator (8.7.8.0)

      Please put the breakpoint in the method and identify why your app does not allow the user to the row.

      The method will remain in place in the future versions of the product.
    • I am using 8.7.8.0. I created a brand new project Northwind project, and I have the same problem. However, I believe the issue has to do with the using the previous upload code as shown here: https://codeontime.com/learn/upload-d...

      When I delete the rules, and configure the blob adapter as described here. it works. https://codeontime.com/learn/upload-d...

      This creates a bit of an issue for me as I used the custom code to see if a file exists, then rename it before saving the new file. This allows me to keep revisions of the files. I also store my upload location in my database to make it easy to change the location. So I'm not sure what I am going to do at this point.

      Scott
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. kidding, amused, unsure, silly indifferent, undecided, unconcerned happy, confident, thankful, excited sad, anxious, confused, frustrated

  • I am in favour of a more secure system. It is not the fact that you're validating access rights that is the issue here. The issue is that some of us with legacy apps are suffering unintended consequences of the modification.

    When I said your argument is flawed, I meant the root cause of the loss of blob functionality in legacy apps is not "the blob field not in edit form". I can confirm the blob field is in the form and grid, and it has always been.

    If you say the "validate method will remain in place..." and you don't look deeper to identify why legacy apps are still not rendering blobs, you are simply hanging my business out to dry!!!

    I have tried the following:
    1. Created a new controller with a blob field in my legacy app, the blob does not render.
    2. I created a new app and added controller with blob field, it works perfectly.
    3. I ensured my blob is in the grid and edit form in my legacy app, yet it does not render.
    4. I used Vivi's workaround the blob renders perfectly in app but does not render in reports

    It appears there's a deeper issue you haven't identified, perhaps something to do with the legacy library from which the app was initially created.

    I have recently sent you my app and I'm ready to release the backend database to troubleshoot this issue, but please don't just conclude that "the blob should be in the edit form", there is a deeper issue somewhere else!

    Please SOS. thanks
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • 1
    I am having the same problem.
    I have noticed that it looks to only happen to my blobs (internal or External) that are on controllers that have "Select" Business rules. Since the directions for External uses a "Select" Business rule it happens all the time.

    Does that make sense to any one? Or do I have something setup wrong.

    Digging into the code.
    It looks like the following call to GetPage at the bottom of ValidateBlobAccess is suppose to return back the page limited to the fields added to the pr.FieldFilter.
    But if you have a "Select" Business rule it clears in on the 5th line of code in Controller.Core.DataControllerBase.IDataController_GetPage which looks to cause
    all the fields to come back instead of just the filtered list since when ApplyFieldFilter gets called later the filter has been set to nothing do it skips it.

    • That makes sense, I do have business rule select in my files as there is a flag in the database that the file may be confidential and then only administrators can see it.

      I am putting this as a note in my support case, I have logged the first call on June 06, 2018 12:47 and I still have the same issue, so if this can be solved it will make my life so much easier as at the moment I have to generate, change and then publish it.

      Thanks Joshua for further debugging code and spotting this as possible cause of the issue.
    • I can confirm that once I removed the "Select" command Business Rule (after I ensured that the signature blob field was present and hidden in each and every view and grid) it started working. Thank you for the work around. Fortunately I don't need that business rule anymore. Thx Joshua
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. kidding, amused, unsure, silly indifferent, undecided, unconcerned happy, confident, thankful, excited sad, anxious, confused, frustrated

  • Gents,

    This issue has now been resolved as of 8.7.9. They have now moved ValidateBlobAccess into Application services.

    You only need to override ValidateBlobAccess and cause it to return true. Note that COT instructions says to return false, but only returning true makes it work.

    That completely solves the issue, no need to regenerate (thanks to Vivi for this workaround)

    Below is my override code.

    Public Overrides Function ValidateBlobAccess(ByVal context As HttpContext, ByVal handler As BlobHandlerInfo, ByVal ba As BlobAdapter, ByVal val As String) As Boolean
    Return True
    Return MyBase.ValidateBlobAccess(context, handler, ba, val)
    End Function
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Hi guys, just to update, I do have business rules for select and upload files, I am running version 8.7.10.0 and am still getting the same error message.

    My table has 15 fields, the filter is only counting 2, the ID and the ExternalDoc.

    Still the same work around.
    • Override the method ApplicationServices.ValidateBlobAccess in partial class ApplicationServices and return true in the implementation.

      The current implementation tries to ensure that user can see the Blob field and the row. We apply a field filter to limit the number of fields to include the primary key and the blob. A simple numeric comparison of the field count returned by the app is performed. If the number of the fields does not match then the framework assumes that you do no have access to the field and prevents access.

      The next release will include a fix for this issue.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Hi Vivi, re-business rules for upload and select, I'm not sure this implementation works in the current versions, I was told to use the blob adapters as described here https://codeontime.com/learn/upload-d....

    Reference my post at http://community.codeontime.com/codeo...
    Hold this helps.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated

  • Starting with the release 8.7.11.0 method ApplicationServices.ValidateBlobAccess ensures that user can access the row that contains the BLOB field. The field must also be accessible to the user. Otherwise access to blob is denied.
  • (some HTML allowed)
    How does this make you feel?
    Add Image
    I'm

    e.g. indifferent, undecided, unconcerned happy, confident, thankful, excited kidding, amused, unsure, silly sad, anxious, confused, frustrated