Local Network Queries

CAUTION: Use of this feature requires care to avoid allowing unwanted access to local server or network files. When using this feature, ensure that you are granting the minimum level of access needed.

About

On-premises versions of FormsViewer can give your forms access to local files and local network files through the following qRules commands:

  • DeleteFile
  • GetNetworkFile
  • ListDirectory
  • SaveToNetwork

See the qRules Command Builder in the Legacy Designer for details about each of these commands.

For security reasons, use of these features is opt-in — they are disabled by default, and must be configured to allow access to certain file locations.

Configuration

There are two ways to configure local query access. The first is the newer, recommended approach. The second is a legacy approach and not recommended unless specifically needed.

Configuration Style 1 - web.config

You can use FormsViewer's web.config file to specify which locations can be accessed.

Locate this section near the bottom of your FormsViewer web.config:

<localAccess enable="false">
  <paths>
    <path value="" allowRead="false" allowWrite="false" />
    <!-- add more <path>s as needed -->
  </paths>
</localAccess>

Hint: If you have upgraded from a version of FormsViewer that doesn't have this section, you can copy it from the stock web.config file included in the FormsViewer install package. Make sure to place it in the same location (directly within the <formsViewer> section).

Change the value of the enable attribute from false to true. This will enable the use of queries to locations specified within this section.

Within the <paths> section, use the value attribute to specify a path to which you want to grant access, and specify true in allowRead or allowWrite as needed. allowRead will allow the use of GetNetworkFile and ListDirectory. allowWrite will allow the use of DeleteFile and SaveToNetwork.

Example:

<paths>
  <path value="D:\sharedFiles\" allowRead="false" allowWrite="true" />
  <path value="D:\sharedConfig\" allowRead="true" allowWrite="true" />
</paths>

When access is granted to a given path, the above qRules commands will be able to access that path and all child paths beneath it. For example, the above grants access to D:\sharedFiles\, D:\sharedFiles\inProgress\myFile.txt, and so on.

Note: Paths allowed using this configuration style are accessed under FormsViewer's app pool identity, so that identity must itself have permission to the specified locations for access to succeed. This also means that you can further control access by modifying the permissions granted to that identity.

Configuration Style 2 - Manage Credentials

The older, less recommended approach to granting access is to configure it using FormsViewer's Manage Credentials page.

Note: For security reasons, this configuration style only allows granting access to UNC paths (e.g. \\fileshare\files), not to local file paths on the FormsViewer server.

To enable this configuration style, use the appSettings in FormsViewer's web.config to set the following setting:

<add key="AllowLocalAccess" value="true" />

Your web.config file may already have this line, within a comment section. If so, remove the <!-- and --> around it. If not, add this line within the <appSettings> section.

Grant access to specific paths by going to the Manage Credentials page and adding a credential set for each path. Specify the desired path in the URL field, and the domain, username, and password of the account that should be used to access the path in question.

As with Configuration Style 1, this will grant access to the specified paths and any children of those paths.

Note: Unlike Configuration Style 1, which accesses paths using FormsViewer's app pool identity, this approach involves specifying a set of credentials to access the path in question. This approach also does not allow specifying read or write access per path: both read and write access are implicitly granted to each path specified.
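
An added example, not part of FormsViewer or its documentation: a Python audit of a web.config that lists which qRules commands each <path> entry enables and flags broad or write-capable grants, covering both configuration styles described above. The sample config is constructed; placing <formsViewer> directly under <configuration>, reading "true" case-insensitively, and the helper name audit_local_access are assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Command-to-permission mapping as stated on this page.
READ_CMDS = ["GetNetworkFile", "ListDirectory"]
WRITE_CMDS = ["DeleteFile", "SaveToNetwork"]

# Constructed sample, not a real deployment's web.config.
SAMPLE = r"""<configuration>
  <appSettings><add key="AllowLocalAccess" value="true" /></appSettings>
  <formsViewer><localAccess enable="true"><paths>
    <path value="D:\sharedFiles\" allowRead="false" allowWrite="true" />
    <path value="D:\" allowRead="true" allowWrite="true" />
  </paths></localAccess></formsViewer>
</configuration>"""

def is_true(value):
    # Assumption: the attribute is read as a case-insensitive boolean.
    return (value or "").strip().lower() == "true"

def audit_local_access(config_xml):
    """Return (grants, warnings) for a web.config supplied as text."""
    root = ET.fromstring(config_xml)
    grants, warnings = [], []
    for add in root.iter("add"):
        if add.get("key") == "AllowLocalAccess" and is_true(add.get("value")):
            warnings.append("Style 2 enabled: each credential path gets read and write")
    section = root.find(".//localAccess")
    if section is None or not is_true(section.get("enable")):
        return grants, warnings  # Style 1 is off, so <path> entries are not in effect
    for p in section.iter("path"):
        value = (p.get("value") or "").strip()
        cmds = (READ_CMDS if is_true(p.get("allowRead")) else []) + \
               (WRITE_CMDS if is_true(p.get("allowWrite")) else [])
        if not cmds:
            continue  # neither flag set: nothing to report for this entry
        if not value:
            warnings.append("empty path value with access flags set: review this entry")
            continue
        grants.append((value, cmds))
        drive, tail = ntpath.splitdrive(ntpath.normpath(value))
        if tail.strip("\\") == "":
            warnings.append(f"{value}: whole drive or share root, children included")
        if "DeleteFile" in cmds:
            warnings.append(f"{value}: forms can delete and overwrite files here")
    return grants, warnings

if __name__ == "__main__":
    for line in audit_local_access(SAMPLE)[1]:
        print("WARN", line)
```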