Integrations and APIs for Service

Get Involved. Join the Conversation.


    Pathaksa Tongpitak
    Exposing File Attachment URLAnswered
    Topic posted September 16, 2011 by Pathaksa TongpitakSilver Medal: 2,000+ Points, last edited February 8, 2012 
    5881 Views, 31 Comments
    Exposing File Attachment URL

    I'm trying to fetch the File Attachment URL of a Contact but it returns an empty value.

    However I do get a value when I fetch the ID.

    Am I missing something?

    Code Snippet:

    Best Comment

    Ryan McCullough

    Note in the documentation:

    That it says:

    NoteIn order to use the getAdminURL() method the initConnectAPI() has to be called using a valid username/password. For example: initConnectAPI('connect', 'connect');


    • Allan Schrum

      Hi Diane,

      In general, reading the file attachment contents on the server is not permitted at this time (as previously mentioned). What release are you operating upon? Relatively recent system now support Custom Objects and Custom Fields that support significant improvements. Also, why is the email content placed as an attachment? Could it be diverted to the incident's thread instead? Or perhaps (if your version permits) placed into a custom object for future processing?



    • Austin Clerkin

      @Diane: maybe CURL would do it? CURL is used in the standard chat model to connect to the RightNow chat servers if https is enabled. I haven't tried using CURL for a machine to connect to itsself over HTTPS, but perhaps this is possible?

    • Ashley Wilson

      I'm logged in to the API with a valid username & password, but get the error

      Admin URL Unavailable: Session information unavailable: Incident(ID=123456).FileAttachments[0].URL

      The attachment is not set as private. Here's the code:

      use RightNow\Connect\v1 as RNCPHP;
      require_once( get_cfg_var("doc_root") . "/ConnectPHP/Connect_init.php" );       
      try {
          initConnectAPI('username', 'password', null, RNCPHP\ConnectAPI::AuthOptTransient); 
      } catch (Exception $e) {
          echo $e->getMessage();
      $incident = RNCPHP\Incident::fetch(123456);
      if(count($incident->FileAttachments) > 0){
          try {
              $fileUrl = $incident->FileAttachments[0]->getAdminUrl();
              echo "URL: " . $fileUrl;
          } catch (Exception $e){
              echo $e->getMessage();
    • Allan Schrum

      All incident file attachments are implicitly private. The getAdminUrl() requires a session ID in order to allow that link to be created. The use of AuthOptTransient says, "login but do not create a session ID". Hence, the problem you see. If you remove the transient login option then the session would be available to getAdminUrl() to create the link you need.



    • Ashley Wilson

      Hi Allan,

      I have the code generating the url and I can download the file on the portal, but now I want to give that URL to be made available to people who aren't logged in to RightNow.

      I've come to know that the 


      file which handles the download requests can also take p_sid & p_file_id parameters, which are the session & file ids respectively (instead of the p_parms parameter that getAdminUrl() generates). How do I get that session id?

      generate_session_id() cannot be called from my code, neither can I use CodeIgniter's session class because apparently it cannot be loaded into my page, and there are no mentions of functions related to session handling in the Connect for PHP docs. Please help...

      Many thanks,
      Ashley Wilson

    • Ashley Wilson

      Update from RightNow customer support:

      Unfortunately, the answer is that our documentation is incorrect in stating that file_get_contents can be used with file attachments. This is not currently possible, due to our security configuration. There is a project currently underway to allow for server-side access of files, but this functionality has not yet been released. I apologize for the inconvenience caused by this documentation oversight.
      A potential workaround would be to implement functionality that would copy the attachment to the tmp directory, and then access it using file_get_contents. If you'd like help setting something like this up, Oracle/RightNow Consulting may be able to assist with this project.
      Thank you for bringing this incorrect documentation to our attention, we will be updating it to reflect the correct usage of getAdminURL().

      (Our RightNow version is August 2011)

    • john sheflin



      Is this safe to use in production?

      example: initConnectAPI('connect', 'connect');

      Is there any other way to access file attachments?

      Should this be in a custom controller, or can it be on a regular CP view page?



    • Ashley Wilson

      @John Sheflin   Did you mean server-side access, or access via a download link? After our site upgraded to August 2013 version, the link generated by getAdminURL() seems to be working outside of the portal.. This is just in my local testing, haven't tested on our production site..

      The getAdminURL() function generates the link to download, and whether you use it in controllers or view pages depends on what you're using that link for and how you want to implement it. Should work either way.

    • john sheflin



      Thanks for responding.  What I mean is a download link for contacts who login to our CP.  I want to show specific contact attachments (sorted by description) to the contact and allow the contact to download.

      Is it a security risk to have the connect username and password on a CP page, open to whomever can login?

      Is there any other way to show and allow download of contact attachments to the logged-in contact?


    • Ashley Wilson


      You'd be looping through the attachments to the contact who is logged in, and only using the login to generate the URLs. I wouldn't think of this as a security issue. While I haven't generated links for contacts myself, this should be possible. Please do report back with the results.

      By default, incident attachments are available for download through the 'My Account' page, but contact attachments are not accessible that way.

    • john sheflin



      I am able to show specific contact attachments, but the getAdminURL() requires I write my username and password like:


      initConnectAPI('connect', 'connect');


      Otherwise, I get:

      Uncaught exception 'RightNow\Connect\v1\ConnectAPIError' with message 'Admin URL Unavailable: Session information unavailable; Contact(ID=***).FileAttachments[-1].URL'

      Any ideas around that?




    • Ashley Wilson

      Results of implementing off-portal access to URLs generated by getAdminURL():

      • New attachments to existing or newly created incidents can be downloaded without issues.
      • Attachments which were added after our upgrade to August '13 can be downloaded without issues.
      • Not all attachments get successfully downloaded via the links. In my testing, attachments which were added before our upgrade from August 2010 to August 2013 are downloaded as empty (0 kB) files. We consider this a trivial issue, and have added the download feature to our production systems regardless of this issue.


      I think the requirement for authentication is so that activity on the incident can be tracked. Any particular reason you would like to avoid that? As you probably know, the auth is a generic one for API use, not user-specific..

    • john sheflin



      I'[m sorry,  I don't know what you mean.  You said "the auth is a generic one for API use"?

      Where does one get that?

      I would be happy to try something else in the initConnectAPI('connect', 'connect');,but if I leave it blank, I get that error.



    • Ashley Wilson


      The  login credentials of the RN account (as opposed to customer account)  you're using ('connect') can be hardcoded into your view/controller, as it doesn't need to change according to who is logged in to the portal (a customer). So I would consider that a non-issue for security, as only people with access to WebDav would see that, which would be the CRM team at your organisation. Is there any particular reason you would like to avoid using 'connect' ?

      Of course, the permissions to the particular account can be locked down to only give access to the particular objects you want that view/model to modify/access.

    • john sheflin



      Thanks for your time.

      The Right Now people say it's bad security to have my credentials anywhere.  Good call on the object specific access, but that costs us a seat.

      What was proposed to me by consultant from 45north was to use the custom config to store the password, so I'm going to try that.