Delphi/C++Builder には PDFium VCL Component のワークフローを、Lazarus/FPC には PDFium LCL Component のワークフローを組み込み、表示、レンダリング、フォーム、印刷、プリフライトレポート、標準対応の検証をソースコード付きコンポーネントで実装できます。
この記事は teams showing sensitive PDFs inside line-of-business applications without granting full document-control features 向けです。secure PDF preview surfaces を単なるコンポーネント呼び出しではなく、本番向けのドキュメントエンジニアリングとして扱います。
実務上のリスクは a preview window can accidentally become a data-exfiltration surface if printing, saving, clipboard, links, attachments, and temporary files are not governed です。そのため、明確な契約、観測可能な診断、実際の顧客ファイルに近い回帰サンプルが必要です。
アーキテクチャ上の判断
Treat preview as a permissioned operation. which roles can open, print, save, copy, search, annotate, or follow links / temporary file location, lifetime, naming, encryption, and cleanup policy
- which roles can open, print, save, copy, search, annotate, or follow links
- temporary file location, lifetime, naming, encryption, and cleanup policy
- external link, embedded file, JavaScript, and attachment handling
- audit events required for open, close, denied action, print, and export attempts
実装フロー
Disable features by policy rather than hiding buttons. The order below keeps the workflow reviewable for Delphi and C++Builder teams.
- resolve the user's preview policy before the PDF is loaded
- open the document through a controlled stream or temporary file boundary
- disable and audit denied actions at the command layer, not only in visible buttons
- handle links, attachments, and scripts according to the preview profile
- clean temporary resources and write a session summary when the viewer closes
検証エビデンス
Security evidence for preview sessions. Keep these fields with the output or support record.
- user role, document classification, preview profile, and allowed action list
- denied commands, external target attempts, attachment attempts, and print requests
- temporary file path or stream mode plus cleanup result
- session duration, pages viewed when policy requires it, and close reason
Read-only UI is not the same as secure preview
Secure preview combines viewer permissions, application roles, document policy, link handling, attachment policy, temp-file control, and audit logging. The PDF renderer is only one layer of that surface.
Customer-visible behavior
Users do not see internal call order. They see whether the file opens, validates, prints, edits, imports, or gets rejected. The workflow should translate secure PDF preview surfaces results into states users can act on.
- resolve the user's preview policy before the PDF is loaded
- open the document through a controlled stream or temporary file boundary
- disable and audit denied actions at the command layer, not only in visible buttons
- keyboard shortcuts and context menus can bypass toolbar-only restrictions
- attachments and links may leak data even when save is disabled
secure PDF preview surfaces に関する技術レビューの注意点
これらのレビュー項目を使って、機能がデモ段階を超え、リリース、サポート、顧客エスカレーションの場で説明できることを確認します
- 判断: which roles can open, print, save, copy, search, annotate, or follow links. 実装上の焦点: open the document through a controlled stream or temporary file boundary. 受け入れ証拠: temporary file path or stream mode plus cleanup result. 回帰の引き金: watermarks should supplement policy but should not be the only protection
- 判断: temporary file location, lifetime, naming, encryption, and cleanup policy. 実装上の焦点: disable and audit denied actions at the command layer, not only in visible buttons. 受け入れ証拠: session duration, pages viewed when policy requires it, and close reason. 回帰の引き金: keyboard shortcuts and context menus can bypass toolbar-only restrictions
境界ケース
- keyboard shortcuts and context menus can bypass toolbar-only restrictions
- attachments and links may leak data even when save is disabled
- temporary preview files can remain recoverable if cleanup is not verified
- watermarks should supplement policy but should not be the only protection
Delphi / C++Builder の補足
PDFium Component should sit behind a small service boundary that receives files, streams, profiles, and credentials, then returns output paths, warnings, metrics, and validation status. 重要な用語には secure preview, read-only viewer, audit log, temporary file, attachments, policy.
Delphi コード例
次の Delphi スケッチは、このテーマに対する実用的なサービス境界を示します。ポリシー確認、ログ記録、検証を製品呼び出しの狭い部分の外側に置くと、ワークフローをテストしやすくなります。
procedure TSecurePreview.OpenReadOnly(const FileName: string);
begin
RequireAllowedLocation(FileName);
PdfView.LoadFromFile(FileName);
DisableSaveAndClipboardCommands;
RenderWatermarkedPage(1, CurrentUserName);
LogPreviewSession(FileName, PdfView.PageCount);
end;本番チェックリスト
- ワークフローは、空のファイル、通常の顧客ファイル、最悪ケースのファイルで実行します
- 生成された PDF は、対象のビューアー、検証ツール、プリンター、または downstream アプリケーションで開きます
- 製品バージョン、プロファイルバージョン、入力ハッシュ、出力パス、経過時間、警告数を記録します
- パスワード、証明書、一時ファイル、顧客データは明確な保持ルールの下で管理します
- 顧客ファイルが新しい境界ケースを示したら、回帰用ドキュメントを追加します
製品ドキュメント
追加のコード例
procedure TPreviewPane.PdfViewWebLinkClick(Sender: TObject;
const Url: WString; var Handled: Boolean);
begin
Handled := True; // never fall through to the default shell behavior
if (AnsiStartsText('https://', Url) or AnsiStartsText('http://', Url))
and HostIsAllowed(Url) then
OpenInBrowser(Url)
else
FAudit.LogBlockedLink(FDocumentId, Url);
end;procedure TPreviewPane.ExportAttachment(Index: Integer; const TargetDir: string);
var
RawName, SafeName, Ext: string;
Data: TBytes;
begin
RawName := string(Pdf.AttachmentName[Index]);
SafeName := ExtractFileName(RawName); // strips any path components
Ext := LowerCase(ExtractFileExt(SafeName));
if not FAllowedExt.Contains(Ext) then // allowlist, not blocklist
raise EPreviewPolicy.CreateFmt('Attachment type %s blocked by policy', [Ext]);
Data := Pdf.Attachment[Index]; // embedded payload as raw bytes
TFile.WriteAllBytes(
IncludeTrailingPathDelimiter(TargetDir) + SafeName, Data);
end;