Technical article

PDFium Component: secure PDF preview surfaces in Delphi

Integrate PDFium VCL Component workflows into Delphi and C++Builder applications, or PDFium LCL Component workflows into Lazarus/FPC, with source-code components for viewing, rendering, forms, printing, preflight reports and standards-oriented validation.

This article is written for teams showing sensitive PDFs inside line-of-business applications without granting full document-control features. It treats secure PDF preview surfaces as production-grade document engineering, not as an isolated component call.

The practical risk is that a preview window can accidentally become a data-exfiltration surface if printing, saving, clipboard, links, attachments, and temporary files are not governed. The workflow therefore needs a written contract, observable diagnostics and realistic regression files.

Architecture decisions

Treat preview as a permissioned operation and write down the following decisions:

  • which roles can open, print, save, copy, search, annotate, or follow links
  • temporary file location, lifetime, naming, encryption, and cleanup policy
  • external link, embedded file, JavaScript, and attachment handling
  • audit events required for open, close, denied action, print, and export attempts

Implementation flow

Disable features by policy rather than hiding buttons. The order below makes the workflow reviewable for Delphi and C++Builder teams.

  1. resolve the user's preview policy before the PDF is loaded
  2. open the document through a controlled stream or temporary file boundary
  3. disable and audit denied actions at the command layer, not only in visible buttons
  4. handle links, attachments, and scripts according to the preview profile
  5. clean temporary resources and write a session summary when the viewer closes
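Steps 1 and 3 of this flow, as an added Delphi example (not code from PDFium Component or its documentation): the policy is resolved from role and document classification before load, and every trigger, whether a toolbar button, a shortcut or a context menu item, passes through one gate that enforces and audits. The role and classification names, TPreviewPane with its FPolicy, FDocumentId and FAudit fields, and PdfView.Print are assumptions.

```delphi
// Requires System.SysUtils (TProc, SameText, Format), System.StrUtils (IfThen)
// and System.Classes (TStrings, TShiftState).
type
  TPreviewAction = (paPrint, paSave, paCopy, paSearch, paAnnotate, paFollowLink);
  TPreviewActions = set of TPreviewAction;

  TPreviewPolicy = record
    Allowed: TPreviewActions;
    UseMemoryStream: Boolean;  // True: keep the document off disk entirely
  end;

// Step 1: resolve the policy from role and document classification before the
// PDF is loaded. Role and classification names are assumed for this example.
function ResolvePreviewPolicy(const Role, Classification: string): TPreviewPolicy;
begin
  Result.Allowed := [paSearch];            // baseline: view and search only
  Result.UseMemoryStream := SameText(Classification, 'confidential');
  if SameText(Role, 'clerk') and not Result.UseMemoryStream then
    Result.Allowed := Result.Allowed + [paPrint];
  if SameText(Role, 'auditor') then
    Result.Allowed := Result.Allowed + [paPrint, paCopy, paFollowLink];
end;

// Step 3: the single gate every trigger goes through. Toolbar buttons, shortcuts
// and context menu items all call this, so there is no path around the policy,
// and each decision is audited together with the trigger that caused it.
function TryPreviewAction(const Policy: TPreviewPolicy; Action: TPreviewAction;
  const DocumentId, Trigger: string; Audit: TStrings; Proc: TProc): Boolean;
const
  Names: array[TPreviewAction] of string =
    ('print', 'save', 'copy', 'search', 'annotate', 'follow-link');
begin
  Result := Action in Policy.Allowed;
  Audit.Add(Format('%s %s action=%s trigger=%s',
    [DocumentId, IfThen(Result, 'allowed', 'DENIED'), Names[Action], Trigger]));
  if Result then
    Proc();
end;

// Ctrl+P arriving as a key press is gated exactly like the toolbar button.
// TPreviewPane, its FPolicy/FDocumentId/FAudit fields and PdfView.Print are assumed.
procedure TPreviewPane.FormKeyDown(Sender: TObject; var Key: Word; Shift: TShiftState);
begin
  if (Key = Ord('P')) and (ssCtrl in Shift) then
  begin
    Key := 0;   // swallow the shortcut whether or not printing is allowed
    TryPreviewAction(FPolicy, paPrint, FDocumentId, 'shortcut', FAudit,
      procedure begin PdfView.Print; end);
  end;
end;
```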

Validation evidence

Security evidence for preview sessions. Keep these fields together with the output or the support package.

  • user role, document classification, preview profile, and allowed action list
  • denied commands, external target attempts, attachment attempts, and print requests
  • temporary file path or stream mode plus cleanup result
  • session duration, pages viewed when policy requires it, and close reason

Read-only UI is not the same as secure preview

Secure preview combines viewer permissions, application roles, document policy, link handling, attachment policy, temp-file control, and audit logging. The PDF renderer is only one layer of that surface.

Customer-visible behaviour

Users do not see the internal call order. They see whether the file opens, validates, prints, is edited, imported or rejected. The workflow should translate the results of the secure preview into states users can act on.

  • resolve the user's preview policy before the PDF is loaded
  • open the document through a controlled stream or temporary file boundary
  • disable and audit denied actions at the command layer, not only in visible buttons
  • keyboard shortcuts and context menus can bypass toolbar-only restrictions
  • attachments and links may leak data even when save is disabled

Technical review notes for secure PDF preview surfaces

Use these review notes to make sure the feature has moved past demo level and can be defended during delivery, support and customer escalation.

  • Decision: which roles can open, print, save, copy, search, annotate, or follow links. Implementation pressure point: open the document through a controlled stream or temporary file boundary. Acceptance evidence: temporary file path or stream mode plus cleanup result. Regression trigger: watermarks should supplement policy but should not be the only protection.
  • Decision: temporary file location, lifetime, naming, encryption, and cleanup policy. Implementation pressure point: disable and audit denied actions at the command layer, not only in visible buttons. Acceptance evidence: session duration, pages viewed when policy requires it, and close reason. Regression trigger: keyboard shortcuts and context menus can bypass toolbar-only restrictions.

Edge cases

  • keyboard shortcuts and context menus can bypass toolbar-only restrictions
  • attachments and links may leak data even when save is disabled
  • temporary preview files can remain recoverable if cleanup is not verified
  • watermarks should supplement policy but should not be the only protection
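The temporary-file edge case above, worked through as an added Delphi example (not code from PDFium Component or its documentation): the document is copied into a randomly named file under a dedicated directory, removed in a finally block, and the cleanup result is verified and audited instead of assumed. TPdfView with LoadFromFile, the TStrings audit sink, and the viewer releasing its file handle before ShowViewer returns are assumptions.

```delphi
// Requires System.SysUtils, System.Classes and System.IOUtils. TPdfView with
// LoadFromFile is assumed, as is that the viewer has released its handle on
// the file by the time ShowViewer returns.
procedure PreviewThroughTempBoundary(Source: TStream; PdfView: TPdfView;
  Audit: TStrings; ShowViewer: TProc);
var
  TempDir, TempPath: string;
  Fs: TFileStream;
begin
  // Random name in a dedicated preview directory: the customer's file name never
  // appears in %TEMP%, and stale files from earlier sessions are easy to find.
  TempDir := TPath.Combine(TPath.GetTempPath, 'preview');
  TDirectory.CreateDirectory(TempDir);
  TempPath := TPath.Combine(TempDir, TPath.GetGUIDFileName + '.pdf');

  Fs := TFileStream.Create(TempPath, fmCreate or fmShareExclusive);
  try
    Fs.CopyFrom(Source, 0);            // Count = 0 copies the whole source stream
  finally
    Fs.Free;
  end;

  try
    PdfView.LoadFromFile(TempPath);
    ShowViewer();                      // returns when the preview window closes
  finally
    // Cleanup runs on normal close and on exceptions alike. DeleteFile returns
    // False on failure; the existence re-check catches the case where a lingering
    // handle or an on-access scanner keeps the file recoverable after the call.
    if DeleteFile(TempPath) and not TFile.Exists(TempPath) then
      Audit.Add('cleanup ok path=' + TempPath)
    else
      Audit.Add('cleanup FAILED path=' + TempPath);
  end;
end;
```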

Delphi / C++Builder notes

PDFium Component should sit behind a small service boundary that receives files, streams, profiles, and credentials, then returns output paths, warnings, metrics, and validation status. Important terms include secure preview, read-only viewer, audit log, temporary file, attachments, policy.

Delphi code example

The following Delphi sketch shows a practical service boundary for this topic. Keep policy checks, logging and validation outside the narrow product call so that the workflow can be tested.

procedure TSecurePreview.OpenReadOnly(const FileName: string);
begin
  RequireAllowedLocation(FileName);               // policy check before any I/O on the path
  PdfView.LoadFromFile(FileName);                 // the narrow product call
  DisableSaveAndClipboardCommands;                // enforce at the command layer, not just the toolbar
  RenderWatermarkedPage(1, CurrentUserName);      // watermark supplements policy, it does not replace it
  LogPreviewSession(FileName, PdfView.PageCount); // audit evidence for the session
end;

Production checklist

  • Run the workflow on an empty file, a normal customer file and a worst-case file
  • Open the generated PDF with the intended viewer, validator, printer or downstream application
  • Log product version, profile version, input hash, output path, elapsed time and warning count
  • Keep passwords, certificates, temporary files and customer data under clear retention rules
  • Add regression documents when a customer file reveals a new edge case

Product documentation

PDFium Component

More code examples

procedure TPreviewPane.PdfViewWebLinkClick(Sender: TObject;
  const Url: WString; var Handled: Boolean);
begin
  Handled := True;   // never fall through to the default shell behavior

  // Scheme allowlist plus host allowlist; AnsiStartsText is in System.StrUtils.
  if (AnsiStartsText('https://', Url) or AnsiStartsText('http://', Url))
    and HostIsAllowed(Url) then
    OpenInBrowser(Url)
  else
    FAudit.LogBlockedLink(FDocumentId, Url);
end;

procedure TPreviewPane.ExportAttachment(Index: Integer; const TargetDir: string);
var
  RawName, SafeName, Ext: string;
  Data: TBytes;
begin
  RawName := string(Pdf.AttachmentName[Index]);
  // Normalise '/' to the platform delimiter first: on Windows ExtractFileName only
  // strips '\' and ':' components, but the file system accepts '/' as well.
  SafeName := ExtractFileName(StringReplace(RawName, '/', PathDelim, [rfReplaceAll]));
  if (SafeName = '') or (SafeName = '.') or (SafeName = '..') then
    raise EPreviewPolicy.Create('Attachment name rejected by policy');
  Ext := LowerCase(ExtractFileExt(SafeName));

  if not FAllowedExt.Contains(Ext) then    // allowlist, not blocklist
    raise EPreviewPolicy.CreateFmt('Attachment type %s blocked by policy', [Ext]);

  Data := Pdf.Attachment[Index];           // embedded payload as raw bytes
  TFile.WriteAllBytes(                     // TFile is in System.IOUtils
    IncludeTrailingPathDelimiter(TargetDir) + SafeName, Data);
end;