In a symfony 5.0 application I need to integrate a filemanager that provides basic file handling for users.
Each user is only allowed to manage files in his specific user folder which (obviously) is not in the public folder but at some path like
../data/images/[user_id]/
The filemanager of my choice needs this one path as a parameter to do it's magic.
How can I define access rules in symfony to define this behaviour to grant access to a specific but dynamic path which depends on the currently logged in user?
You have to deal with that problem in your controller or in the file manager. You have to create a database schema which register the access rights per user and per directory.
You can create a many to many or a many to one relation between user and directory entity. This relation maps the directory with his owner
If each user have a directory, you can create it directly when the user is created.
If the user can have no directory, you can create the directory only when he decide to create one.
If a user can have multiple directories (many to many relation) you have to create the directory each time a user decide to create one.
In order to deal with the access rights you have to create a second relation between user and directory. This relation maps the directory with his users who can access to it
I think this relation should be many to many because obviously in your case a user can access many directories and directories can be accessed by many users
In order to know if a user can access a resource, the file manager will get the access rights from the database then either provide the file or return an error
Related
I have a folder in which I store all of my applications. Right now 'Everyone' has read access to that folder, and certain sub-folders grand full access to everyone in order for them to be able to store files through my web-applications.
I am using Windows Authentication in order to retrieve the username which the user is currently logged in with.
I would like to disable the option for users (who are part of the 'Everyone' group obviously) to browse through the content of my applications folder and view my application files (and remove certain files). I was trying to use an Anonymous Authentication and it worked fine, but I was unable to retrieve the username the user is logged in with.
Any suggestions? I am lost.
Try to get widows identity then extract its name property.
WindowsIdentity identity = HttpContext.Current.Request.LogonUserIdentity;
string username = identity.Name;
We have some requirements where we want to allow our clients/ users to download files/ folders from our file server via browser/ web.
We have a many different directories created on our file server which is mapped to different clients. Which means that, every client has its own directory on our server. We have a main (root) directory for every single client/user. Which means that, every client’s files/folder are created under their respective main directory.
The only thing we need be sure is, whenever our client make a request to access/ download file, first we need to validate their credential (username/password are stored in our SQL server DB) and then we need to allow only those folder which is mapped for specific folder. (The folder mapping is again stored in our SQL server DB)
Which means that, after applying the credential by user/clients, they can only access their directory/ files. They cannot access other’s files/ directory.
Would anybody please do let me know how would I achieve this? All the suggestions would be appreciated highly.
Thanks in advance.
Since different users need to be authorized to access different directories, you cannot expose your files directly on the web.
Build a simple login with a custome MembershipProivder. That will allow you to autenticate against your database.
Since you know which directories the user has access to, you can fetch a listing of files and folders and present it in a ListView to the user.
You can write a HttpHandler to check user authorization and then serve the files to them.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.
I want that when a user sign up on my website, a FTP account will be created for him. So every user can access their folder using File Zilla.
I am assuming that you can create a new ftp user via the command line and use chroot to limit him to a particular directory. And one of the answers at https://superuser.com/questions/67765/sudo-with-password-in-one-command-line gives you a way to stop 'sudo' from asking you for the password on the command line. Then its purely a matter of building an interface, and invoking system() or exec() to run the commands.
It is really hard to tell from your question what exactly you want to do. This is a very complex subject that involves a lot of work you need to do in order to achieve this.
If you are using an asp.net custom membership provider you can create the folder there(for example).
Then you need to create a custom authentication provider for IIS which is not an easy task on it's own. Check out this and this blog posts from Robert McMurray. This module will use your user data in your database that you fill in with the custom membership provider.
Then finally you need to provide each user access to his/her own folder trough user isolation in FTP in IIS.
I have a windows forms application which serves as a sort of administrative module for an ASP.NET web application. The web application serves multiple countries, and folders are created when new countries are added to the application data.
Unfortunately on the newly added countries I run into an exception with the web application when I go and try to write files in the folders:
System.UnauthorizedAccessException: Access to the path 'C:\...' is denied.
With the web application using ASP.NET impersonation, it's obvious that the default IIS user (MACHINENAME\IUSR_MACHINENAME) has no permissions to write into the folder.
How do I grant permission the the default IIS user upon folder creation?
I understand that
System.IO.Directory.CreateDirectory(string path, DirectorySecurity directorySecurity)
should do this, but I don't understand how to specify the log on name on the DirectorySecurity object.
Grant permission to create directories and files (read/write/modify/...) to the worker process group (sysname\iis_wpg) to the parent directory of where you want to create the new directories. Make sure that you've set the permissions to apply to this folder, subfolders, and files, then the permissions will be inherited for new folders you create and you won't need to apply them specifically. Rather than doing this for all of App_Data, I'd suggest creating a specific subdirectory and only granting permissions on that subdirectory. If you have multiple apps running on the box you might want to create a new user for the app to run as, change the id of the worker process group, and grant only permission to that specific user.
This is the solution I used eventually:
if (!Directory.Exists(path))
{
Directory.CreateDirectory(path);
DirectoryInfo info = new DirectoryInfo(path);
DirectorySecurity security = info.GetAccessControl();
security.AddAccessRule(new FileSystemAccessRule(logonName, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));
security.AddAccessRule(new FileSystemAccessRule(logonName, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
info.SetAccessControl(security);
}