i have a admin system, currently allow login user to upload a file,
but i found that it can not overwrite the file with same file name, it return access denied error
im wondering if i set impersonation = true in web.config, what impact will have?
(i know there is another way to solve my upload overwrite issue, but just want to ask the impact of impersonation)
Thanks
This is obviously a permission related issue so you need to check for permissions on folder for the users application pool, network service and aspnet
Check read only attribute of the files that are throwing access denied. many times, user uploads images from CD.
When you are saving file, try to remove read only flag and save the file so that when overwritten not throw errors.
Related
I implemented a feature that allow users to upload files. Everything was working perfectly on my machine. After we deploy it, I got the following error:
Access to the path '\...\VendorDocuments\TempFolder\2585' is denied.
I've added EveryOne in the list of the object that have all the permissions to the VendorDocument folder. It worked.
Now I'd like to know how to setup the permissions to take into account the security aspects.
vendorDocuments is the main folder.
Inside vendorDocuments there is another folder called TempFolder
When user selects a file, the file is automatically uploaded to a TempFolder/UserId
If the user decides to cancel the operation, the file inside the TempFolder is deleted.
If the user decides to proceed, the file will be moved from the TempFolder/UserId to a folder belonging to the vendor still inside vendorDocuments.
VendorDocuments => TempFolder => TempFolder => UserId (file inside)
VendorDocuments => VendorName => DocumentId (file inside)
So in my opinion, there are 2 problems;
How to setup the permission on the highest level, i.e. vendorDocuments folder.
Do I need to setup permission as well for every vendor folder, i.e. where files belonging to a given vendor will be saved. There reason I asking this question is because I read that it's better to setup manually permission on folder. However, in this case, vendor's own folder will be created on the fly, i.e. the first time a user belonging to that vendor upload a file.
Sorry to ask a long question. This is the first time I'm working with permissions.
We take care of our permission like this by assigning an application pool identity to the application itself. This allows you to give the applications account the permissions it needs to write files to their destination. We are using IIS and I can see that depending on your version of IIS the process is slightly different. IIS instructions: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
I am using WebDav to copy and paste multiple files into Alfresco.
The problem is that I can only do this with administrator IDs.
When I try to create new files or update existing files as a non-administrator
user, I get the following error:
HTTP Status Code: 403 caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 03300303 Access Denied. You do not have the appropriate permissions to perform this operation.
Is there anyway to allow non-administrator IDs to create/update files?
The Alfresco WebDAV support uses identical permissions to the rest of Alfresco. Nothing special - it's just one of the number of different ways you can interact with the nodes stored in your Alfresco repo.
As such, the user you log in as needs to have both read and write permissions to the folder in question. Typically, that means they need to be a member of the site you want to write to, and need to have permissions higher than Consumer.
As long as the user has write permissions to where you want to write to, they'll be able to make changes using WebDAV.
I should be able to create a default directory inside project's root directory when the application_start method(inside global.asax)is called for my asp.net web application.
As IIS users dont have full rights to webroot directory(for directory create) i get access denied error message while trying to create the directory.Also IIS users wont be given full access to the root as per client.I am planning to implement like below to meet the expectations of client.Please let me know if there is any better way out for than this approach?
Approach 1:
a.Create a new user account(windows) in the server.
b.Keep the user account name in config file.
c.Read that account from the config file and create directory with that user account using Directory Security object.
Code:
DirectorySecurity dacl = new DirectorySecurity();
string useraccountForDirectoryCreate = System.Net.Dns.GetHostName() + "\\" + "testaccount";
dacl.AddAccessRule(new FileSystemAccessRule(useraccountForDirectoryCreate,
FileSystemRights.FullControl,
InheritanceFlags.
ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow));
Directory.CreateDirectory(imageDirectory, dacl);
The above thing worked locally in IIS server(Haven't tested on client's IIS server)
My concern with this:I think it wont be a feasible to ask the client to create a user account to be
created in the server for just creating the single directory.Also in future he might require to give access to more user for directory create.It wont be feasible to
keep on creating the windows account.
Apporach 2:
a)Create a IIS user account having full access to web root for directory create.(is this a better way out,it is same as giving the IIS user full access to web root isn't it.?Please clarify.)
b)Keep the account info in web config file.
c)Read the account info from web config file and create the directory with permisson with the above piece of code.
Problem with this approach:Is i get the following error.
Some or all identity references could not be translated
when the following statement is invoked.
dacl.AddAccessRule(new FileSystemAccessRule(useraccountForDirectoryCreate,
FileSystemRights.FullControl,
InheritanceFlags.
ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow));
It looks like i am not able to add the access rule for this newly created user.Why is it so?
I have googled enough for the above error message and tried to understand but i am not able to resolve the error.I am not able to understand the error message at all.Please help with the solution for this problem.Its high time to deliver.
please be gentle as my server knowledge is next to none!
I've been asked to make some CSS changes to a wordpress site - fine, I'm good at that! I have all the ftp info and the wordpress passwords, but as I edit files and try and re-upload them using Dream Weaver I get an error that I don't have permission to write to the particular file. So, the first thing I thought to do is right click the file and edit permissions, but as I try and do this I get the same problem of:
An FTP error occurred - cannot put the_file.js. Access denied.
The file may not exist, or there could be a permission problem.
Make sure you have proper authorization on the server and the server is properly configured.
File activity incomplete. 1 file(s) or folder(s) were not completed.
Files with errors: 1
So, my question is - by knowing the ftp details is there any way I can change the permissions, or is it something to do with server configuration that I have no control over? Many thanks
This means that the FTP username you were provided does not have permission to modify files. YOu won't be able to reset the permissions either. You should contact the server admin and have them grant your user account the appropriate permissions to modify files.
The server is IIS7.
Is there a way to disable web.config files in subfolders?
I am asking because, I have a folder on the web server that is for uploads. When someone uploads files, a new folder is created for the user's session and the files they upload go in the folder.
So the path to uploads would be like this:
~/uploads/3F2504E0-4F89-11D3-9A0C-0305E82C3301/somefile.txt
In the ~/uploads/ directory there is a web.config file that removes all http handlers except the static file handler and adds a wildcard mime type. So every file that a user uploads will only ever be served statically.
If a user uploads a web.config file, I want to disallow any of the settings in that file from being applied.
How can I do this?
EDIT
Could I just make the upload folder an application that is a member of an application pool configured to run in Classic mode instead of Integrated Pipeline mode? That way it wouldn't even care about a web.config file.
EDIT 2
Is there another type of webserver I could install for serving all files statically? I could just access the files through a different port. Is there some software that I can be sure wont run any scripts and is safe.
I simply wouldn't allow them to upload a file with that name. In fact, I normally wouldn't trust any filename that the user gave me... makes a great candidate for an injection-style attack.
Ok I have a different angle on this...
What if your uploads folder was not part of the website and instead part of the file system? This way ASP.NET is not processing requests to the folder and thus web.config wouldn't be loaded by the ASP.NET runtime.
You'd have to give your app pool's account read/write access to the file system where these files are stored, but I think it better fits what you're trying to accomplish.
Obviously it could be done in code.
If the folders always exist, you could pre-populate with a web.config with no (significant) content and an ACL to ensure it cannot be overwritten, but looking at the path it I suspect you create the upload folders dynamically which means this would not work.
I don't believe there is a way to tell IIS not to use a web.config (but I could be wrong). Personally, I would add a check to my save code and rename the file.
Why not just check the filename first to prevent the user from uploading a file named web.config? You're probably going to want to check for other things too before allowing the upload - files that are too big, etc.