Folder permissions through a web page? - asp.net

I want a folder on a site where logged-in active directory users can create sub folders and upload images under an "/Uploads" folder off the root. I am able to retrieve the username using System.DirectoryServices.
Is there a way to:
Restrict what is returned from the DirectoryInfo().GetDirectories based on their username
Set permissions on a subfolder of /Uploads (via a web page) to read/write.

You might want to look at this post on how to create folder dynamically at run time
And this post from stackoverflow shows bunch of ways to assign folder permissions. See which one applies
Good luck!

Related

Prevent Direct Access To files ASP Web.Config

Strange question but hopefully its possible.
we have files in the root of our site (/files) these are uploaded through the main cms side of the website (/admin) and to be accessed by people who have access to the (/school) directory.
At the moment, if you have the direct link URL EDIT TO THE FILE you can gain access to the file
the files folder has its own web.config file with some rules, is there a way i can add some of my own authentication within the web.config to only allow requests that come from the School folder to have access to the files?
In my head i would have a piece of VB code that does something like this:
If (Request.UrlReferrer <> Nothing) Then
If Page.Request.UrlReferrer.ToString.Contains("/School/") = True Then
???
End If
Else
Response.Redirect("index.aspx")
End If
I've tested this in a simple page and it seems to work okay.
Well, I would assume that the users who can use school folder are memembers of a secuirty role called School (or some such).
thus, any user not a member of school can't use the pages (or files) in the school folder.
Since you want the SAME restricitons for the folder files, then use the same web.config to secure the files folder.
That will mean only users who can use the shools folders will also be the same group of people that only use the files folder.
Now the above will not stop members of securty role "school" from typing in any valid URL to the files folder. So, if you want to prevent this, then I would suggest that for all files up-loaded, you create a folder inside of files folder based on their PK row in the membership table (Memebership.ProviderKey).
Then what you would do is turn off all role groups rights to the files folder. I perfer not EVER allowing a direct URL to files.
Remember, only IIS respects the IIS security settings and provider for a web based URL. Code behind is 100% free to load, read, write, use, play with ANY file via code behind. Code behind uses plain jane FULL path names - and those path names and file names used by code behind does NOT care nor use IIS security settings. Only web based URL's dish out by IIS respect and use the IIS security settings you have for the schools folder. So, copy the web.config for schools over to files, and you are done.
But, code behind? it does not care nor use those settings at all.
So, code behind does NOT use nor respect nor care about IIS security settings. IIS role membership ONLY applies to the asp.net pages and web based URL's. But, code behind is a 100% free to get and grab any file on the system - even files outside of the wwwroot path name of the web site.
So, as a 2nd level and better security?
I would not allow ANY URL's to the files folder.
You then display a grid or list of files on the web page, and code behind for the download button can then go read/get the file (you can use TransMitFile to download that file)
So, best approach is to not allow ANY valid URL's to the files folder.
However, for now, since you only want people who can use the schools folder also be the SAME people that can use the files folder? Then just use the same web.config for both folders - only those people with role of "school" will thus have use and rights to the files folder.
From the information you provided, then you don't really need any code changes - only to take the security settings from the school folder web.config, and copy that to the files folder, and you should be done.
Now, it is possible that the schools folder is not secured by using IIS security and roles - but then again, that would a epic face plant and horrible design choice.

custom user permissions in alfresco

I am using Alfresco Community Edition.
I have 4 Folders.
1. Sales 2. Controller 3. Purchase 4. Accounts.
I have Multiple Users as per their teams.
The Sales Team will create a folder and send the folder to Controller, Controller sends the same folder to Purchase and Purchase to Accounts.
Here, what I want is, when a User from Sales team creates his/her folder, it should be only visible to him/her in Sales Folder and no other Sales user should be able to view it. (Only folder owner should be able to view his own content)
But when the folder is sent to other folders, there too only the Folder Owner and the other users should be able to access and view the folder.
I tried the workflow and I have successfully given the permissions to the other users, but unable to assign proper permissions to the Sales Team.
Short Explanation : Sales Member who creates a folder should be able to access his own folder and not any other members contents/folders in all 4 main folders.
Please help me on this.
Remove permission inheritance on the root folder of the site.
Set the proper permission to each folder through Manage permissions (Sales, Controller, Purchase, Account)
Setup a rule to act upon some action or manage the permissions through your workflow.
You can read up on folder permissions here.
Cheers!
There is no embedded function for your expected behavior but it is possible to archive what you expect by defining rules on the 4 main folders which call JavaScripts to run your business logic:
remove inheritance flag on new / moved objects (only on direct childs
/ folders)
remove all direct permissions and add only permissions you
want to add for this folder
The user who created the new folder will always have all permissions because Alfresco has a special role "Owner" which has similar permissions (ALL) like a Coordinator which will be still active when the folder will be moved to another main folder. If the user creating the folder should still have navigation access to the folder when it is moved you need to give Consumer permission on the all 4 folders for the sales team. This will allow to walk into the folders but only to see subfolders if the user has access.

Give anonymous access to a folder under wp-admin folder in WordPress

I have a folder in wordpress which is located under the wp-admin folder and that folder contains the documents that can be downloaded from the user section.Now when the user downloads the words files using IE-9 and click on the open option from the IE save dialog it gives them a security warning. This problem is solved if I move the folder the root of the website. So I guess there is some access issue is there any way I can provide anonymous access to that folder. I really don't want to change the location of the folder as it will reqiure lots of changes to code and database.
FYI : This is issue comes only for word files , PDF files in the same folder work fine.
no you cannot access the folder without the username and password even when you try to grab the files of that folder using idm grabber or httrack you will need username and password

How to deny access to a specific "upload" folder under App_Data for specific users in asp.net mvc2?

I have a folder which users can upload their docs inside that.its call upload folder.it is located underneath app_data in solution explorer.I want the users to see just their own uploaded docs not others and restrict any direct access to other articles.
I also have an admin user which i want to be able to access all the docs uploaded and be able to download the file.
how could i :
1.restrict users
2.write code to download uploaded file
thanks in advance.
Well, what is the problem? Close this folder to access it using direct links (if you are using App_Data it's already done) and create httphandler that returns file data. In httphandler change look have the user have access to request file

Save website uploads in a subdomain

Currently whenever a user uploads a file through our website, it gets put in a folder such as:
www.domain.com/Uploads/Docs/filename.doc
However, I'd like to move this to a subdomain such as:
uploads.domain.com/Docs/filename.doc
This is mainly because I'd like to keep the files uploaded by the user, totally seperate from the web app.
However, currently I use an ASP.NET FileUpload control to upload the files, by doing something like:
myFileUpload.SaveAs(Server.MapPath("/Uploads/Docs/filename.doc"))
How would I change this line of code to be able to upload to the subdomain easily?
Cheers.
If both domains are on the same server, simply point the site for the subdomain to the /Uploads/Docs directory as the base directory.
You can then restrict this directory from your www domain.
Different sites can share the filesystem and this may be a good solution for your problem, without changing any code.

Resources