Limiting file download based on access level on asp.net - asp.net

I have a web app made in asp.net mvc3. There is a facility to upload and download files using the application. Uploaded files will be stored in some folder under web root. I want to allow downloading files to those who have access to the files only. No one should be able to download the file by directly pasting in the file URL.
I use shared hosting with limited IIS access. So what would be the best way to achieve this?

How are you storing the data on the access rights currently? It sounds like you are not going to be able to make use of IIS to control access to your files and will have to handle it yourself.
As this is the case, rather than link to the file directly you should store the files outside of your web root and then handle requests coming in for files through ASP.NET MVC using a GET method. At that point you can check the user's credentials, and if they have access you can serve the file.
I'm not too familiar with it, but it looks like ASP.NET MVC makes serving up files very easy with the ability to return a FileContentResult, supported by the Controller.File method (documentation here).
This blog post looks like a great start, and you would just need to insert your credential-checking logic into the Get method.
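The approach described in this answer, as an added example that is not part of the original answer or the linked blog post: an MVC controller that serves files from a folder outside the web root only after a per-file access check. `StorageRoot`, `StoredFile` and the in-memory `Files` table are hypothetical stand-ins for the application's own configuration and database.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web.Mvc;

// Hypothetical metadata record; a real application would load this from its database.
public class StoredFile
{
    public string DiskName;      // server-generated name on disk, never user input
    public string DownloadName;  // original name shown to the user
    public HashSet<string> AllowedUsers;
}

[Authorize] // anonymous requests are rejected before the action runs
public class DownloadController : Controller
{
    // Assumed path outside the web root, so IIS cannot serve these files by URL.
    private static readonly string StorageRoot = Path.GetFullPath(@"D:\AppData\Uploads");

    // Constructed sample data: file id -> metadata and access list.
    private static readonly Dictionary<int, StoredFile> Files = new Dictionary<int, StoredFile>
    {
        { 1, new StoredFile { DiskName = "3f2a9c.bin", DownloadName = "report.pdf",
              AllowedUsers = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice" } } }
    };

    [HttpGet]
    public ActionResult Get(int id)
    {
        StoredFile file;
        if (!Files.TryGetValue(id, out file))
            return HttpNotFound();

        // Per-file authorization: being logged in is not enough.
        if (!file.AllowedUsers.Contains(User.Identity.Name))
            return new HttpStatusCodeResult(403);

        // Resolve the path and confirm it is still inside the storage root.
        string fullPath = Path.GetFullPath(Path.Combine(StorageRoot, file.DiskName));
        if (!fullPath.StartsWith(StorageRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(fullPath))
            return HttpNotFound();

        // Generic content type plus a download name makes the browser save the file
        // instead of rendering it.
        return File(fullPath, "application/octet-stream", file.DownloadName);
    }
}
```

Links in the application then point at the action with the file id (for example `/Download/Get/1` under the default route), so the URL never reveals the file's location on disk.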

Related

folder explorer for server files

Is it possible to rename/move or delete files from a web application (ASP.Net MVC) that are on a server folder just like how you would do it locally? I would want the user to be able to upload say 30 files (from a scanner auto-feed) into a temporary folder on the server (cannot save it locally due to data security) and then allow the user to be able to rename/move before uploading them onto Azure blob storage.
I saw a few examples - jquery file tree seemed good but not sure if it allows rename and moving. Please suggest solutions for working with the server folder. I intend to delete the server folder after I am done transferring files to Azure. TIA.
Yes, you can do this by giving the USER that is running the ASP.Net application (defaults to IUSR) permissions to write to that folder.
Be very careful though, as you're potentially opening your website for abuse when doing this.
See: https://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis for how IIS users operate.

How to prevent Malicious File Execution in ASP.NET

I currently have an asp.net site that allows users to upload files and subsequently view them using HTTP. Is there a simple way to prevent a user from uploading a malicious script/file onto my server then attempting to run that script by calling its directory via http?
You have to remove the ASP script mapping on that particular folder.
Read the complete answer by Steve Schofield here.

Write files without write permission via ASP.Net

I have created an ASP.Net application using .Net framework 4.0. I need to save an xml file at any location on the same server (if the file does not already exist) and want to always access it thereafter. But I don't want to set write permission to any folder.
Is it possible to write a file to any location for Network service account without specifying write permission?
Does Network service account have default write permission to any location?
Thanks,
Jitendra Biyani
You should always be able to write to %TEMP%. (Call Path.GetTempPath())
However, you should not be writing files to disk if you can avoid it.
What are you trying to do?
Typically if I ever need to do something like this I run an application under a domain user account and grant permissions to the output folder just for that particular user.

Best practice upload file IIS permission

I have a Web solution where different users from different companies log on to the same web site; they authenticate against AD.
I use RadControls, and their upload component.
I want to be able to make the users upload documents to their folder on the server. I have granted users who belong to a particular company full access to the corresponding folder. But I get an access permission error when trying to upload.
What is best practice for something like this?
I use IIS7, and ASP.Net 3.5
Paddy probably hit the nail on the head... but if you look at the Event Viewer entry for this exception, you can probably see what user's credentials ASP.NET is actually using to write the file.
BTW... in terms of best practice... You're on the right track. You didn't mention where this directory is located, but it should be OUTSIDE your web root. Other than that, it's all implementation details... like what do you do for name collisions?

Protect folder from external requests

I'm working with asp.net 2.0, and I have a folder in my application path ~/Data/ with some .mdb files.
I would like to protect this folder from external requests like http://www.whatever.com/Data/whatever.mdb
But I would need to give any permission to my application, because I'm using OleDBConnections against the ~/Data/ path.
What could be the best way to protect this folder?
Kind Regards.
Josema.
Go into IIS manager and remove at least anonymous access, if not all access. Your application code can continue to use its contents but HTTP requests cannot access it.
If possible in your situation, another option would be to place the mdb files outside of the website. For example, something like this directory structure:
/ MyProject
    / Data
        - whatever.mdb
    / www
        - Default.aspx
where www is the actual root of your website. That way, users will never be able to access the mdb files from the browser, while you can still use OleDBConnections against the mdb files. To my knowledge this is pretty secure, and this way you can't accidentally forget to disallow access in IIS.
Did you check if it actually is a problem?
I'm using ASP.NET 3.5 here but the default App_Data folder is shielded for downloading. Maybe you should just follow the guidelines and verify.
As for the other answers about moving Data outside your Web folder, that usually won't work when you use a hosting provider.
