Hello, I have a question regarding file access via IIS. In my intranet application users can upload files to a shared folder on a remote server (this works normally), but every file that is uploaded cannot be viewed by anyone other than the user who uploaded it (I set the permissions programmatically for the file, so that only the user that uploaded it can edit or view it). The problem is that I set the application to use an app pool account with r/w permissions to that folder, but now any user can access files from other users (because of the app pool account).

My question is how to restrict access to these files, so that only the users with correct permissions can access them? How should I set up the app pool account to handle this properly?

Thank you.
B

I hope the answer "IIS AppPoolIdentity and file system write access permissions" gives you some light.
 
 
Comments
Manas Bhardwaj 21-Apr-14 14:57pm    
Good link +5!
Thanks Manas. :)
You will need a way to identify which files are accessible to which user. You say that files uploaded by a user can only be accessed by that user. I am assuming your users are authenticated.
What you can do is save the file name and user id / email in a database table. Now don't allow the saved file folder to be accessed directly. Rather use a page which allows users to view their files. Since you already have file names saved against user id, you can show the list on that page. And on click of the file name, show that file. To be more sure, show any file if the user id / email matches the one saved against the file name in the database.

Of course, this is one of the ways. You may come up with another logical way to do it. But as far as controlling it from IIS is concerned, I don't think you can do it, for the simple reason that the file generation is dynamic and you do not know which file can be accessed by which user. If there had been a role-based access requirement, that could have been done through an IIS/web.config setting.

Hope that helps!
 
 
Comments
pykos 21-Apr-14 10:28am    
This is an intranet app, so only logged-in domain users can use it. If I understand it right, IIS_IUSRS uses the current machine name, not the current logged-on user. The requirements are that all files reside on a disk, and every file has special permissions assigned to it (once a file is uploaded, a method fires that assigns correct permissions, based on the user that uploaded the file; this works as expected).

I want to know if there is a way to tell IIS that it should access the mapped virtual directory where all the files are stored as the current logged-on user; if the user does not have correct permissions he is denied access, else the file is opened.

Right now I have IIS set up to connect to remote folder as application user and only windows authentication is allowed, but I can still access files that I uploaded with other users.

TY B
Ankur\m/ 22-Apr-14 1:09am    
"I want to know if there is a way to tell IIS that it should access the mapped virtual directory where all the files are stored as the current logged-on user; if the user does not have correct permissions he is denied access, else the file is opened."
As far as I know, access to a file in any OS is controlled based on user role / group - for example guest, admin etc. You provide rights to a role, and a user who is part of that role has all of that access. You cannot provide access based on user id because users are added / removed and thus user ids are not constant. Similarly, in a web application access to any virtual directory can be controlled based on a user role and not user id. You can do it based on user id but you will have to write code for that. And every time a user id is added / removed / modified you need to update the code (or the file from where you are reading the user id).
Manas Bhardwaj 21-Apr-14 14:57pm    
Yes, +5!
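
The approach from the second answer (record the owner of each file, block direct access to the folder, and serve files through a page that checks the owner) as an ASP.NET handler. This is an added example, not code from the original posts; the handler name, the `id` query parameter, the share path and the in-memory table standing in for the database are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical handler, e.g. mapped to /download.ashx?id=1
public class OwnedFileHandler : IHttpHandler
{
    private sealed class FileRecord { public string Owner; public string StoredName; }

    // Constructed stand-in for the database table: file id -> owner and stored name.
    private static readonly Dictionary<int, FileRecord> Table = new Dictionary<int, FileRecord>
    {
        { 1, new FileRecord { Owner = @"CORP\alice", StoredName = "a1b2.pdf" } },
        { 2, new FileRecord { Owner = @"CORP\bob",   StoredName = "c3d4.docx" } },
    };

    // Assumed share path; it is not exposed through any virtual directory.
    private const string Root = @"\\fileserver\uploads";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // With Windows authentication, Identity.Name is DOMAIN\user.
        string user = context.User.Identity.IsAuthenticated ? context.User.Identity.Name : null;

        // Look the file up by id only; the client never supplies a file name or path.
        FileRecord rec = null;
        int id;
        if (int.TryParse(context.Request.QueryString["id"], out id))
            Table.TryGetValue(id, out rec);

        // Same response for "no such file" and "not your file", so ids cannot be probed.
        if (user == null || rec == null ||
            !string.Equals(rec.Owner, user, StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // The path is built from the stored name, never from request input.
        string path = Path.Combine(Root, rec.StoredName);
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + rec.StoredName + "\"");
        context.Response.TransmitFile(path);
    }
}
```

The app pool account still reads the share on everyone's behalf here, so the ownership comparison in the handler is the only access check on the download path.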

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)