Let's say I have a really simple site where I allow registered users to upload files. I have user "andrew" with an ID of 1 and user "matt" with an ID of 2.
Let's say I want to use the following folder structure to organize the uploaded files.
/Content/DocRepo/[[ID]]/files_live_here
I am using forms authentication so I could use the web config location element to prevent any unauthorized users from accessing the DocRepo, however once "andrew" is logged in, what is the cleanest/simplest way to prevent him from accessing "matt's" files?
Couldn't he just change the URL to /Content/DocRepo/2/?
It could be done in the Global.asax under the Application_AuthenticateRequest or the Application_BeginRequest. You could also register an IHttpHandler and do the same logic as the Global.asax, which would be to listen to requests for the DocRepo folder and perform user permission audits.
If you are using ASP.NET MVC you can easily create a Download action on your controller that accepts some sort of file ID and do your validation there. If you're using classic ASP.NET, I would make a page, download.aspx, which takes some unique ID (both as Andrew suggested).
In MVC you can add an Authorize filter to the action to allow only authenticated users and from there you can do per-user level checking. In MVC there is a File result:
return File(...);
The easiest way to do that is not to allow direct requests to the files at all. Prevent requests to the files directory, and instead create a files controller which requires Auth, and assures a user has access to the file they are requesting.
You can use a subdirectory of App_Data to store the files, since by default, no direct requests can be made for any files contained therein.
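The approach from the answers above, as an added example that is not part of the original posts: an MVC controller that serves files from App_Data and refuses any folder ID other than the caller's own. The names FilesController, Download and IUserIdResolver are hypothetical, the files are assumed to live under ~/App_Data/DocRepo/[[ID]]/, and the resolver is assumed to be supplied by your dependency injection setup.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction: maps the forms-auth principal to the numeric ID
// used as the folder name (e.g. "andrew" -> 1). Back it with your user store.
public interface IUserIdResolver
{
    int GetUserId(IPrincipal user);
}

[Authorize] // anonymous requests never reach the action
public class FilesController : Controller
{
    private readonly IUserIdResolver _users;

    public FilesController(IUserIdResolver users)
    {
        _users = users;
    }

    // GET /Files/Download?ownerId=2&name=report.pdf  (constructed sample URL)
    public ActionResult Download(int ownerId, string name)
    {
        // Per-user check: the folder ID in the request must be the caller's own,
        // so "andrew" (1) asking for ownerId=2 gets a 403.
        if (ownerId != _users.GetUserId(User))
            return new HttpStatusCodeResult(403);

        // Keep only the final path segment so "..\2\x" cannot leave the folder.
        string safeName = Path.GetFileName(name ?? string.Empty);
        if (safeName.Length == 0)
            return HttpNotFound();

        string root = Path.GetFullPath(Server.MapPath("~/App_Data/DocRepo/" + ownerId))
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, safeName));

        // Defence in depth: the resolved path must still sit under the owner's folder.
        // System.IO.File is fully qualified because Controller.File hides it here.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !System.IO.File.Exists(full))
            return HttpNotFound();

        return File(full, MimeMapping.GetMimeMapping(safeName), safeName);
    }
}
```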