ASP.NET MVC 3 Simple Scenario Authorization for Static Files

Let's say I have a really simple site where I allow registered users to upload files. I have user "andrew" with an ID of 1 and user "matt" with an ID of 2.

Let's say I want to use the following folder structure to organize the uploaded files.

/Content/DocRepo/[[ID]]/files_live_here

I am using forms authentication so I could use the web.config location element to prevent any unauthorized users from accessing the DocRepo, however once "andrew" is logged in, what is the cleanest/simplest way to prevent him from accessing "matt's" files?

Couldn't he just change the URL to /Content/DocRepo/2/

aherrick asked Dec 27 '22 07:12


2 Answers

It could be done in the Global.asax under the Application_AuthenticateRequest or the Application_BeginRequest. You could also register an IHttpHandler and do the same logic as the Global.asax, which would be to listen to requests for the DocRepo folder and perform user permission audits.

If you are using ASP.NET MVC you can easily create a Download action on your controller that accepts some sort of file ID and do your validation there. If you're using classic ASP.NET, you would make a page, download.aspx, which takes some unique ID (both as Andrew suggested).

In MVC you can add an Authorize filter to the action to allow only authenticated users and from there you can do per-user level checking. In MVC there is a File result:

 return File(...);
Nick Bork answered Feb 01 '23 12:02
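The Global.asax approach from the first paragraph of this answer, written out as an added example (this is not code from the answer or from the asker's project). It assumes the question's layout /Content/DocRepo/[[ID]]/..., a hypothetical GetUserId() lookup that maps the forms-authentication user name to the numeric folder ID (a constructed dictionary stands in for the membership database here), and that requests for those static files actually pass through the ASP.NET pipeline, which is the case in IIS 7 integrated mode but not in IIS 6 or classic mode, where static files never reach managed code and this check would silently never run.

```csharp
// Added example: per-user check for /Content/DocRepo/{id}/... in Global.asax.
// The <location> element in web.config already keeps anonymous users out of the
// folder; this closes the gap where an authenticated user edits the ID in the URL.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Matches ~/Content/DocRepo/<id>/anything and captures the numeric folder ID.
    // AppRelativeCurrentExecutionFilePath is used so the check works whether the
    // application is hosted at the site root or under a virtual directory.
    private static readonly Regex DocRepoPath =
        new Regex(@"^~/Content/DocRepo/(\d+)/", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Constructed stand-in for a membership lookup (hypothetical helper):
    // the question's users, "andrew" -> 1 and "matt" -> 2.
    private static readonly Dictionary<string, int> UserIds =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "andrew", 1 },
            { "matt", 2 },
        };

    private static int GetUserId(string userName)
    {
        int id;
        return UserIds.TryGetValue(userName ?? string.Empty, out id) ? id : -1;
    }

    // Runs after forms authentication has set Context.User for this request.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        Match m = DocRepoPath.Match(Request.AppRelativeCurrentExecutionFilePath);
        if (!m.Success)
            return;                                // not a DocRepo request: nothing to do

        int requestedId;
        bool isOwner = int.TryParse(m.Groups[1].Value, out requestedId)
                    && Context.User != null
                    && Context.User.Identity.IsAuthenticated
                    && GetUserId(Context.User.Identity.Name) == requestedId;

        if (!isOwner)
        {
            // Deny and stop the pipeline; nothing from the file is sent.
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            CompleteRequest();
        }
    }
}
```

The ownership decision is taken from the authenticated identity and compared against the ID parsed out of the path, never the other way round, so a forged ID in the URL can only produce a 403. Because the check lives in the pipeline rather than in the file system, it is worth verifying in a test deployment that a direct request for /Content/DocRepo/2/some-file actually hits this handler on the target IIS configuration; if it does not, the controller-based approach in the next answer avoids the problem entirely.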


The easiest way to do that is not to allow direct requests to the files at all. Prevent requests to the files directory, and instead create a files controller which requires Auth, and assures a user has access to the file they are requesting.

You can use a subdirectory of App_Data to store the files, since by default, no direct requests can be made for any files contained therein.

Andrew Barber answered Feb 01 '23 12:02
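The design both answers converge on (a Download action behind an Authorize filter returning a File result, with the files kept under App_Data so no direct request can reach them), written out as an added example that is not code from either answer. It assumes files are stored under ~/App_Data/DocRepo/{userId}/, that the same hypothetical GetUserId() lookup as above maps the user name to the numeric ID (again a constructed dictionary stands in for the membership database), and ASP.NET MVC 3, where HttpStatusCodeResult and HttpNotFound() are available.

```csharp
// Added example: an MVC 3 controller that serves an uploaded file only to its owner.
// Files live under App_Data, which ASP.NET refuses to serve directly, so this action
// is the only way to reach them.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web.Mvc;

[Authorize]                                    // anonymous requests go to the login page
public class FilesController : Controller
{
    // Constructed stand-in for a membership lookup (hypothetical helper):
    // the question's users, "andrew" -> 1 and "matt" -> 2.
    private static readonly Dictionary<string, int> UserIds =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "andrew", 1 },
            { "matt", 2 },
        };

    private static int GetUserId(string userName)
    {
        int id;
        return UserIds.TryGetValue(userName ?? string.Empty, out id) ? id : -1;
    }

    // GET /Files/Download?name=report.pdf
    public ActionResult Download(string name)
    {
        // Accept only a bare file name: no directory separators, no "..".
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name))
            return new HttpStatusCodeResult(400);

        // The owner's folder comes from the authenticated identity, never from the
        // request, so there is no user-controlled ID to tamper with.
        int userId = GetUserId(User.Identity.Name);
        if (userId < 0)
            return new HttpStatusCodeResult(403);

        string root = Path.GetFullPath(Server.MapPath("~/App_Data/DocRepo/" + userId));
        string full = Path.GetFullPath(Path.Combine(root, name));

        // Defence in depth: the resolved path must still sit inside the user's folder.
        if (!full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403);

        if (!System.IO.File.Exists(full))
            return HttpNotFound();

        // Stream the file back with a download file name; this is the File result
        // the first answer refers to.
        return File(full, "application/octet-stream", name);
    }
}
```

With this layout there is nothing under /Content/DocRepo to protect: a request for /Files/Download?name=x can only ever resolve inside the requesting user's own App_Data folder, and a request for /App_Data/DocRepo/2/x is refused by ASP.NET before any application code runs. System.IO.File is fully qualified because Controller already defines a File() method.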