How to test user permissions for virtual directory?

Question

Within a HttpModule, following a url rewrite, I'm am testing user permissions to a to a virtual path situated within my application using:

// Since we are now rewriting the path we need to check again that the 
// current user has access to the rewritten path.
// Get the user for the current request
// If the user is anonymous or authentication doesn't work for this suffix 
// avoid a NullReferenceException in the UrlAuthorizationModule by creating 
// a generic identity.
string virtualCachedPath = cache.GetVirtualCachedPath();

IPrincipal user = context.User ?? new GenericPrincipal(
     new GenericIdentity(string.Empty, string.Empty), new string[0]);

// Do we have permission to call 
// UrlAuthorizationModule.CheckUrlAccessForPrincipal?
PermissionSet permission = new PermissionSet(PermissionState.None);
permission.AddPermission(
new AspNetHostingPermission(AspNetHostingPermissionLevel.Unrestricted));
bool hasPermission = 
permission.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
bool isAllowed = true;

// Run the rewritten path past the auth system again, using the result as 
// the default "AllowAccess" value
if (hasPermission && !context.SkipAuthorization)
{
    isAllowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                                      virtualCachedPath, user, "GET");
}

Where virtualCachedPath is any virtual path e.g ~/app_data/cache situated with the root of the application.

http://msdn.microsoft.com/en-us/library/system.web.security.urlauthorizationmodule.checkurlaccessforprincipal(v=vs.110).aspx

This however, will throw an ArgumentException though if tested against an external virtual directory.

[ArgumentException: Virtual path outside of the current application is not supported. Parameter name: virtualPath]

E.g.

What is the correct method to check user permission to a virtual directory?

Answer 1

I am able to successfully use the UrlAuthorizationModule.CheckUrlAccessForPrincipal method to check for access to files that reside in an external directory, which is mapped as a virtual directory, when the path that is passed to CheckUrlAccessForPrincipal is a relative, URL formatted path ("~/PATH"). If instead I pass the physical path using file system conventions ("C:\PATH\"), I get the ArgumentException that you describe.

So I suspect that the virtualCachedPath may actually be a file system formatted path, at least in the instances that the exception is being raised. I would recommend that you implement logging in your application so that you can double check the value of virtualCachedPath when that exception is raised:

try
{
    isAllowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualCachedPath, user, "GET");
}
catch (ArgumentException ex)
{
    Trace.TraceInformation("VirtualCachedPath: {0}", virtualCachedPath);
    throw;
}