I have an admin section of my website where "authors" can upload files like pictures for photo galleries, etc. to include in dynamic content sections of my website later. I have certain pages where the HTML itself is stored in my MySQL database and users can edit the content using the CKEditor interface.
I am trying to see if there is something to leverage that will save files to the right directory and retrieve them later, or if I should just write this all from scratch. Also, looking for lessons learned and things to be careful about (security, etc.).
I'll take a stab at this. For an application we have that does something similar, we did the 'roll our own thing'. Users can upload files (images, documents, whatever) through our application interface, and these files do have user/company/role sensitive permissions. In order to mitigate a few security concerns and for a few other reasons, we implemented the following.
In the web application, we created an 'Assets' folder that is used to store all of the user generated content. We then use subfolders to help segment the content (logos, files, etc).
In the web.config, we configured this folder to not be accessible from the browser (think like the App_Data or bin folders) with the following lines (We did this to ensure that none of these files could be accessed directly from the browser. See more on point #4):
    <system.webServer>
      <security>
        <requestFiltering>
          <hiddenSegments>
            <!-- Requests whose URL contains the "Assets" segment are rejected by IIS before reaching the app -->
            <add segment="Assets"/>
          </hiddenSegments>
        </requestFiltering>
      </security>
    </system.webServer>
Once a file is uploaded, we store the relevant information about the file in the database (type, size, name, comments). This also allows us to relate role and user security information to the file.
In order to retrieve the files, we implemented a controller with a set of actions that takes the requested file name and user information (since you have to be logged in) and returns the file from the Assets folder. To the end user, it looks like all files are stored in /Files/Docs/FileID or something similar, but in actuality this is just a front-end 'gatekeeper' to the files themselves. These controller action methods return a 404 if you are not authorized or if you request a bad file. For file naming, we just generate GUIDs and name the file "GUID.relevantExtension" (checking that one doesn't exist already).
I guess for lessons learned or whatnot, the biggest thing is that you do not expose the files directly, especially if users are not sharing content. Also, and this is probably personal preference and could start a war if not careful, I am not big on storing files in the database, as it seems to cause issues with paging and caching performance (not talking about the SQL 2008 File column either). Hope this helps!
EDIT - Another thought on doing this: be aware when publishing from VS. These uploaded files are not part of your solution, and if you do the "Delete" type of publishing, you will wax your users' files. Just a word of caution (been there :/)
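The 'gatekeeper' pattern the answer describes, written out as an added ASP.NET MVC example (this is illustrative code, not the answerer's application): files live under a hidden Assets folder, each upload is renamed to GUID.extension, the file's metadata and owner are recorded, and a single controller action serves the file only after it has checked the record exists, the caller is allowed to see it, and the resolved path is still inside the Assets folder; every failure is a plain 404 so an unauthorized caller cannot distinguish "missing" from "forbidden". The StoredFile class, the in-memory Catalog dictionary standing in for the MySQL table, the owner-only rule in IsAuthorized, and the extension whitelist are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Hypothetical shape of the database row described in the answer (type, size, name, owner).
public class StoredFile
{
    public Guid Id { get; set; }
    public string StoredName { get; set; }    // "GUID.ext", the name actually used on disk
    public string OriginalName { get; set; }  // name shown to the user on download
    public string ContentType { get; set; }
    public string OwnerUserName { get; set; }
    public long Size { get; set; }
}

[Authorize] // every action requires a logged-in user
public class FilesController : Controller
{
    // Only these upload types are accepted; the extension is the one thing taken from the client's file name.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".jpg", ".jpeg", ".png", ".gif", ".pdf" };

    // Stand-in for the metadata table; a real application would query MySQL here.
    private static readonly Dictionary<Guid, StoredFile> Catalog = new Dictionary<Guid, StoredFile>();

    // ~/Assets is blocked from direct browsing by the hiddenSegments entry in web.config.
    private string AssetsRoot
    {
        get { return Path.GetFullPath(Server.MapPath("~/Assets/Files")); }
    }

    // GET /Files/Docs/{id}  -- the only way a browser ever reaches a stored file.
    public ActionResult Docs(Guid id)
    {
        StoredFile meta;
        if (!Catalog.TryGetValue(id, out meta))
            return HttpNotFound();                       // unknown id
        if (!IsAuthorized(meta, User.Identity.Name))
            return HttpNotFound();                       // same answer for "not yours"

        string fullPath = Path.GetFullPath(Path.Combine(AssetsRoot, meta.StoredName));
        // Defence in depth: even though StoredName is server-generated, refuse anything
        // that resolves outside the Assets folder.
        if (!fullPath.StartsWith(AssetsRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();
        if (!System.IO.File.Exists(fullPath))
            return HttpNotFound();

        return File(fullPath, meta.ContentType, meta.OriginalName);
    }

    // POST /Files/Upload
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Upload(HttpPostedFileBase upload)
    {
        if (upload == null || upload.ContentLength == 0)
            return new HttpStatusCodeResult(400);

        string ext;
        try { ext = Path.GetExtension(upload.FileName); }
        catch (ArgumentException) { return new HttpStatusCodeResult(400); } // invalid path characters
        if (string.IsNullOrEmpty(ext) || !AllowedExtensions.Contains(ext))
            return new HttpStatusCodeResult(400);

        Guid id = Guid.NewGuid();
        string storedName = id.ToString("N") + ext.ToLowerInvariant();
        string fullPath = Path.Combine(AssetsRoot, storedName);
        if (System.IO.File.Exists(fullPath))              // the "check it doesn't exist already" step
            return new HttpStatusCodeResult(500);

        Directory.CreateDirectory(AssetsRoot);
        upload.SaveAs(fullPath);

        Catalog[id] = new StoredFile
        {
            Id = id,
            StoredName = storedName,
            OriginalName = Path.GetFileName(upload.FileName),
            // Derive the content type from the whitelisted extension rather than trusting the client's header.
            ContentType = MimeMapping.GetMimeMapping(storedName),
            OwnerUserName = User.Identity.Name,
            Size = upload.ContentLength
        };
        return RedirectToAction("Docs", new { id = id });
    }

    // Assumed rule for the example: only the uploader may fetch the file.
    // The answer's real application consults user/company/role tables instead.
    private static bool IsAuthorized(StoredFile meta, string userName)
    {
        return string.Equals(meta.OwnerUserName, userName, StringComparison.OrdinalIgnoreCase);
    }
}
```

Two details worth keeping when adapting this: the path check compares against AssetsRoot plus a separator so that a sibling folder such as AssetsOld does not pass the prefix test, and the content type served comes from the extension the server chose, not from the Content-Type the browser sent with the upload.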