
Protecting folders in MVC

I have some files in my Content folder that I don't want a user to be able to download without being authorised. How do I prevent a user from just getting to the file by typing ...Content/{filename} into the address bar?

user517406 asked May 29 '12 07:05


3 Answers

There are a couple of possibilities. The first one consists of using the <location> tag in your web.config:

<location path="Content">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

Another possibility is to put those files inside a folder that no one can access (like the App_Data folder, for example) and then have a controller action that will serve those files, which will be decorated with the [Authorize] attribute.

Darin Dimitrov answered Nov 11 '22 02:11


Well, one way is to have it outside the context of IIS, so instead of having them under C:\inetpub\wwwroot, change it to something like C:\temp\files.

In your DB, have a GUID associated with the document name and use the GUID to display the link to the file.

In your controller action you would just accept the GUID, get the filename and then serve the file in your response.

Qpirate answered Nov 11 '22 04:11
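
The controller approach described in the two answers above (files kept out of the directly served tree, looked up by GUID, returned by an [Authorize] action), as an added example that is not part of either answer. The ~/App_Data/Files folder, the in-memory Documents table, the owner rule and the use of MimeMapping (which needs .NET 4.5) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Mvc;

[Authorize] // anonymous requests are rejected before any action runs
public class FilesController : Controller
{
    private sealed class Doc { public string FileName; public string Owner; }

    // Constructed sample rows; in the GUID approach this lookup is a database table.
    private static readonly Dictionary<Guid, Doc> Documents = new Dictionary<Guid, Doc>
    {
        { new Guid("11111111-2222-3333-4444-555555555555"),
          new Doc { FileName = "home.jpg", Owner = "alice" } }
    };

    // GET /Files/Download/11111111-2222-3333-4444-555555555555 (default MVC route)
    public ActionResult Download(string id)
    {
        Guid key;
        Doc doc;
        if (!Guid.TryParse(id, out key) || !Documents.TryGetValue(key, out doc))
            return HttpNotFound();

        // [Authorize] only proves the caller is logged in; the GUID is an identifier, not a
        // permission, so check that this user may read this document (hypothetical owner rule).
        if (!string.Equals(doc.Owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403);

        // Assumed storage folder. App_Data is never served directly by ASP.NET.
        string root = Path.GetFullPath(Server.MapPath("~/App_Data/Files"));
        string fullPath = Path.GetFullPath(Path.Combine(root, doc.FileName));

        // A stored name such as "..\..\web.config" must not resolve outside the folder.
        if (!fullPath.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(fullPath))
            return HttpNotFound();

        Response.Cache.SetCacheability(HttpCacheability.Private); // keep out of shared caches
        return File(fullPath, MimeMapping.GetMimeMapping(doc.FileName), doc.FileName);
    }
}
```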


It doesn't work for me.

<configuration>
    <appSettings>
    ...
    </appSettings>
    <system.web>
    ...
    </system.web>
    <system.webServer>
    ...
    </system.webServer>
    <location path="Content">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>

I run my MVC 4.0 application, log in and log out, can't access any app page, but can still access the file by a direct link like

http://localhost:80966/Content/Files/home.jpg
Nestor answered Nov 11 '22 03:11