Restricting file access to certain users to certain folders

Question

I have a site, into which users log in using forms authentication, in which I want to restrict access to files in a particular folder to certain users.

So, for instance, folder dir/foo will be accessible to user1 but not user2 or user3 and folder dir/bar will be accessible to user2 but not user1 or user3.

The folders mentioned above are not created at the point at which I deploy the site. They are created throughout the lifecycle of the website and I can know through code (by the names of the files) who should have access to which files.

My setup is such that I have some users who have roles of Member. A Member represents a company. Each Member has users with roles of Seller, Buyer and Viewer. Now, each user whether he is a Member, Seller, Buyer or Viewer should be able to see documents that belong to his company. So, if Seller1 has a document a.txt then Seller1 should be able to see it, Member1 should be able to see it (Member1 is the company to which Seller1 belongs), Buyer1 should be able to see it (belongs to Member1), Viewer1 should be able to see it (belongs to Member1), but Buyer2 should not be able to see it (if he belongs to Member2). Documents are placed in folders that are named after the name of the user to whom the document belongs. For example, documents belonging to Seller1 are in a folder called Seller1. Also, there is a user called Admin who can see all documents.

How can I do this?

Answer 1

You would do this in your web.config file. It would be better if you organized users into groups, but it's possible to do it on a user by user basis:

<configuration>
    <system.web>
        <authorization>
            <!-- GLOBAL authorization -->
            <allow users="user1" />
            <deny users="user2, user3"/>
            <allow roles="GoodUsers" />
            <deny roles="BadUsers, MouthBreathers"/>
        </authorization>
    </system.web>
    <!-- local individual folder/file authorization
    <location path="/dir/foo">
        <system.web>
            <authorization>
                <allow users="user1" />
                <deny users="user2, user3"/>
                <allow roles="GoodUsers" />
                <deny roles="BadUsers, MouthBreathers"/>
            </authorization>
        </system.web>
    </location>
</configuration> 

Edit: Given your updated description adding the document management aspect and the additional filter of adding a company to the mix there are a few ways you can do it. The primary method I would suggest is to have all documents outside of your root folder so they can't be browsable by any random user. Then build a page-based interface that provides search capacity. Depending on the number of folders/documents this can be done in a number of ways. If the document count is low per folder (less than 1000 per folder, less than 1000 folders) then you could easily have your system access the file system directly to provide read access to these file lists. If you have more than this, I would recommend having an external mechanism to index these files into a database that is easily searchable. Then your interface will be responsible for determine who sees which files.

Finally, to serve the files to the user, you would build a second page whose specific responsibility is to fetch a specific file and serve it out as a binary stream.