I have a write-restricted folder which may only be written to if the user is in a specific group or has been explicitly given the rights to do so. I have successfully implemented that in C++ using SetNamedSecurityInfo on the folder with the specified groups and users. However, the following scenario gives me trouble:
- Admin gives write-rights to user
- User creates a file
- Admin removes write-rights from user
- User keeps writing in the file
The last point is the problem. Since the user is the owner of the file, he can write to it, even though the admin removed the right (by removing group membership, for example). I want to ensure that the ownership of a file does not grant any rights to the owner in that restricted folder.