
I'm trying to use ASP.NET MVC to have a web app that will take details about a parent item and allow uploads and sharing of files which are associated with and stored under the name of the parent item.

The files I want to protect are stored in this way: ~/Files/{Item-GUID}/{Filename}.{ext}

The Item-Guid can be used to query the db for security permissions for the item. (users are logged as AD SIDs)

I need to know how to have ASP.NET respond to file requests for these files in the path ~/Files/ and use the /Item-GUID/ to check security permissions before serving the file to the user, and throw authentication errors if the user is not logged in or does not have access to the parent item.

I would appreciate any links or advice on where I should start here. Thanks in advance.

Rem

1 Answer


I often create a custom permission class that derives from the AuthorizeAttribute class. This is one way you can create a custom permissions filter on any controller action.

// Class name matches the constructor and the attribute used below
public class PermissionsFilter : AuthorizeAttribute
{
    private readonly string _permissionName;

    public PermissionsFilter(string permissionName)
    {
        _permissionName = permissionName;
    }
}

Override the OnAuthorization method.

public override void OnAuthorization(AuthorizationContext filterContext)
{
    // Perform check with _permissionName
    // Redirect to error / unauthorised
}

Then decorate your controller action.

[HttpPost]
[PermissionsFilter("PermissionName")]
public void SaveFile(HttpPostedFileBase file)
{
    // Do file stuff
}

I hope that's what you want and is of some help.

Addition: I've renamed GetFile to SaveFile, and this is what it should have been.

I've also been thinking about this again and it may not be the best solution for you. If you need to check a user's permissions to access a single file based upon its GUID, you might be better having the security check called in the SaveFile method that receives the file base parameter. You can get the GUID from the file name then to pass to the permissions check. If it fails then simply redirect to the appropriate view.

Wheels73
  • Unfortunately I've already got this part essentially done. The problem is that the files are still available by direct link without permissions check. Thanks for your response. – Rem Jun 05 '17 at 15:47
  • Sorry, 2 questions... How is your GetFile Controller Method provided with the HttpPostedFileBase for your files? Does this prevent direct access to the file via its URL? – Rem Jun 05 '17 at 16:05
  • @rem - Sorry, I've been away from my computer. It prevents access to the invocation of the action that takes that file and saves it elsewhere. In your case I guess you would need to take the GUID from the file selected and try and pass that into your overridden method. – Wheels73 Jun 05 '17 at 19:47
  • @rem - The file base parameter is provided to that method as part of an Ajax post. – Wheels73 Jun 05 '17 at 19:50
  • @rem - I've added further thoughts to the answer. – Wheels73 Jun 05 '17 at 20:05
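The gap raised in the comments is that a filter on the upload action does nothing for a direct link to ~/Files/{Item-GUID}/{Filename}. One way to close it is to make a controller action the only thing that reads that folder: the filter below takes the item GUID from the route and checks it against the caller's AD SID, and the action then streams the file. This is an added example, not code from the question or the answer; IItemPermissionService is an assumed stand-in for the asker's permissions query.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Hosting;
using System.Web.Mvc;

// Hypothetical lookup against the permissions table the question mentions:
// does this AD SID have read access to the parent item? (assumed interface)
public interface IItemPermissionService
{
    bool UserCanRead(Guid itemId, string userSid);
}

// Filter in the shape the answer describes, but the GUID comes from the route,
// so the same attribute guards the action that serves the file.
public class ItemPermissionsFilter : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);      // sets a 401 result when not logged in
        if (filterContext.Result != null) return;
        Guid itemId;
        var identity = filterContext.HttpContext.User.Identity as WindowsIdentity;
        var sid = identity?.User?.Value;           // caller's AD SID, as the question logs users
        var permissions = DependencyResolver.Current.GetService<IItemPermissionService>();
        if (!Guid.TryParse(filterContext.RouteData.Values["itemId"] as string, out itemId)
            || sid == null || !permissions.UserCanRead(itemId, sid))
            filterContext.Result = new HttpUnauthorizedResult();   // deny: no file served
    }
}

// Route to register: routes.MapRoute("ItemFiles", "Files/{itemId}/{fileName}",
//     new { controller = "Files", action = "Get" });
public class FilesController : Controller
{
    private static readonly string FilesRoot = HostingEnvironment.MapPath("~/Files");

    [ItemPermissionsFilter]
    public ActionResult Get(Guid itemId, string fileName)
    {
        // Resolve the path and confirm it stays inside this item's folder (no traversal).
        var itemDir = Path.Combine(FilesRoot, itemId.ToString("D"));
        var fullPath = Path.GetFullPath(Path.Combine(itemDir, fileName));
        if (!fullPath.StartsWith(itemDir + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(fullPath))
            return HttpNotFound();
        return File(fullPath, MimeMapping.GetMimeMapping(fullPath), Path.GetFileName(fullPath));
    }
}
```

The action only helps if IIS's static file handler never sees the folder: either keep the files outside the web root (pointing FilesRoot there instead of ~/Files) or set routes.RouteExistingFiles = true so the route wins over files that exist on disk.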