
I am developing an MVC website where different users may upload several images. The idea is that the users can only see their own images. Using a virtual folder in IIS to store the user images would be an easy solution, but then anybody who knows a valid filename would be able to freely download someone else's pictures.

Can anybody suggest a solution for this problem without manually setting permissions at the file level?

Also take into consideration that the files may be 10 MB.

Thanks in advance!

Adanay Martín
  • You store the user's ID along with the file path in a database, and then validate that the current user's ID matches. –  Mar 18 '18 at 22:28
  • I do have the filepath stored, just that it is in a network shared folder instead of a virtual folder. – Adanay Martín Mar 18 '18 at 22:59
  • @mjwills, Obscurity is not security. –  Mar 18 '18 at 23:16
  • @mjwills. My first comment has nothing to do with setting permissions at the file level :) –  Mar 18 '18 at 23:32
  • I've answered a similar question in the past. Basically, you need to "Gate" your content behind a controller/action so that you can use the built in authorization components to ensure you are returning the right stuff for the right user. https://stackoverflow.com/questions/7208120/in-asp-net-mvc-is-there-a-good-library-or-pattern-to-follow-when-saving-users-c/7560390#7560390 – Tommy Mar 18 '18 at 23:56
  • @Tommy I think this is the way out. The images are already in a shared network folder. Then I would need an action to return the corresponding file per user (file paths are in the database per user). Creating a virtual directory is not a choice due to security reasons. – Adanay Martín Mar 19 '18 at 02:14

1 Answer

All static content, like images, CSS and JavaScript, is served directly by IIS without involving the MVC pipeline. So by adding the following tag to the web.config file you can make sure that all requests will be served by the MVC pipeline. This will restrict direct access to the images.

<system.webServer>
  <!-- Route every request, including static files, through the managed pipeline -->
  <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>

Now you have to create an ActionFilter that will check whether valid users are accessing the files or not. For that you have to add some unique identification number to the image name.

Whenever a user makes a request for an image, just get the file name, extract the unique number from it, and compare it with the currently logged-in user.

Mannan Bahelim
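The "gate the file behind a controller action" approach that the comments and the answer describe, written out as an added example (this is not code from the question, the answer, or any project; it is illustrative). It assumes ASP.NET MVC 5 with ASP.NET Identity for the current user's id; the `UserImage` model, the `IUserImageRepository` interface and the `\\fileserver\userimages\` share path are hypothetical names used to stand in for the database table of file paths the question mentions. The ownership check is done against the database row, not against a number embedded in the file name, and the client never supplies a path, only an id:

```csharp
// Added example, not part of the original question or answer.
// Assumes ASP.NET MVC 5 + ASP.NET Identity; model, repository and share path are hypothetical.
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class UserImage
{
    public int Id { get; set; }
    public string OwnerId { get; set; }     // ASP.NET Identity user id of the uploader
    public string StoredPath { get; set; }  // absolute path on the share, chosen by the server at upload time
    public string ContentType { get; set; } // e.g. "image/jpeg", recorded at upload time
}

public interface IUserImageRepository
{
    UserImage Find(int id);                 // hypothetical lookup of the database row by id
}

[Authorize]                                 // anonymous callers never reach the action
public class UserImagesController : Controller
{
    // Hypothetical share that is NOT mapped as an IIS virtual directory, so IIS has no
    // static-file handler for it and this action is the only way to reach the images.
    private const string ImageRoot = @"\\fileserver\userimages\";

    private readonly IUserImageRepository _images;

    public UserImagesController(IUserImageRepository images)
    {
        _images = images;
    }

    // GET /UserImages/Show/42
    // The URL carries only the database id; file names and paths come from the DB row.
    public ActionResult Show(int id)
    {
        UserImage image = _images.Find(id);

        // Same response for "does not exist" and "belongs to someone else", so a caller
        // cannot tell valid foreign ids apart from unused ones.
        if (image == null || !string.Equals(image.OwnerId, User.Identity.GetUserId(), StringComparison.Ordinal))
        {
            return HttpNotFound();
        }

        // Defence in depth: even if a DB row were tampered with, never serve a file
        // outside the image root (catches "..\" and absolute paths elsewhere).
        string fullPath = Path.GetFullPath(image.StoredPath);
        if (!fullPath.StartsWith(ImageRoot, StringComparison.OrdinalIgnoreCase) || !System.IO.File.Exists(fullPath))
        {
            return HttpNotFound();
        }

        // Stream rather than File.ReadAllBytes: a 10 MB image is not buffered whole in memory.
        var stream = new FileStream(fullPath, FileMode.Open, FileAccess.Read, FileShare.Read,
                                    64 * 1024, FileOptions.SequentialScan);

        // Private content: stop shared caches/proxies from keeping a copy another user could receive.
        Response.Cache.SetCacheability(HttpCacheability.Private);

        return new FileStreamResult(stream, image.ContentType);
    }
}
```

In a view the image is then referenced as `<img src="@Url.Action("Show", "UserImages", new { id = image.Id })" />`. Because the files live on a share outside any virtual directory, the `runAllManagedModulesForAllRequests` setting is not needed for this to hold: there is no static route to the bytes, so every download goes through `Show` and its ownership check.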