
I have an application where the admin user can create users and upload documents to the server for the created user to download.

When uploading a file, it creates a folder using the userid as the folder name and saves the file in that folder, within a folder called documents, e.g. ~documents/77b29079-43d6-4520-bc34-77ae2af1b131/documentname.xls

The client then has to log in and will see a list of available documents for that user only. The only problem is that if someone was to get hold of one of the URLs to a document, it can be downloaded without having to log in.

Is there something I can do to stop access to these files? I have tried editing the web.config file to only allow access to certain roles, but I could still download a document without logging in.

<location path="documents">
    <system.web>
        <authorization>
            <allow roles="Admin, Client"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

Thanks for your help. J.

Jammer
  • Take a look at this: http://forums.asp.net/p/1481964/3460994.aspx ? – rlb.usa Jun 29 '11 at 17:05
  • Had a look at the link and tried to implement a custom handler, but I just keep getting an error: Could not load type 'DocTypeHandler.ashx'. Maybe I need to post again to see what this is. – Jammer Jun 30 '11 at 10:25

1 Answer


The link provided by @rlb.usa in the comments has two good methods. Another alternative is storing the documents in a database and using application code or database security to determine who has access to what. That, of course, comes with a different set of problems and advantages. If you are using SQL Server, this hits on some of the pros and cons.

JasonS
  • Thanks for the tips guys, will have a look at them and see how I get on. I had thought of storing in a database, but I've looked into this before for a previous project but decided against it. – Jammer Jun 30 '11 at 08:32
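
One way to let application code decide who gets a file, applied to the per-user folder layout from the question. This is an added example, not code from the question, the answer or the linked forum thread. It assumes ASP.NET Membership with a Guid user key, the files moved under ~/App_Data/documents/<userid>/ (a folder ASP.NET refuses to serve directly), and a hypothetical handler file Download.ashx that takes a `file` query parameter.

```csharp
// Download.ashx (hypothetical name). The file starts with the directive:
//   <%@ WebHandler Language="C#" Class="DownloadHandler" %>
// Assumptions: ASP.NET Membership where ProviderUserKey is the user's Guid,
// and documents stored in ~/App_Data/documents/<userid>/.
using System;
using System.IO;
using System.Web;
using System.Web.Security;

public class DownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Anonymous requests stop here, before any file system access.
        if (!context.User.Identity.IsAuthenticated) { Deny(context, 401); return; }

        // The folder comes from the logged-in user, never from the URL,
        // so a leaked link cannot point into another client's folder.
        MembershipUser user = Membership.GetUser();
        if (user == null || !(user.ProviderUserKey is Guid)) { Deny(context, 403); return; }
        string userFolder = ((Guid)user.ProviderUserKey).ToString();

        // Accept a bare file name only: path separators, ':' , quotes and
        // control characters are all in GetInvalidFileNameChars on Windows.
        string fileName = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(fileName) ||
            fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            Deny(context, 404);
            return;
        }

        string root = context.Server.MapPath("~/App_Data/documents");
        string fullPath = Path.Combine(Path.Combine(root, userFolder), fileName);
        // File.Exists is false for directories, so "." and ".." also end here.
        if (!File.Exists(fullPath)) { Deny(context, 404); return; }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + fileName + "\"");
        context.Response.TransmitFile(fullPath);
    }

    private static void Deny(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
    }
}
```

The document list shown to the client would link to Download.ashx?file=documentname.xls instead of the file's own URL. An admin download path would need its own role check.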