Geek Answers Handbook

How to programmatically check EFFECTIVE delete (change) or write permission in .NET?

Sorry in advance for the long question. I'm really interested in programmatically checking if the Windows executable identifier matches the appropriate Windows privileges for writing to a directory (or file) in an ASP.NET web services application. But I agree to obtain effective delete (change) rights for the user for this directory or file. The problem is that I would like to be able to do this without typing temporary files or not necessarily performing an IO action and handling the exception.

Yes, there is a question about this already (see How can I programmatically determine if I have write permissions using C # in .Net? ) I usually agree with the accepted answer that the best method is to simply try the IO action and handle any exceptions - System.IO methods really throw a System.UnauthorizedAccessException to indicate a failure as a result of a privilege failure. But in the case of UPLOADING files, I would really like to check the privileges before spending time and resources on downloading data, since only AFTER the download, we can try to write the corresponding file or folder. I regret that any users upload a 2 GB file via http only after it is established after the download is complete that they do not have permission to upload the file to the destination.

The usual approach to testing write access, if you do not want to do the actual recording, is to write a temporary file. There is an answer to another question indicating this. This is what our code is currently doing. BUT window protection provides write access without deletion privileges. Users who have ONLY write access, but without deletion, leave all kinds of restored .tmp files. And no, we donโ€™t want to use a domain administrator account to reset the ACL in tmp files, and then delete them. The approach I took was to check if the user has write permissions using System.IO.Directory.GetAccessControl (..) or System.IO.File.GetAccessControl (..) and deals with various access rules and ACE returns ... but with this I still have problems with EFFECTIVE privileges, that is, in most cases I also need to look for user membership in any of the groups listed in ACE that have object permissions. There should be an easier way ... doesnโ€™t exist?

+3
source share
3 answers

Well, for the fact that he went the extra mile, and I try to maintain a clean program structure. Perhaps if you download only you can try to create an empty "placeholder" file with the same name as the last 2GB file, and then just overwrite it. Not ideal, as you can still get an empty file, but quite lightweight and at least a little more elegant than some alternatives.

+3
source

You may also have a persistent file, for example, 'access_test.txt', which you are trying to overwrite with datestamp or something primarily to check for current access.

+1
source

@Paul, I really like your answers, and I think that in ordinary web applications, where there is a well-known and relatively small set of potential directories for the target download, you have the right solution: 1 - If the application can have users who do not have Append Data attributes, all upload directories must have a well-known test file that verifies the upload operations to verify before loading.
2 - If there are no problems with Append Data privileges, the application can simply write out an empty version of the file and add to it at boot time. I accept your answer to make sure you deserve it.

Unfortunately, in my application, we do not have a finite or known set of downloadable target directories - any shared resource or folder on the network can be accessed. What we are going to implement is buffering the downloaded data in relatively small fragments and opening the target file in Append mode. But keep FileStream OPEN at boot time (yes, there are problems handling FileStreams that live for a long time). gives a quick exception (occurs as soon as the first fragment is written to the FileStream) if there are no write permissions independent of Append Data privileges. But I would not recommend this design to anyone - if you can handle it, try one of @Paul's suggested solutions. And if you donโ€™t need to worry about an early exchange of lack of write permissions at boot, just handle the exceptions and donโ€™t worry about it.

0
source

More articles:


All Articles