| If I'm understanding this correctly then I will need to walk through the
| "FileSystemAccessRules" and accumulate what's allowed and denied. I will
| also need to interpret if the user is a member of that group for each
rule.
That's right, you need to do exactly as the OS (the FileSystem in case of
File or Directory) does when accessing the object.
| My understanding is that explicit rules take precedence over inherited
rules
| (can I tell the difference?).
Yes, they do.
Sure, take a look at the IsInherited propery.
Also, denied take precedence over allowed. Do
| I just assume owners have full control?
|
Denied take precedence.
Owners have it by default, but this can be changed.
| This just seems like a lot of work for something windows does for you when
| you try to create, delete, modify files and folders.
Yes, object access and security checking is hard in Windows, and that
doesn't change with .NET, really. And it's something you should never do
from end-user code, the security API's are mainly meant to be used from
management and security editing applications, not really from user
applications that want to perform access checks.
All you should do from user code is try to open the object, the OS will
perform the required access checks, if it fails you will get a security
exception, if it succeeds you are done. Failures should be really
exceptional when administrator have done their job, most of the time they
point to illegal access.
I can't help but think
| there must be a better solution. I basically want the Effective
Permissions
| tab in Windows Explorer Properties.
What exactly do you mean by this? Do you want to display the same dialog as
the security editor from your code, or do you want to get the same
information? Quite a different task really. You won't find anything simpler,
really.
I've run across references to an
| "AccessCheck" function (for Win32), but I have yet find anything
| specifically for .NET.
AccessCheck is a complex function, before you can call it you need to fetch
a security descriptor, an access token, you need to construct a generic mask
and you need to check the out parameters when done, and don't forget to
check the return code and call SetLastError when anything fails. The lines
of code will largely exceed the pure managed solution (not to mention it's
error prone).
I suppose I could wrap the Win32 dlls, but I'm still
| holding out for a .NET solution. Another solution I've been considering is
| just creating a temporary files and folder in the folders I want to check
| and catch exceptions to determine what's allow when I try to manipulate.
Of
| course I could end up littering files if I can't delete them.
| Any additional comments are appreciated. Thank you.
You don't need to do this, if your Folder and it's inheritance chain is
set-up correctly for the application at hand.
Willy.
