Check users directory permissions


gareth

Hi,

Does anyone know of a way of finding out if the currently logged in
user has read access to a directory without trying to open the
directory??

Thanks

gareth
 
Gareth,

What kind of access are you looking for? I would try and get the
DirectoryInfo instance for the directory. Once you have that, you can call
the GetAccessControl method which will return a DirectorySecurity instance
that gives you information about the permissions on the directory.
 
gareth said:
Hi,

Does anyone know of a way of finding out if the currently logged in
user has read access to a directory without trying to open the
directory??

Thanks

gareth


This is not as easy as it looks. I'm also not clear on why you need to
know why a user has read access to a *directory*; users are opening/reading
files, not directories, and having read access to a directory doesn't
guarantee read access to a file contained in that directory.


Willy.
 
Hello Nicholas/Willy,

I'm trying to create a directory/file browser front end for a number
of Crystal Reports. The reports will be stored in a directory
structure according to the type of report that is being stored there,
e.g. telephony, IT, management etc.

It's a requirement that these reports can only be looked at by certain
people, i.e. non-management staff can't run management reports. The
easiest way to manage this is by using the file permissions on the
crystal reports and checking them against the currently logged in
user.

However, it's also a requirement that, if a user can't run a report
they can't even see it - so I need to check the permissions of each
file.

There is a similar requirement for the directories - if a user doesn't
have access to the directory, they can't see it.

Hope this makes sense...it's early!! :o)

Gareth
 
O.K. I've done this:

// Needs: using System.IO; using System.Security.AccessControl; using System.Security.Principal;
private bool CheckReadAccess(WindowsIdentity user, DirectoryInfo directory)
{
    // Get the collection of authorization rules that apply to the current directory
    AuthorizationRuleCollection acl = directory.GetAccessControl()
        .GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));

    // These are set to true if either the allow read or deny read access rights are set
    bool allowRead = false;
    bool denyRead = false;

    for (int x = 0; x < acl.Count; x++)
    {
        FileSystemAccessRule currentRule = (FileSystemAccessRule)acl[x];
        // If the current rule applies to the current user
        if (user.User.Equals(currentRule.IdentityReference))
        {
            if (currentRule.AccessControlType.Equals(AccessControlType.Deny))
            {
                if ((currentRule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read)
                {
                    denyRead = true;
                }
            }
            else if (currentRule.AccessControlType.Equals(AccessControlType.Allow))
            {
                if ((currentRule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read)
                {
                    allowRead = true;
                }
            }
        }
    }

    if (allowRead & !denyRead)
        return true;
    else
        return false;
}

Which works if the permissions are explicitly set for the given user
but fails if the permissions are set for a group the user is a member
of...

Any ideas?

Gareth
 
gareth said:
Hello Nicholas/Willy,

I'm trying to create a directory/file browser front end for a number
of Crystal Reports. The reports will be stored in a directory
structure according to the type of report that is being stored there,
e.g. telephony, IT, management etc.

It's a requirement that these reports can only be looked at by certain
people, i.e. non-management staff can't run management reports. The
easiest way to manage this is by using the file permissions on the
crystal reports and checking them against the currently logged in
user.

However, it's also a requirement that, if a user can't run a report
they can't even see it - so I need to check the permissions of each
file.

There is a similar requirement for the directories - if a user doesn't
have access to the directory, they can't see it.

Hope this makes sense...it's early!! :o)

Gareth

This is what role-based security was made for; don't go down to the level of
File System security for this.

....
WindowsIdentity wi = WindowsIdentity.GetCurrent();
WindowsPrincipal wp = new WindowsPrincipal(wi);
if (wp.IsInRole(@"BUILTIN\management"))
{
    // Run management reports
}
else
{
    // Handle other roles...
}

Willy.
 
gareth said:
O.K. I've done this:

// Needs: using System.IO; using System.Security.AccessControl; using System.Security.Principal;
private bool CheckReadAccess(WindowsIdentity user, DirectoryInfo directory)
{
    // Get the collection of authorization rules that apply to the current directory
    AuthorizationRuleCollection acl = directory.GetAccessControl()
        .GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));

    // These are set to true if either the allow read or deny read access rights are set
    bool allowRead = false;
    bool denyRead = false;

    for (int x = 0; x < acl.Count; x++)
    {
        FileSystemAccessRule currentRule = (FileSystemAccessRule)acl[x];
        // If the current rule applies to the current user
        if (user.User.Equals(currentRule.IdentityReference))
        {
            if (currentRule.AccessControlType.Equals(AccessControlType.Deny))
            {
                if ((currentRule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read)
                {
                    denyRead = true;
                }
            }
            else if (currentRule.AccessControlType.Equals(AccessControlType.Allow))
            {
                if ((currentRule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read)
                {
                    allowRead = true;
                }
            }
        }
    }

    if (allowRead & !denyRead)
        return true;
    else
        return false;
}

Which works if the permissions are explicitly set for the given user
but fails if the permissions are set for a group the user is a member
of...

Any ideas?

Gareth



You have to check all groups the user is a member of. As I told you in another
reply, this is both complex and expensive in terms of performance,
especially when a principal is a member of a lot of groups where some of them
are domain groups.

Willy.
 
Hi,

I know it's not the best way of doing things but it's the way we have
to do them. The administrators are unwilling to modify the security in
anywhere but the directory and file permissions so that's what I need
to check.

This is what I've come up with:

// Needs: using System.IO; using System.Security.AccessControl; using System.Security.Principal;
System.Security.Principal.WindowsIdentity currentUser =
    System.Security.Principal.WindowsIdentity.GetCurrent();
System.Security.Principal.WindowsPrincipal currentPrinciple =
    (WindowsPrincipal)System.Threading.Thread.CurrentPrincipal;

private bool CheckReadAccess(WindowsIdentity user, WindowsPrincipal principal, DirectoryInfo directory)
{
    // Get the collection of authorization rules that apply to the current directory
    AuthorizationRuleCollection acl = directory.GetAccessControl()
        .GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));

    // These are set to true if either the allow read or deny read access rights are set
    bool allowRead = false;
    bool denyRead = false;

    for (int x = 0; x < acl.Count; x++)
    {
        FileSystemAccessRule currentRule = (FileSystemAccessRule)acl[x];
        // If the current rule applies to the current user or to a group the user is in
        if (user.User.Equals(currentRule.IdentityReference) ||
            principal.IsInRole((SecurityIdentifier)currentRule.IdentityReference))
        {
            if (currentRule.AccessControlType.Equals(AccessControlType.Deny))
            {
                if ((currentRule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read)
                {
                    denyRead = true;
                }
            }
            else if (currentRule.AccessControlType.Equals(AccessControlType.Allow))
            {
                if ((currentRule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read)
                {
                    allowRead = true;
                }
            }
        }
    }

    if (allowRead & !denyRead)
        return true;
    else
        return false;
}

Seems to work ok to me and doesn't seem that complex!

Thanks for your help.
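
An ordered evaluation of the ACL against the user's own SID and every group SID in the token, covering ACEs that grant or deny only part of Read and inherit-only ACEs. This is an added example, not code from any poster in this thread; `ReportAcl`, `HasRights` and `VisibleDirectories` are hypothetical names. It assumes GetAccessRules returns ACEs in DACL order, does not model ownership or privileges, and only decides what to list: the file system still makes the real decision when a report is opened.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class ReportAcl   // hypothetical helper, not part of the thread
{
    // Estimates whether 'user' holds all 'needed' rights on 'item' by walking the
    // DACL in order: for each right, the first matching ACE decides (assumed order).
    public static bool HasRights(WindowsIdentity user, FileSystemInfo item, FileSystemRights needed)
    {
        // The user's own SID plus the SID of every group in the token.
        var sids = new HashSet<IdentityReference> { user.User };
        if (user.Groups != null) sids.UnionWith(user.Groups);

        FileSystemSecurity security;
        try
        {
            security = item is DirectoryInfo dir
                ? (FileSystemSecurity)dir.GetAccessControl()
                : ((FileInfo)item).GetAccessControl();
        }
        catch (UnauthorizedAccessException) { return false; }   // cannot even read the ACL

        FileSystemRights granted = 0, denied = 0;
        foreach (FileSystemAccessRule rule in security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            // Inherit-only ACEs are templates for children and do not apply to this object.
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            if (!sids.Contains(rule.IdentityReference)) continue;
            if (rule.AccessControlType == AccessControlType.Deny)
                denied |= rule.FileSystemRights & ~granted;    // deny only bits not yet granted
            else
                granted |= rule.FileSystemRights & ~denied;    // grant only bits not yet denied
        }
        return (granted & needed) == needed;
    }

    // Listing filter for the browser: subdirectories the current user can read.
    public static List<DirectoryInfo> VisibleDirectories(DirectoryInfo root)
    {
        using (WindowsIdentity user = WindowsIdentity.GetCurrent())
            return root.GetDirectories()
                       .Where(d => HasRights(user, d, FileSystemRights.Read))
                       .ToList();
    }
}
```

The same `HasRights` call works for report files by passing a `FileInfo`.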
 
