How to tell if you have Read access to a network folder?

[Mitchell S. Honnert]

Is there a way, given the full path of a folder on a network, that one can
programatically tell if you have Read access to that folder?

I have an application where the user is able to select a number of search
folders using the standard dialog control. There shouldn't be an issue with
the search folder being on a local drive or a network drive. But if you
don't have Read access to the folder, there's trouble. The user can see the
folder on the network, so is able to select it in the dialog. But they're
not actually able to see any files in the folder, which makes selecting it
as a search folder kind of pointless. What I'd like to do it, at the time
the user selects a network folder, check to see if the user actually has the
ability to see files within the folder as well.

I've tried playing around with the IO.Directory class and other class in IO,
but if the solution is in there, I guess I'm just not finding it. I suppose
I could just try and read the files in the directory and catch the access
exception, but this just seems kludgy. If there's a better way, I'd like to
use that.

Thank,

- Mitchell S. Honnert

 

[Jay B. Harlow [MVP - Outlook]]

Mitchell,
In VS 2002 & 2003 (.NET 1.0 & 1.1) there is nothing available sans P/Invoke.

VS 2005 (.NET 2.0) includes a new System.Security.AccessControl namespace
that makes this relatively easy.

http://msdn2.microsoft.com/en-us/library/tbsb79h3(en-US,VS.80).aspx


You can use the new File.GetAccessControl to get the
AuthorizationRuleCollection for a file:

http://msdn2.microsoft.com/en-us/library/system.io.file.getaccesscontrol.aspx

You can use the new Directory.GetAccessControl to get the
AuthorizationRuleCollection for a directory:
http://msdn2.microsoft.com/en-us/library/4kds9zxc(en-US,VS.80).aspx

From looking at these two, these give you explicit permissions, not
effective permission for a user. I don't see right now how to do "Effective
Permissions" as found on the "Advanced Security Settings for ..." dialog
from the Security tab of the file Properties in Windows Explorer on Windows
XP.


Here's a quick sample on getting the explicit permissions on a file.

Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Public Sub Main()
Const fileName As String = "\Windows\Microsoft.NET\Framework\"

Dim security As FileSecurity = File.GetAccessControl(fileName)

Dim accessRules As AuthorizationRuleCollection =
security.GetAccessRules(True, True, GetType(NTAccount))

For Each rule As FileSystemAccessRule In accessRules
Debug.WriteLine(rule.FileSystemRights,
rule.IdentityReference.Value)
Next

End Sub

If I find an example that gives effective permissions I'll post a follow up.

I am not seeing any thing on Keith Brown's blog right now:

http://pluralsight.com/blogs/keith/

Keith Brown is author of "The .NET Developer's Guide to Windows Security"
which I highly recommend.

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HomePage.html

The following article explains the NTAccount object I use in the above
sample:

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToProgramWithSIDs.html

Again, if I find anything further I will post.

--
Hope this helps
Jay [MVP - Outlook]
..NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net


| Is there a way, given the full path of a folder on a network, that one can
| programatically tell if you have Read access to that folder?
|
| I have an application where the user is able to select a number of search
| folders using the standard dialog control. There shouldn't be an issue
with
| the search folder being on a local drive or a network drive. But if you
| don't have Read access to the folder, there's trouble. The user can see
the
| folder on the network, so is able to select it in the dialog. But they're
| not actually able to see any files in the folder, which makes selecting it
| as a search folder kind of pointless. What I'd like to do it, at the time
| the user selects a network folder, check to see if the user actually has
the
| ability to see files within the folder as well.
|
| I've tried playing around with the IO.Directory class and other class in
IO,
| but if the solution is in there, I guess I'm just not finding it. I
suppose
| I could just try and read the files in the directory and catch the access
| exception, but this just seems kludgy. If there's a better way, I'd like
to
| use that.
|
| Thank,
|
| - Mitchell S. Honnert
|
|

 

[Jay B. Harlow [MVP - Outlook]]

Doh!
| VS 2005 (.NET 2.0) includes a new System.Security.AccessControl namespace
| that makes this relatively easy.
I really should have said "that should make this relatively easy"...

--
Hope this helps
Jay [MVP - Outlook]
..NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net


message | Mitchell,
| In VS 2002 & 2003 (.NET 1.0 & 1.1) there is nothing available sans
P/Invoke.
|
| VS 2005 (.NET 2.0) includes a new System.Security.AccessControl namespace
| that makes this relatively easy.
|
| http://msdn2.microsoft.com/en-us/library/tbsb79h3(en-US,VS.80).aspx
|
|
| You can use the new File.GetAccessControl to get the
| AuthorizationRuleCollection for a file:
|
|
http://msdn2.microsoft.com/en-us/library/system.io.file.getaccesscontrol.aspx
|
| You can use the new Directory.GetAccessControl to get the
| AuthorizationRuleCollection for a directory:
| http://msdn2.microsoft.com/en-us/library/4kds9zxc(en-US,VS.80).aspx
|
| From looking at these two, these give you explicit permissions, not
| effective permission for a user. I don't see right now how to do
"Effective
| Permissions" as found on the "Advanced Security Settings for ..." dialog
| from the Security tab of the file Properties in Windows Explorer on
Windows
| XP.
|
|
| Here's a quick sample on getting the explicit permissions on a file.
|
| Imports System.IO
| Imports System.Security.AccessControl
| Imports System.Security.Principal
|
| Public Sub Main()
| Const fileName As String = "\Windows\Microsoft.NET\Framework\"
|
| Dim security As FileSecurity = File.GetAccessControl(fileName)
|
| Dim accessRules As AuthorizationRuleCollection =
| security.GetAccessRules(True, True, GetType(NTAccount))
|
| For Each rule As FileSystemAccessRule In accessRules
| Debug.WriteLine(rule.FileSystemRights,
| rule.IdentityReference.Value)
| Next
|
| End Sub
|
| If I find an example that gives effective permissions I'll post a follow
up.
|
| I am not seeing any thing on Keith Brown's blog right now:
|
| http://pluralsight.com/blogs/keith/
|
| Keith Brown is author of "The .NET Developer's Guide to Windows Security"
| which I highly recommend.
|
| http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HomePage.html
|
| The following article explains the NTAccount object I use in the above
| sample:
|
|
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToProgramWithSIDs.html
|
| Again, if I find anything further I will post.
|
| --
| Hope this helps
| Jay [MVP - Outlook]
| .NET Application Architect, Enthusiast, & Evangelist
| T.S. Bradley - http://www.tsbradley.net
|
|
| || Is there a way, given the full path of a folder on a network, that one
can
|| programatically tell if you have Read access to that folder?
||
|| I have an application where the user is able to select a number of search
|| folders using the standard dialog control. There shouldn't be an issue
| with
|| the search folder being on a local drive or a network drive. But if you
|| don't have Read access to the folder, there's trouble. The user can see
| the
|| folder on the network, so is able to select it in the dialog. But
they're
|| not actually able to see any files in the folder, which makes selecting
it
|| as a search folder kind of pointless. What I'd like to do it, at the
time
|| the user selects a network folder, check to see if the user actually has
| the
|| ability to see files within the folder as well.
||
|| I've tried playing around with the IO.Directory class and other class in
| IO,
|| but if the solution is in there, I guess I'm just not finding it. I
| suppose
|| I could just try and read the files in the directory and catch the access
|| exception, but this just seems kludgy. If there's a better way, I'd like
| to
|| use that.
||
|| Thank,
||
|| - Mitchell S. Honnert
||
||
|
|

 

[Jay B. Harlow [MVP - Outlook]]

Mitchell,
The following article introduces the new System.Security.AccessControl
namespace:

http://msdn.microsoft.com/msdnmag/issues/05/01/SecurityBriefs/

--
Hope this helps
Jay [MVP - Outlook]
..NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net


| Is there a way, given the full path of a folder on a network, that one can
| programatically tell if you have Read access to that folder?
|
| I have an application where the user is able to select a number of search
| folders using the standard dialog control. There shouldn't be an issue
with
| the search folder being on a local drive or a network drive. But if you
| don't have Read access to the folder, there's trouble. The user can see
the
| folder on the network, so is able to select it in the dialog. But they're
| not actually able to see any files in the folder, which makes selecting it
| as a search folder kind of pointless. What I'd like to do it, at the time
| the user selects a network folder, check to see if the user actually has
the
| ability to see files within the folder as well.
|
| I've tried playing around with the IO.Directory class and other class in
IO,
| but if the solution is in there, I guess I'm just not finding it. I
suppose
| I could just try and read the files in the directory and catch the access
| exception, but this just seems kludgy. If there's a better way, I'd like
to
| use that.
|
| Thank,
|
| - Mitchell S. Honnert
|
|

 

[Mitchell S. Honnert]

Jay, thank you very much for the reply. I'll look over the links you
provided, but it really looks like you've steered me in the right direction.

- Mitchell S. Honnert

Mitchell,
In VS 2002 & 2003 (.NET 1.0 & 1.1) there is nothing available sans
P/Invoke.

VS 2005 (.NET 2.0) includes a new System.Security.AccessControl namespace
that makes this relatively easy.

http://msdn2.microsoft.com/en-us/library/tbsb79h3(en-US,VS.80).aspx


You can use the new File.GetAccessControl to get the
AuthorizationRuleCollection for a file:

http://msdn2.microsoft.com/en-us/library/system.io.file.getaccesscontrol.aspx

You can use the new Directory.GetAccessControl to get the
AuthorizationRuleCollection for a directory:
http://msdn2.microsoft.com/en-us/library/4kds9zxc(en-US,VS.80).aspx

From looking at these two, these give you explicit permissions, not
effective permission for a user. I don't see right now how to do
"Effective
Permissions" as found on the "Advanced Security Settings for ..." dialog
from the Security tab of the file Properties in Windows Explorer on
Windows
XP.


Here's a quick sample on getting the explicit permissions on a file.

Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Public Sub Main()
Const fileName As String = "\Windows\Microsoft.NET\Framework\"

Dim security As FileSecurity = File.GetAccessControl(fileName)

Dim accessRules As AuthorizationRuleCollection =
security.GetAccessRules(True, True, GetType(NTAccount))

For Each rule As FileSystemAccessRule In accessRules
Debug.WriteLine(rule.FileSystemRights,
rule.IdentityReference.Value)
Next

End Sub

If I find an example that gives effective permissions I'll post a follow
up.

I am not seeing any thing on Keith Brown's blog right now:

http://pluralsight.com/blogs/keith/

Keith Brown is author of "The .NET Developer's Guide to Windows Security"
which I highly recommend.

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HomePage.html

The following article explains the NTAccount object I use in the above
sample:

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToProgramWithSIDs.html

Again, if I find anything further I will post.

--
Hope this helps
Jay [MVP - Outlook]
.NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net


| Is there a way, given the full path of a folder on a network, that one
can
| programatically tell if you have Read access to that folder?
|
| I have an application where the user is able to select a number of
search
| folders using the standard dialog control. There shouldn't be an issue
with
| the search folder being on a local drive or a network drive. But if you
| don't have Read access to the folder, there's trouble. The user can see
the
| folder on the network, so is able to select it in the dialog. But
they're
| not actually able to see any files in the folder, which makes selecting
it
| as a search folder kind of pointless. What I'd like to do it, at the
time
| the user selects a network folder, check to see if the user actually has
the
| ability to see files within the folder as well.
|
| I've tried playing around with the IO.Directory class and other class in
IO,
| but if the solution is in there, I guess I'm just not finding it. I
suppose
| I could just try and read the files in the directory and catch the
access
| exception, but this just seems kludgy. If there's a better way, I'd
like
to
| use that.
|
| Thank,
|
| - Mitchell S. Honnert
|
|

 

[Jay B. Harlow [MVP - Outlook]]

Mitchell,
Reviewing Keith Brown's book something just occurred to me.

The user running the code is going to need a certain amount of permission to
get the list of permissions on an object (file), generally the "Read
Permissions" permission.

If the user doesn't have the "Read Permissions" permission I suspect that
File.GetAccessControl will throw an UnauthorizedAccessException, which I
believe is the same as when you attempt to open it for reading & you don't
have the "Read Data" permission...


--
Hope this helps
Jay [MVP - Outlook]
..NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net


| Jay, thank you very much for the reply. I'll look over the links you
| provided, but it really looks like you've steered me in the right
direction.
|
| - Mitchell S. Honnert
|
|
| message | > Mitchell,
| > In VS 2002 & 2003 (.NET 1.0 & 1.1) there is nothing available sans
| > P/Invoke.
| >
| > VS 2005 (.NET 2.0) includes a new System.Security.AccessControl
namespace
| > that makes this relatively easy.
| >
| > http://msdn2.microsoft.com/en-us/library/tbsb79h3(en-US,VS.80).aspx
| >
| >
| > You can use the new File.GetAccessControl to get the
| > AuthorizationRuleCollection for a file:
| >
| >
http://msdn2.microsoft.com/en-us/library/system.io.file.getaccesscontrol.aspx
| >
| > You can use the new Directory.GetAccessControl to get the
| > AuthorizationRuleCollection for a directory:
| > http://msdn2.microsoft.com/en-us/library/4kds9zxc(en-US,VS.80).aspx
| >
| > From looking at these two, these give you explicit permissions, not
| > effective permission for a user. I don't see right now how to do
| > "Effective
| > Permissions" as found on the "Advanced Security Settings for ..." dialog
| > from the Security tab of the file Properties in Windows Explorer on
| > Windows
| > XP.
| >
| >
| > Here's a quick sample on getting the explicit permissions on a file.
| >
| > Imports System.IO
| > Imports System.Security.AccessControl
| > Imports System.Security.Principal
| >
| > Public Sub Main()
| > Const fileName As String = "\Windows\Microsoft.NET\Framework\"
| >
| > Dim security As FileSecurity = File.GetAccessControl(fileName)
| >
| > Dim accessRules As AuthorizationRuleCollection =
| > security.GetAccessRules(True, True, GetType(NTAccount))
| >
| > For Each rule As FileSystemAccessRule In accessRules
| > Debug.WriteLine(rule.FileSystemRights,
| > rule.IdentityReference.Value)
| > Next
| >
| > End Sub
| >
| > If I find an example that gives effective permissions I'll post a follow
| > up.
| >
| > I am not seeing any thing on Keith Brown's blog right now:
| >
| > http://pluralsight.com/blogs/keith/
| >
| > Keith Brown is author of "The .NET Developer's Guide to Windows
Security"
| > which I highly recommend.
| >
| > http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HomePage.html
| >
| > The following article explains the NTAccount object I use in the above
| > sample:
| >
| >
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToProgramWithSIDs.html
| >
| > Again, if I find anything further I will post.
| >
| > --
| > Hope this helps
| > Jay [MVP - Outlook]
| > .NET Application Architect, Enthusiast, & Evangelist
| > T.S. Bradley - http://www.tsbradley.net
| >
| >
| > | > | Is there a way, given the full path of a folder on a network, that one
| > can
| > | programatically tell if you have Read access to that folder?
| > |
| > | I have an application where the user is able to select a number of
| > search
| > | folders using the standard dialog control. There shouldn't be an
issue
| > with
| > | the search folder being on a local drive or a network drive. But if
you
| > | don't have Read access to the folder, there's trouble. The user can
see
| > the
| > | folder on the network, so is able to select it in the dialog. But
| > they're
| > | not actually able to see any files in the folder, which makes
selecting
| > it
| > | as a search folder kind of pointless. What I'd like to do it, at the
| > time
| > | the user selects a network folder, check to see if the user actually
has
| > the
| > | ability to see files within the folder as well.
| > |
| > | I've tried playing around with the IO.Directory class and other class
in
| > IO,
| > | but if the solution is in there, I guess I'm just not finding it. I
| > suppose
| > | I could just try and read the files in the directory and catch the
| > access
| > | exception, but this just seems kludgy. If there's a better way, I'd
| > like
| > to
| > | use that.
| > |
| > | Thank,
| > |
| > | - Mitchell S. Honnert
| > |
| > |
| >
| >
|
|