Posted By: fabian | Jul 19th @ 3:09 AM
page 1 of 1
Comments: 3 | Views: 810

I have to create an asp.net image gallery type of application that allows users to upload files and for anonymous users to view those files. The owner should be allowed to delete their own files.

 

The site will be using forms based authentication (asp.net membership) and will be running IIS 6, 2003 Server and SQL Server 2005.

 

One option is to store the images in the SQL Server. That will give me easy access to determine if a user is allowed to delete / alter an image.

 

Can I also use the file system for storage? How do I control access rights to the files? If I place a web.config in the root of the directory, how can I specify that only users that belong to a specific membership role can delete / alter files in that directory?

ManipUni
Proving QQ for 5 years!

The database (SQL) solution seems the lesser of two evils.

One way to implement the file system based solution would be to, for example, have all of the images just be files with no special privileges at all, and then to set up the access rights using an XML database (single file).

e.g.
<ImageDatabase>
  <Image loc="images12/image123.jpg">
    <Access>
      <Name>Administrators</Name>
      <Rights>
        <FullControl />
      </Rights>
    </Access>
    <Access>
      <Name>Bob</Name>
      <Rights>
        <Delete />
        <Rename />
      </Rights>
    </Access>
  </Image>
  <Image loc="images3/image1.jpg">
    <Access>
      <Name>Administrators</Name>
      <Rights>
        <FullControl />
      </Rights>
    </Access>
  </Image>
</ImageDatabase>

blowdart
Peek-a-boo

In that case I'd store the files outside of the webroot, where it can't be directly accessed, or under app_data which can't be directly accessed either.

 

Then serve the files up via an asp.net handler, or a page, within which you can check role membership. And of course you can cache properly in there too.
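
The approach in the reply above, sketched as an added example that is not part of the thread or any poster's code: an ASP.NET handler that serves images stored under App_Data to anonymous users and only deletes for members of a role. The handler name, the "GalleryEditors" role, the `file` and `action` parameters and the folder name are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: code for a hypothetical GalleryImage.ashx. The "GalleryEditors"
// role, the "file"/"action" parameters and the folder name are assumptions.
public class GalleryImageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        string name = ctx.Request.QueryString["file"] ?? "";
        // Refuse separators, drive colons and other invalid characters first,
        // so the name can only ever be a leaf inside the image folder.
        bool leaf = name.Length > 0 && name.IndexOfAny(Path.GetInvalidFileNameChars()) < 0;
        string type = leaf ? ContentTypeFor(name) : null;
        if (type == null) { ctx.Response.StatusCode = 400; return; }

        string path = Path.Combine(ctx.Server.MapPath("~/App_Data/images"), name);
        if (!File.Exists(path)) { ctx.Response.StatusCode = 404; return; }

        if (ctx.Request.HttpMethod == "POST" && ctx.Request.Form["action"] == "delete")
        {
            // Deleting requires a logged-in member of the role; anonymous users get 403.
            if (!ctx.User.Identity.IsAuthenticated || !ctx.User.IsInRole("GalleryEditors"))
            { ctx.Response.StatusCode = 403; return; }
            File.Delete(path);
            ctx.Response.StatusCode = 204;
            return;
        }

        // Viewing is open to everyone; allow clients and proxies to cache for an hour.
        ctx.Response.ContentType = type;
        ctx.Response.Cache.SetCacheability(HttpCacheability.Public);
        ctx.Response.Cache.SetExpires(DateTime.Now.AddHours(1));
        ctx.Response.TransmitFile(path);
    }

    // Extension allowlist: only these types are served, everything else is refused.
    private static string ContentTypeFor(string name)
    {
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (ext == ".jpg") return "image/jpeg";
        if (ext == ".png") return "image/png";
        return ext == ".gif" ? "image/gif" : null;
    }
}
```

A per-owner rule would be one more condition beside the role check, looked up from wherever uploads are recorded. Because the delete branch is authorized by the forms-authentication cookie alone, it also needs an anti-forgery token on the POST.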
