Is there any way to get list of all users who have access to a SVN project with SharpSVN?
A user may not add/edit any file, yet, but he has access to that project.
No. Whoever has access is determined by the server and there is no way to retrieve this for any specific server. On the server side you might look in the config files to see who has access, but this could be something like 'anybody on this active directory domain'.
Related
I have an Application that needs to store User Info such as their Username and there score and etc...
I have selected LocalApplicationData of the Environment.SpecialFolder Enumeration.
but I can access the directory for my application manually using file explorer and can edit or delete the file that can prove as a weak spot for the application and the users may be able to mess with my application.
So, Is there any directory that I can write to using code that the user will not be able to access it.
tnx
Is there any directory that I can write to using code that the user will not be able to access it.
No. An application run by a user account has the same privileges and permissions as that user. Therefore, there is no way that the application could do something the user couldn't do on his own.
If the data you need to store is intended to be browsed or modified by the user, it should go in Environment.SpecialFolder.Personal.
Otherwise, data should be stored in either Environment.SpecialFolder.ApplicationData (if it should roam with the user account) or Environment.SpecialFolder.LocalApplicationData (if it should not roam with the user, and instead should be limited to the local machine).
Yes, the user can get into these folders and destroy the data. By doing so, they run the risk of breaking your application. You can't secure yourself from yourself.
Develop a "repair" utility that can recover from the damage by recreating the necessary files on startup of your application if necessary.
As your application is running with your users privileges, there is no place your application can access that your user would not be able to access.
Your only option is to use encryption so your user cannot tamper with the file easily once it's written. But even then... what you did with the user's privileges can be undone by the user with the same privileges. You can only make it hard enough so he or she won't bother.
You can not prevent use open the file, but have some method to check if a file is being modified by user.
You can save it at Registry, or if your data is big, you can encrypt it before save to file. When you encrypt data, user can not know which infomartion it contains, and if user open the file and modify it, the data become invalid and you can know it is modified.
The situation I'm trying to address is this: I'm writing an application which multiple users will have access to. Access is restricted based on Windows permissions for folders - users will be granted access to the folder containing the application if needed.
For better or worse, the application stores its data in files on the same network as the application. I don't want users to be able to edit the data directly, so I plan to restrict access to the data files.
The approach I've been trying to use is then to have a 'service user' which does have read/write access to the data, and to use impersonation within the application to 'login' as the service user, perform required read/write, and return to the original user.
I've had a few different attempts at this without luck. Perhaps the simplest/most promising is based on Mark Johnson's answer here:
How do you do Impersonation in .NET?
I use it as follows:
using (new Impersonation(serviceAccount.Domain, serviceAccount.UserName, serviceAccount.Password))
{
DoImport(app);
}
where 'DoImport(app)' performs the reading of the data.
However, this gives an error 'Access to the path '...' is denied'. I'm trying to run this locally (the path is C:...) where I've restricted access to the path for the user I'm logged into but the user I'm trying to impersonate with has access.
Is there something I'm doing wrong here? Is there a better way to achieve what I'm after?
Thanks,
Andrew
The code at the below link seems to do what I'm after:
http://www.codeproject.com/Articles/10090/A-small-C-Class-for-impersonating-a-User
I think the token duplication is the important part, but I'm not exactly sure why.
I did have a further issue doing this - any assemblies that needed to be loaded for the 'DoImport(...)' function couldn't be loaded after the impersonation, access was denied for some reason (sorry for the vagueness, I didn't have time to look into this). Ensuring they're loaded before doing the impersonation, either through some dummy function calls or code to force load (see e.g. Is there a way to force all referenced assemblies to be loaded into the app domain?) did the trick.
The fact the user, which is logged on (or which you try to impersonate) has access rights to the files, does NOT imply, that the application, that you are running, has the rights.
Have you considered running the application under administrator rights? (You got to grant the access to the files to the application!)
Or, if you use debugging and are running it from VisualStuido (or other IDE), try running the IDE under administrator rights first.
This can do the trick in most cases, however, storing the data on a drive, where the users have physical access to it is by no means something I would recommend, have you thought about different ways of storing and accessing your data? Or what are the reasons for having it this way?
You can't gain acces to other useraccounts without Administrator rights, but have you considered to put the files in a shared folder? If you want to identify the creater/owner of the file you could use getowner. Or you could use subfolders in the shared folder. I hope this will help.
In my ASP.NET application I have to show some images. Actually these images saved in some other server. In my database I have the file path. I need to access file from remote server to my application. How can I do that? I am using the following code
imgFiles = Directory.GetFiles(strFullPath,
strPkStock + "_*",
SearchOption.TopDirectoryOnly);
But this throws an error saying "Access to the path denied"
You have to have file system access on other server to do this and I am sure you will not have it.
The shortest way to get it done is, publish the images folder from other server and use the url of the images to access it rather then file system path. This way, your asp.net application will be able to easily access these images. In fact, it will be the client browser which will directly access these images from the other server, you will just change the src of images.
Murtuza Kabul's suggestion to access files over HTTP/HTTPS is probably easiest approach. You may use HTTPS with client ceritficates to prevent other users/machines to read files from the same HTTPS server.
If you want to access files directly on other server's shared folder you need to make sure that code that accesses files runs under account that have at least read permissions for that shared folder.
Note that default configuration (where code runs under either special anonymous account or calling user's credentials) account that code runs under will not have permissions on other servers (anonymous becuse it is local account, user's due to restrictions on delegation also called "NTLM one hop hell").
Your easiest bet is to run app polls under some account that have permissions on other server and de-impersonate current user to process account. You can also explcitly impresonate some account to access remote files.
I've been working on an asp.net 4.0 website and seem to be having an issue with deleting from the database stored in the app_data folder.
I created a domain group in the actice directory and used the web.config file to restrict access to certain pages that allow modifcation of the database. Everything worked fine on my test machine and the production server, but the issue is that on the server, even though it recognizes the user when you access the page, when you try to delete an item it denies access and does not allow you to delete the item.
The users had read/write permissions to the folder, but it still denied access. I did some testing and allowed everyone read/write acces, and it allowed me to delete, but I don't like having that option set up.
Does anyone know what causes this issue and what the proper fix would be? I'm assuming I have to let the website know which user is running the application before it tries to delete so they can write to the database, but I thought it would do that automatically since I used Windows authentication.
If anyone has any information I would greatly appreciate it.
The user account that is running the application pool for your website is the only user account that needs MODIFY permissions to that database file.
my problem is, I want to create a new folder and make it impossible (or reasonably hard) for the user to change its name or to delete it. The thing is, the user must be able to access the files contained within that folder and change them in any way he pleases. Using the examples I've been finding in the net all I get is making it impossible to change the files INSIDE the folder, and not the folder itself.
Thanks in advance ;)
As long as that folder is created by the user's account (assuming that you're creating the folder programmatically by your application), the user will be able to edit the folder. The best way to protect that folder from tampering would be to write a very small windows service that keeps that folder always open, thus preventing deletion/renaming.
This might be helpful.
http://technet.microsoft.com/en-us/library/cc732880.aspx
It seems you want to allow the "Create Files/Write Data" permission but not allow "control" of the parent folder.
You should be able to set up an ACL to do this. Give them "List folder contents" rights and then selectively give them additional extended rights without giving them modify attributes rights.
The service answer is a bad idea. I might work, but is not the best way to do it. The key with windows directory and folder security is the "owner" of a folder. As an administrator you can always take ownership of a folder or file. BUT if the file has a different owner and that owner has granted you rights you won't have any other rights until you go in and take ownership.
What you want to do is create a special account on the machine (often called a service account) which is the identity the program runs under. This account has admin rights and is the owner of any files it creates. Then it can allow whatever access it wants to grant to users of files and folders it creates.
The admin will always be able to take ownership if they want to, but most users don't even know how to do this.