File Permissions

[SeanGrebey]

I currently have an application I wrote for a company to manage their projects. We've developed it enough over time that it has become fairly useful for them, and other companies in their industry have expressed an interest in using it as well, so they are looking for ways to turn around and sell rights to use it. Then general approach we were looking at is for them to host the site, and then people who log into it obviously only have access to their own products and any features they want to purchase. WHich is obviously a bit of a change from a single company environment. One of the big features of the current system is that they currently can upload different CAD drawing, contracts, etc to the website. Right now I just use the web.config files to like the stuff down, make sure sensitive stuff is locked to the administrative level, shared stuff to administrators and users. I'm not really sure how I go about this from multiple company approach. I would tend to lean toward a public and secure folder for each company, but file permissions have to be set from the file system level (e.g. how do I create a folder automatically from the website and then give it read/write/delete access), and then how do I secure the files properly so that users from one company can't type in the URL to another company's folder and get access to their files. Any help on this would be great. Not really my area of expertise.

[sapator]

You secure the folders as you secure pages in web config (with location element). So you can set all company users in a role,let's say CompanyArole, and you only allow users from role CompanyArole to access a folder, accordingly you set a role for users in another company, let's say CompanyBrole and you only allow users of CompanyBrole to access a folder. You don't need to go to the server and set different security level for each company,If doable anyhow. If you want to secure folders auto created then of course auto adding them to web.config will be a problem. However you can try this approach: You create a root folder for a company and in that folder you create a new web config. You set the role for the company and you leave the 'path' attribute empty. According to micro$oft: Using location with a missing path attribute applies the configuration settings to the current directory and all child directories. So any folders you create under the root folder will automatically only get the company role you have specified.
Let me know if the last part works as expected, as i haven't tried it.

[gep13]

Hey,

Another approach would be to use an HttpHandler for any request for a particular file type. In the HttpHandler, you would then do the look up against "somewhere" to figure out whether or not the user had permissions to that file.

Gary