
I have to check whether the user that logs into the system and runs the application has specified permissions on some file. The user that runs the application is in the "BUILTIN\Administrators" group. While the file is local everything goes fine. I use this code (an adapted version from the answers to Checking for directory and file write permissions in .NET):

using System;
using System.Security.AccessControl;
using System.Security.Principal;

public static class PermissionCheck
{
    // Walks the file's access rules and reports whether the current user holds
    // `permission`. An explicit Deny wins outright; an explicit Allow wins over an
    // inherited Deny; an inherited Allow counts only when no inherited Deny matched.
    private static bool HasPermission(FileSystemRights permission, AuthorizationRuleCollection accessRules)
    {
        var allow = false;
        var inheritedDeny = false;
        var inheritedAllow = false;

        if (accessRules == null)
            return false;
        var currentUser = WindowsIdentity.GetCurrent();
        var currentPrincipal = new WindowsPrincipal(currentUser);

        foreach (FileSystemAccessRule rule in accessRules)
        {
            // Skip rules that do not cover every requested right.
            if ((permission & rule.FileSystemRights) != permission)
                continue;

            // Membership is tested by account name, e.g. "BUILTIN\Administrators".
            if (!currentPrincipal.IsInRole(rule.IdentityReference.Value))
            {
                continue;
            }

            if (rule.AccessControlType == AccessControlType.Allow)
            {
                if (rule.IsInherited)
                    inheritedAllow = true;
                else
                    allow = true;
            }
            else if (rule.AccessControlType == AccessControlType.Deny)
            {
                if (!rule.IsInherited)
                    return false;
                inheritedDeny = true;
            }
        }
        var combined = allow || (inheritedAllow && !inheritedDeny);
        return combined;
    }
}

But when I try to check permissions on a network shared file I have an issue. For example, a file is shared with a FullControl access rule for a remote computer user, and that remote user is also in the "BUILTIN/Administrators" group. For "Everyone" group users it is a ReadOnly file.

So when I check this with my current, locally logged-in user by using this code:

if (!currentPrincipal.IsInRole(rule.IdentityReference.Value))
{
    continue;
}

I do not go inside the IF condition because my logged-in user is also in the "BUILTIN/Administrators" group. So the code returns TRUE, but in real life I have no write access to that file.

How can I distinguish local and remote Administrators group users?

PS: I do not want to use exceptions to check accessibility; this will be the "last hope" code.

  • I think this is more of a Windows permissions configuration issue than a code thing. When you want to do file sharing (as you do) you should, normally, use domain groups and users, not local groups or local users (such as builtin/administrators) because they are like independent worlds. So I would suggest creating a domain group with one user in it and using that account when connecting to the remote files (and, to make things easier, this will run your app process too); just a suggestion. – Jportelas Jun 30 '14 at 20:18
  • There is a case where a user shares his files, and my application has to open them in write or read mode. And right now I cannot decide which mode to choose without trying to modify the file somehow before opening it. I cannot force the user to share files in some special way; I just need to choose: connect for write, or for read, or do not connect at all. – user3790299 Jul 01 '14 at 13:04
  • Hi, if they want to share files they will have to explicitly assign users to the share at some point unless you use a domain administrator account (if I am not wrong). So unless you want to code a whole system to share files (e.g. where every client runs a local service that handles remote requests) you will have to ask the users to explicitly share the file with one user or group so this can work (that's the only way I know). – Jportelas Jul 02 '14 at 17:39
  • I want to clarify. It is not important how users share files. It is important that the code above, when asked for write permission, returns true on files which are definitely not writable. I need to somehow discover that without trying to open the file for writing. – user3790299 Jul 02 '14 at 21:28
  • OK, I think that you might need to check if the Windows user is in a role by the "SecurityID" and not by name, since the name is going to be the same; check this: http://msdn.microsoft.com/en-us/library/wak3kd03(v=vs.110).aspx and hopefully I got you right this time. – Jportelas Jul 03 '14 at 13:30
  • Did you ever get an answer to this? I've got the same problem. I have a service that processes files in a directory and a configuration tool for the service. My users are asking me to deny users the ability to configure the service for a directory if they cannot write to it. I'm using similar code to what you have above, but it's not enough. Through the network share all users have read access. – tdemay Jan 11 '18 at 23:29
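The SID-based check suggested in the comments, written out as an added example (not code from the question or from any answer): it resolves each ACE to a SecurityIdentifier, evaluates the DACL in canonical order, and, because BUILTIN\Administrators carries the same well-known SID on every machine, refuses to decide when a remote file's ACE only matches through a BUILTIN group. `AccessVerdict`, `ShareAclCheck.Evaluate` and the `isRemote` flag are this example's own names; `rules` is assumed to come from `new FileInfo(path).GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier))`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

// Tri-state result: a client-side ACL walk cannot always decide access on a share.
public enum AccessVerdict { Allowed, Denied, Undecidable }

public static class ShareAclCheck
{
    // wanted: the rights to test; rules: GetAccessRules(true, true, typeof(SecurityIdentifier));
    // isRemote: true when the file lives on a UNC path (the caller's judgment).
    public static AccessVerdict Evaluate(FileSystemRights wanted,
                                         AuthorizationRuleCollection rules, bool isRemote)
    {
        if (rules == null || wanted == 0) return AccessVerdict.Undecidable;
        // SIDs in the caller's token. WindowsIdentity.Groups omits deny-only (UAC-filtered)
        // groups, so a Deny ACE aimed at such a group is not seen by this check.
        var me = WindowsIdentity.GetCurrent();
        var mySids = new HashSet<SecurityIdentifier> { me.User };
        foreach (var g in me.Groups)
            mySids.Add((SecurityIdentifier)g.Translate(typeof(SecurityIdentifier)));

        // Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
        // Grant once every wanted bit is allowed; deny when a Deny ACE hits an ungranted bit.
        var ordered = rules.Cast<FileSystemAccessRule>()
                           .OrderBy(r => r.IsInherited)
                           .ThenByDescending(r => r.AccessControlType); // Deny (1) before Allow (0)
        FileSystemRights granted = 0;
        foreach (var rule in ordered)
        {
            var sid = (SecurityIdentifier)rule.IdentityReference.Translate(typeof(SecurityIdentifier));
            if (!mySids.Contains(sid)) continue;
            // BUILTIN groups (S-1-5-32-*) have the same SID on every machine, so matching the
            // local token proves nothing about the server's BUILTIN\Administrators. Server-local
            // accounts (S-1-5-21-<server>-*) never match the local token; domain SIDs match on both sides.
            if (isRemote && sid.Value.StartsWith("S-1-5-32-")) return AccessVerdict.Undecidable;
            if (rule.AccessControlType == AccessControlType.Deny)
            {
                if ((rule.FileSystemRights & wanted & ~granted) != 0) return AccessVerdict.Denied;
                continue;
            }
            granted |= rule.FileSystemRights & wanted;
            if (granted == wanted) return AccessVerdict.Allowed;
        }
        return AccessVerdict.Denied; // no chain of Allow ACEs covered every wanted right
    }
}
```

Share-level permissions are not part of the NTFS DACL, so even Allowed is only a prediction; the server's own access check when the file is opened remains the authoritative answer.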
