1

I have a file system and a specific path structure on my server that is accessed by impersonated users.

There is a case where a user can't check his own folder's existence.

My folder structure is as follows.

```
Base Path (only admin)
   +->User Profile (only admin)
      +->User's Area (owner user and admin)
```

As an example:

```
...\Base Path\John's Profile\John's area
```

On the file system (NTFS permissions) John only has the rights to access (NTFS permissions) John's Area. And I need to check the existence of John's area programmatically.

```csharp
Directory.Exists("...some other path parts...\Base Path\John's Profile\John's Area");
```

This returns true if I impersonate the admin, but it returns false if I impersonate John.

I thought John would be able to check his own folder's existence, since in the file system, even if he cannot browse through Base Path -> John's Profile to his area, he can go directly to `...\Base Path\John's Profile\John's Area`.

What permissions does he need to check that folder's existence? Or is there something basic I am missing?

Tolga Evcimen
  • Are you sure that `...\ ` works? I know this would have worked in Windows XP, but I'm not so sure about more recent versions of Windows. Perhaps try `..\..\ ` instead. – stakx - no longer contributing Oct 27 '14 at 14:36
  • the dots are just cover for unnecessary path here. For visual sake. – Tolga Evcimen Oct 27 '14 at 14:40
  • Just an idea: maybe you should access current user folder differently, not through base path? Thinking of something like [this](http://stackoverflow.com/a/1141813/1997232). – Sinatr Oct 27 '14 at 15:01
  • Thanks for the idea, but I am not actually going through those folders. I just wanted to make the case clear. On Windows, if I go through those paths it fails, but I can directly jump to the full path. But programmatically I cannot check the full path's existence. – Tolga Evcimen Oct 27 '14 at 15:10
  • My crystal ball says that the user account doesn't have the "List folder contents" right on the parent directories. – Hans Passant Oct 27 '14 at 15:24
  • The term "parent directories" gives me the itches :/ Does it mean user should have "List folder contents" right on each directory up to the root? Because User has "List folder contents" right on the first parent directory only not above it. – Tolga Evcimen Oct 28 '14 at 06:25
  • Sounds like you need to use admin privved account to check for each step of the directory path until you have confirmed the user's directory exists. Then you can swap over to impersonating the user and check if they can access that directory. – StarPilot May 18 '15 at 22:11

1 Answer

0

Well, it sounds like this could be an ASP.NET website. If that is the case, your application is being hosted by Internet Information Services. So you'll have to ensure that the worker process for the system has proper permissions to the directory. Without it, the I/O functions will not succeed.

  • IIS_IUsr is I believe the user.

You have to remember that though it runs on the server within IIS, it isn't using a logged-in user. It is using the IIS Built-In User.

If this isn't hosted within IIS, then your impersonation approach should work. Make sure that it is properly impersonating the account.

You can also do a check like this to verify:

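```csharp
using System;
using System.IO;

public static bool ValidateIOPermission(string path)
{
    try
    {
        // Already present: the current identity can see the directory.
        if (Directory.Exists(path))
            return true;

        // Not visible: try to create it; this throws if the identity lacks rights.
        Directory.CreateDirectory(path);
        return true;
    }
    catch (Exception)
    {
        // Creation failed (for example, access denied).
        return false;
    }
}
```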

So, if it exists, it will return true; if it doesn't, it attempts to write the directory. Then it will throw an exception if it fails to write, returning false. So you'll know if it has failed.

Peter Mortensen
Greg
  • Yes, it is an MVC web application. But isn't it a little weird that when I impersonate the admin it succeeds, despite that it uses `IIS_IUsr` as the built-in user (if, no matter who I impersonate, it uses the built-in user as you say)? – Tolga Evcimen Oct 27 '14 at 14:44
  • It obviously isn't correctly impersonating if you can't `write` to the directory. – Greg Oct 27 '14 at 14:48
  • Who said that I cannot write into the directory? – Tolga Evcimen Oct 27 '14 at 14:54
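
Added example, not part of the original thread: `Directory.Exists` returns `false` on any error, including insufficient permissions, so a `false` result cannot separate "folder is absent" from "this identity may not look". The sketch below uses `File.GetAttributes`, which throws instead of returning `false`; `DirectoryProbe` and `ProbeResult` are hypothetical names, and the sample paths are constructed.

```csharp
using System;
using System.IO;

// Hypothetical names for illustration; not from the question or answer.
public enum ProbeResult { Exists, NotADirectory, NotFound, AccessDenied, OtherError }

public static class DirectoryProbe
{
    // Reports why a path is or is not visible to the identity the calling
    // thread is running as (including an impersonated one).
    public static ProbeResult Probe(string path)
    {
        try
        {
            FileAttributes attrs = File.GetAttributes(path);
            return (attrs & FileAttributes.Directory) != 0
                ? ProbeResult.Exists
                : ProbeResult.NotADirectory;
        }
        // Order matters: the *NotFound exceptions derive from IOException.
        catch (UnauthorizedAccessException) { return ProbeResult.AccessDenied; }
        catch (DirectoryNotFoundException) { return ProbeResult.NotFound; }
        catch (FileNotFoundException) { return ProbeResult.NotFound; }
        catch (IOException) { return ProbeResult.OtherError; }
        catch (ArgumentException) { return ProbeResult.OtherError; }
        catch (NotSupportedException) { return ProbeResult.OtherError; }
    }

    public static void Main()
    {
        // Constructed sample: a temp directory, a file in it, and a missing child.
        string root = Path.Combine(Path.GetTempPath(), "probe-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(root);
        try
        {
            string file = Path.Combine(root, "note.txt");
            File.WriteAllText(file, "sample");
            foreach (string p in new[] { root, file, Path.Combine(root, "missing") })
                Console.WriteLine("{0}: {1} (Directory.Exists = {2})",
                    p, Probe(p), Directory.Exists(p));
        }
        finally
        {
            Directory.Delete(root, true);
        }
    }
}
```

Calling `Probe` inside the impersonation context, once as the admin and once as the user, shows whether the user's `false` comes from an access-denied error or from the path not resolving at all.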