3

I am trying to restrict users(except admin) to access my folder images. For example the path is:

~/content/images/coverBeg.jpg

If the user navigates to domain/content/images/coverBeg.jpg, he can see the file. I've tryied different sort of things but none of them worked for me. In web config file i've added :

    <location path="~/content/images">
    <system.web>
      <authorization>
        <allow roles="Admin"/>
        <deny users ="*" />
      </authorization>
    </system.web>
  </location>

With no success. After that i've added a web config file to images folder and add those lines of code :

<?xml version="1.0"?>
<configuration>

    <system.web>
      <authorization>
        <allow roles="Admin"/>
        <deny users ="*" />
      </authorization>
    </system.web>

</configuration>

Neither this worked for me. Still everyone can access coverBeg.jpg file

ucnobi ucnobi
  • 255
  • 1
  • 5
  • 16

1 Answers1

3

It's because static content, like images, are served directly by IIS, not involving MVC pipeline. To change that, you can do the following:

add 

<modules runAllManagedModulesForAllRequests="true">

to <system.webServer> section of site's web.config. It will run MVC pipeline for every request, including static files - like css, js and images.

Then your config from above will work (I mean your 2nd approach).

berliner
  • 1,887
  • 3
  • 15
  • 23
  • Does it safe approach? There are files where users should pay to access, is it safe? – ucnobi ucnobi Feb 13 '16 at 16:59
  • 2
    @ucnobiucnobi as safe as all the rest authentication/authorization mechanism. Basically, what it does - it says IIS to send there requests to MVC, and then standard MVC approach work. – berliner Feb 13 '16 at 17:01