I'm using ASP.NET MVC for my web site, and it is used to show some files uploaded by the admin.

There is a directory (Upload) and the admin puts the files in it.

Now the thing I want to know is that no one can access the file by just browsing the URL below.

'www.mysite.com/Upload/somePdfFiles.pdf'

Now I want to disallow the 'pdf' extension from being downloaded.

Alternatively, I'm going to design a page and get the file path by query string, session, etc. so that I can download the file myself. In this page I'm going to check some privilege.

So how do I disallow the 'pdf' extension from being browsed?

brtb
http://stackoverflow.com/questions/2903292/how-do-i-protect-static-files-with-asp-net-form-auhentication-on-iis-7-5 – Khanh TO Apr 10 '16 at 10:08

2 Answers

I don't think that's possible - you can't differentiate between viewing and downloading because ultimately the actual file content is sent down to the browser and that content is accessible by either saving a document, or by directly accessing the HTTP content with an HTTP client or an HTTP Proxy that can capture the downloaded data.

You can deny access to files in a number of ways so that they are not accessible at all, but you can't make a file 'read-only'. To deny access you can disable access to certain extensions using either IIS filtering, explicit Location exclusion (in web.config) or mapping the extension of choice to the HttpForbiddenHandler.

Whether you view a file as a document in the browser or download it is determined via HTTP headers. If you don't explicitly specify a Content-Disposition: attachment; filename=<filename> in your headers, the browser will try to open the downloaded content inside of the Web browser using an appropriate viewer. For PDF this usually means it'll show in the built-in PDF viewer or installed PDF extension. But even if people use the viewer they can always save the document from the viewer, so you can't make that content read-only.

Rick Strahl

See the HttpForbiddenHandler class and use it in your httpHandlers settings.

e.g.

Restrict links/direct requests to PDF files in /files folder only (403)

<system.webServer>    
    <handlers>
    <!-- If you want to restrict all links
    <add verb="*" name="RestrictPDFGlobal" path="*.pdf" type="System.Web.HttpForbiddenHandler"/>
    -->
      <add verb="*" name="RestrictPDF" path="/files/*.pdf" type="System.Web.HttpForbiddenHandler"/>
    </handlers>
</system.webServer>

Alternatively, I'm going to design a page and get the file path by query string, session, etc. so that I can download the file myself. In this page I'm going to check some privilege.

You could do that (interesting note below) by privileged access - e.g. [Authorize] attribute

Sample, improve as needed:

in Home Controller:

[Authorize]
public FilePathResult DownloadPdf()
{
    var cd = new System.Net.Mime.ContentDisposition
    {
        FileName = "foo.pdf"                
    };
    Response.AppendHeader("Content-Disposition", cd.ToString());
    return File("~/files/foo.pdf", "application/pdf");
}

View:

<p>@Html.ActionLink("PDF Download", "DownloadPdf", "Home")</p>

Note:

The interesting thing here (I don't know the answer) is why the restriction set in config "allows" this approach (where we "manually" return it via Controller -> Action vs a "direct" request like in a link).

Hth

EdSF
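
An added example (not code from either answer) of the gated download page the question describes: an [Authorize] action that takes the file name from the query string and confines it to the upload folder, so the parameter cannot be used to read other files on the server. The controller name, the `name` parameter and the `ResolveUploadPath` helper are assumptions; it targets ASP.NET MVC on System.Web and is meant to sit alongside a handler rule that blocks direct requests to the folder.

```csharp
using System;
using System.IO;
using System.Web.Mvc;

public class DownloadController : Controller   // hypothetical controller name
{
    // Assumption: the admin's upload folder from the question.
    private const string UploadVirtualRoot = "~/Upload/";

    // GET /Download/Pdf?name=somePdfFiles.pdf
    // This URL does not end in .pdf, so a forbidden-handler mapping on *.pdf
    // does not match it; the action reads the file from disk on the server.
    [Authorize]   // add Roles = "..." or a per-file check for finer privilege
    public ActionResult Pdf(string name)
    {
        string fullPath = ResolveUploadPath(Server.MapPath(UploadVirtualRoot), name);
        if (fullPath == null || !System.IO.File.Exists(fullPath))
            return HttpNotFound();

        // The three-argument File() sets Content-Disposition: attachment itself.
        return File(fullPath, "application/pdf", Path.GetFileName(fullPath));
    }

    // Returns the absolute path for a requested name, or null when the name is
    // not a plain *.pdf file name or resolves outside the upload root.
    internal static string ResolveUploadPath(string root, string name)
    {
        if (string.IsNullOrWhiteSpace(name)) return null;

        // Reject directory parts ("..\web.config", "sub/x.pdf") and bad characters.
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (!name.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase)) return null;

        string rootFull = Path.GetFullPath(root);
        if (!rootFull.EndsWith(Path.DirectorySeparatorChar.ToString()))
            rootFull += Path.DirectorySeparatorChar;

        // Canonicalise, then confirm the result is still under the root.
        string candidate = Path.GetFullPath(Path.Combine(rootFull, name));
        return candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)
            ? candidate : null;
    }
}
```

Returning 404 for both a rejected name and a missing file keeps the response from revealing which files exist outside the permitted set.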