Developer forum


Can access files, though I'm not supposed to have permission to do so

Eva Rasmussen

Hi guys,

DW has a feature to put permissions on a folder in Files, just as you would on pages, to make sure only users with the right logins can see them.

However, I find that this does not work on files. I can still access the files if I have the link, although I don't have the permissions to see them.

It makes sense that this wouldn't work, since I'm accessing the files directly on the server with the link, and thus not going through DW.

But why do you have this feature then, and how is it supposed to work? :)

Best regards, Eva



Replies

Nicolai Pedersen
This post has been marked as an answer

Hi Eva

There is a very short description in the manual here: http://doc.dynamicweb.com/get-started/introduction/installation/installation#sideNavTitle1-5

There are 2 scenarios:

  1. Manage backend access - who can upload, browse and delete files in a folder.
  2. Manage frontend access - who can download files

@1: Folders will hold files that can be seen and downloaded in the frontend - so that is a pure backend UI thing, to avoid users uploading or deleting the wrong files in the wrong places.

@2: You want to disable direct download. To do that, you first need to set the secure folder under /Files (HAS to be Files) - see dump #1. That will give you a "Secure" folder in the filemanager, see dump #2. Then you need to disable access to the files in IIS, see dump #3.

Now when browsing the frontend, you will see that links to files will be /Admin/Public/DWSDownload.aspx?File=*** - and now permissions will be handled.

I know this seems really complicated, and it is, but it has something to do with how IIS works (worked) and what we can check from our code when downloading files directly.

Hope this clarifies a bit.

BR Nicolai

Attachments: Capture.PNG, Capture1.PNG, Capture2.PNG
Mikkel Ulstrup

Hi,


I am having trouble getting the frontend part to work.

Secure folder:

https://www.screencast.com/t/tw9pT1BLdwcf

https://www.screencast.com/t/xBELqIrPm9

Permissions:

https://www.screencast.com/t/zZjwvX0YSH

IIS:

https://www.screencast.com/t/f8yMDi5CRH2


I am using the "/Admin/Public/DWSDownload.aspx?File=" but ALL files get served. What am I missing?


Kind regards

Mikkel Ulstrup

Nicolai Pedersen

Hi Mikkel

Are you sure you are not logged into the backend while doing the test? Try an incognito window...

BR Nicolai

Mikkel Ulstrup

I use two different browsers for frontend and backend. I also tried incognito...

So, the settings are correct?


Edit: file types like .config do not get served.

Nicolai Pedersen

Hi Mikkel

When testing on my local environment, I get an Access denied. See dump.

Try checking your /Globalsettings/System/Filesystem/FilesFolderName setting - it should say Files. Otherwise I need access to the server/iis/solution to debug your setup.

BR Nicolai

Attachment: Capture.PNG
Mikkel Ulstrup

I get access denied if i use:

/Admin/Public/DWSDownload.aspx?file=Files/Files/Perfion/FileName.pdf


The file gets served if I use:

/Admin/Public/DWSDownload.aspx?file=Files\Perfion\FileName.pdf


And yes, I have checked that the file does not exist in the parent folder :)
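The two spellings above name the same file yet get different answers, which is the signature of a permission check performed on the raw File parameter rather than on the path that is actually opened. Below is an added example, in Python, modelling that pattern next to its fix; it is not Dynamicweb's DWSDownload code, and the secure folder location, the files "on disk", the folder ACL and the ACL inheritance rule (a child folder cannot widen what its parents allow) are all constructed for the example.

```python
"""Model of a secure-folder download check that is not fooled by path spelling.

Added example, not Dynamicweb's DWSDownload code. The secure folder, the files
"on disk" and the folder ACL are constructed for the example.
"""
from __future__ import annotations

import posixpath

SECURE_REL = "Files/Files/Secure"  # assumed secure folder, relative to the web root

# Constructed disk contents: web-root-relative paths of files that exist.
FILES_ON_DISK = {
    "Files/Files/Public/brochure.pdf",
    "Files/Files/Secure/Perfion/FileName.pdf",
}

# Constructed folder ACL: folder -> groups allowed to download from it. Unlisted
# folders inherit from their ancestors, and a child folder cannot widen what a
# parent allows (an assumed content-tree-like rule, not DW's documented one).
FOLDER_ACL = {
    "Files/Files/Secure": {"Customers", "Perfion users"},
    "Files/Files/Secure/Perfion": {"Perfion users"},
}


def canonical_relative(file_param: str) -> str | None:
    """Normalise the File parameter to one web-root-relative POSIX path.

    Backslashes count as separators, empty components collapse, and '.' / '..'
    components are rejected (None) rather than resolved: a download endpoint
    has no legitimate use for them, so refusing is safer than normalising."""
    parts = [p for p in file_param.replace("\\", "/").split("/") if p]
    if not parts or any(p in (".", "..") or "\0" in p for p in parts):
        return None
    return "/".join(parts)


def effective_groups(rel_file: str) -> set[str] | None:
    """Groups allowed to download rel_file, or None when it lies outside the secure folder.

    Walks from the top folder down to the file's folder, intersecting every ACL
    entry met on the way; a secure folder with no entry at all denies everyone."""
    folder = posixpath.dirname(rel_file)
    if folder != SECURE_REL and not folder.startswith(SECURE_REL + "/"):
        return None
    allowed = None
    prefix = ""
    for comp in folder.split("/"):
        prefix = comp if not prefix else prefix + "/" + comp
        if prefix in FOLDER_ACL:
            allowed = set(FOLDER_ACL[prefix]) if allowed is None else allowed & FOLDER_ACL[prefix]
    return allowed if allowed is not None else set()


def naive_is_protected(file_param: str) -> bool:
    """The bug pattern: a prefix test on the raw parameter. 'Files\\Files\\Secure\\...'
    and '/Files/Files/Secure/...' both fail it although they name protected files."""
    return file_param.startswith(SECURE_REL + "/")


def naive_authorize(file_param: str, user_groups: set[str]) -> int:
    """Vulnerable handler: permission decided on the raw value, file opened via the
    normalised path, so an unrecognised spelling is served with no check at all."""
    rel = canonical_relative(file_param)
    if rel is None or rel not in FILES_ON_DISK:
        return 404
    if not naive_is_protected(file_param):
        return 200  # bypass: the protected file is treated as public
    allowed = effective_groups(rel) or set()
    return 200 if user_groups & allowed else 403


def authorize(file_param: str, user_groups: set[str]) -> int:
    """Hardened handler: the HTTP status to answer with, 200 (serve), 403 or 404.

    The permission decision and the file lookup use the same canonical path, and
    a refusal is a real 403, not a 200 whose body says "access denied"."""
    rel = canonical_relative(file_param)
    if rel is None or rel not in FILES_ON_DISK:
        return 404
    allowed = effective_groups(rel)
    if allowed is None:
        return 200  # public file outside the secure folder
    return 200 if user_groups & allowed else 403


if __name__ == "__main__":
    target = "Files\\Files\\Secure\\Perfion\\FileName.pdf"
    print("naive, anonymous :", naive_authorize(target, set()))          # 200: leaked
    print("fixed, anonymous :", authorize(target, set()))                # 403
    print("fixed, Customers :", authorize(target, {"Customers"}))        # 403, child restricts
    print("fixed, Perfion   :", authorize(target, {"Perfion users"}))    # 200
```

The point is the ordering: canonicalise first, then decide protection and open the file from that one canonical path. Any check that looks at the query string as typed will eventually meet a spelling it does not recognise.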

Nicolai Pedersen

I see the same thing....!§#%&/()=

I've sent this to QA for verification and possible fixing.

BR Nicolai

Oleg Rodionov (Dynamicweb Employee)

Hi all,

I was able to reproduce the issue as well - good catch! New TFS 43848 has been submitted against the bug and will be fixed in a further hotfix/release. Thanks for observing.

BR, Oleg

Kristian Kirkholt (Dynamicweb Employee)

Hi Oleg

The problem regarding #43848 "Files can be got served in FM security folder" has now been resolved in Dynamicweb version 9.3.11

To upgrade please choose this version from backend or download from here:

http://doc.dynamicweb.com/releases-and-downloads/releases

Let me know if you need any more help regarding this

Kind Regards
Dynamicweb Support
Kristian Kirkholt

Mikkel Ulstrup

Hi,

I have downloaded and installed 9.3.11. I get the following result:

On the protected folder: Set "All Allowed" on my protected folder.

  1. When not logged in, the DWSDownload.aspx file gets served with the content "access denied" - this should be a 404, 401 or 403 instead.
  2. When logged in with any user the files get served correctly


If I set the "Denied" permission on the protected folder and "Allowed" on a subfolder, the files in the allowed subfolder do not get served.


Kind regards

Mikkel Ulstrup

Nicolai Pedersen

Hi Mikkel

I've asked QA to look into issue 2 if it is a bug or not.

Sorry about the inconvenience and have a nice weekend!

BR Nicolai

Mikkel Ulstrup

I think I was too quick to post. Here is what I would expect:

1. All allowed on protected folder:

a. All files should be available for all users (even not logged in) - this is not the case.

b. No one should get a 401, 403 or 404, and they should definitely not get served the DWSDownload.aspx as a downloadable document.

c. It should be possible to set permissions on subfolders, to deny access to multiple folders.

2. All denied on protected folder:

a. All files should return 401, 403 or 404 - The DWSDownload.aspx should not be served as a downloadable document.

b. It should be possible to allow permissions on subfolders.


Hope this makes sense!


Kind regards

Mikkel Ulstrup

Olga Shedko (Dynamicweb Employee)

Hello Mikkel,

New TFS 45082 has been created, thank you for observing.

Best regards,

Olga

Nicolai Pedersen

Hi Mikkel

Just a heads up - we are still discussing your point 2. It has to work like the content tree, and we might not be able to change this if it is not broken behavior. If it has worked differently in the past, it will have to continue to be the same...

Also note that you will get a new permission model in 9.4 next week.

BR Nicolai

Mikkel Ulstrup

Thank you for your response!


When is TFS 45082 due?


Kind regards

Mikkel Ulstrup

Nicolai Pedersen

Hotfixes are on Tuesdays, so if all is taken in as a bug, it should be ready for you next Tuesday.

Nicolai Pedersen

Hi Mikkel

We looked into this again, and it works as designed and the same way as the content tree - also this is in production on solutions as is, so changing how this works is not an option for the time being. So you would have to structure your folders differently to accomplish what you want.

We still have an item on changing the response from 200 to a 403.

BR Nicolai
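The checks Mikkel ran by hand in this thread can be scripted, which matters because the behaviour changed between hotfixes. The following is an added example, not code from the thread or from Dynamicweb: it requests one protected file through /Admin/Public/DWSDownload.aspx in several spellings of the same path (the forward-slash and backslash forms reported earlier among them) and flags both an outright leak and the 200-with-"access denied"-body answer that the post above says is to become a 403. The base URL and file path are placeholders, and the classification rules are the example's own.

```python
"""Probe a DWSDownload-style endpoint for the failure modes reported in this thread.

Added example, not Dynamicweb code. Base URL and file path are placeholders. Run it
from a client with no backend session cookie (the incognito-window advice above),
so the answers reflect anonymous frontend access.
"""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/Admin/Public/DWSDownload.aspx"  # the handler named in the thread


def spellings(rel_path: str) -> list[str]:
    """Spellings of one path that a permission check must treat identically.

    Values are sent verbatim as the File= parameter, so the encoded variant
    reaches the server exactly as written here."""
    fwd = rel_path.replace("\\", "/").strip("/")
    back = fwd.replace("/", "\\")
    return [
        fwd,                                 # Files/Files/Secure/x.pdf
        "/" + fwd,                           # leading slash
        back,                                # backslashes: the bypass reported above
        urllib.parse.quote(back, safe=""),   # same, percent-encoded (%5C)
        fwd.replace("/", "//", 1),           # doubled separator
    ]


def classify(status: int, headers: dict[str, str], body: bytes) -> str:
    """Map one response to 'served', 'denied', 'soft-denied', 'missing' or 'other:<code>'.

    'soft-denied' is the 9.3.11 symptom described above: a 200 whose payload is
    just the text "access denied", or a download named after the .aspx itself."""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "missing"
    if status != 200:
        return f"other:{status}"
    disposition = next((v for k, v in headers.items() if k.lower() == "content-disposition"), "")
    text = body.decode("utf-8", errors="replace").strip().lower()
    if (text.startswith("access denied") and len(body) < 256) or "dwsdownload.aspx" in disposition.lower():
        return "soft-denied"
    return "served"


def verdict(outcome: str, should_be_allowed: bool) -> str:
    """Judge an outcome against the permission the tester set on the folder.

    For a protected file any of 401/403/404 is acceptable; a 200 is not, whatever
    its body says."""
    if should_be_allowed:
        return "OK" if outcome == "served" else f"FAIL: expected the file, got {outcome}"
    if outcome in ("denied", "missing"):
        return "OK"
    if outcome == "soft-denied":
        return "FAIL: refused, but as a 200 download instead of a 403"
    return f"FAIL: protected file {outcome}"


def fetch(base_url: str, file_param: str) -> tuple[int, dict[str, str], bytes]:
    """GET one spelling; 4xx answers are returned like any other, not raised."""
    url = f"{base_url.rstrip('/')}{ENDPOINT}?File={file_param}"
    req = urllib.request.Request(url, headers={"User-Agent": "secure-folder-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def probe(base_url: str, rel_path: str, should_be_allowed: bool) -> list[tuple[str, str]]:
    """Every spelling of rel_path with its verdict; any FAIL means the folder
    leaks or refuses in the wrong way."""
    return [
        (s, verdict(classify(*fetch(base_url, s)), should_be_allowed))
        for s in spellings(rel_path)
    ]


if __name__ == "__main__":
    # Placeholder target: a file the anonymous user must not be able to download.
    for spelling, result in probe("https://example.invalid", "Files/Files/Secure/Perfion/FileName.pdf", False):
        print(f"{result:55} File={spelling}")
```

Run it once against a folder set to Denied and once, with should_be_allowed=True, against a folder set to Allowed, both as an anonymous client; every row should read OK before the setup is trusted, and the script is worth keeping for re-running after each hotfix.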

Mikkel Ulstrup

Hi Nicolai,

That is understandable. I can make the structure work by reordering the folders.


Do you have an example of how to check if a user has right to access a folder?

The functionality is needed in a product extender.


Kind regards

Mikkel Ulstrup

Nicolai Pedersen

Hi Mikkel

This is how dwsdownload does it:

// Virtual path of the requested file, below the secure folder
string file = "/Files/Files/SecureFolder/SubFolder/File.txt";
LoginHandler loginHandler = new LoginHandler();
// Server.MapPath turns the virtual path into the physical path the check expects;
// the result is true only if the current user may access that folder
bool folderAccess = loginHandler.CheckSecureFolderAccess(Server.MapPath(file));

BR Nicolai
