Stop document downloads from unauthorised users
I have an application where the admin user can create users and upload documents to the server for the created user to download.
When uploading a file it creates a folder using the userid as the folder name and saves in that folder within a folder called documents e.g. ~documents/77b29079-43d6-4520-bc34-77ae2af1b131/documentname.xls
The client then has to log in and will see a list of available documents for that user only. The only problem is that if someone was to get hold of one of the URLs to a document, it can be downloaded without having to log in.
Is there something I can do to stop access to these files? I have tried editing the web.config file to only allow access to certain roles but I could still download a document without logging in.
<location path="documents">
  <system.web>
    <authorization>
      <allow roles="Admin, Client"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Thanks for your help. J.
The link provided by @rlb.usa in the comments has two good methods. Another alternative is storing the documents in a database and using application code or database security to determine who has access to what. That, of course, comes with a different set of problems and advantages. If you are using SQL Server, this hits on some of the pros and cons.
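One way to let application code decide who gets which file, as an added example that is not from the original question or answer: an ASP.NET handler that ties the folder to the logged-in user instead of to the URL. Assumptions: the handler name, the `file` and `user` query parameters, the move of the files to `~/App_Data/documents`, and that folder names are the membership `ProviderUserKey`.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;

// Hypothetical handler (e.g. Download.ashx); not code from the original post.
public class DownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Anonymous callers never reach the file system.
        if (!context.User.Identity.IsAuthenticated) { context.Response.StatusCode = 401; return; }
        MembershipUser user = Membership.GetUser();
        if (user == null) { context.Response.StatusCode = 401; return; }

        // Assumption: folder names are the membership ProviderUserKey (a GUID).
        Guid owner = (Guid)user.ProviderUserKey;

        // Only Admin may ask for another user's folder via ?user=<guid>.
        Guid requested;
        if (Guid.TryParse(context.Request.QueryString["user"], out requested) && requested != owner)
        {
            if (!context.User.IsInRole("Admin")) { context.Response.StatusCode = 403; return; }
            owner = requested;
        }

        // Assumption: files live under ~/App_Data/documents, which ASP.NET
        // does not serve directly, so this handler is the only way in.
        string root = context.Server.MapPath("~/App_Data/documents");
        string userDir = Path.Combine(root, owner.ToString()) + Path.DirectorySeparatorChar;

        // Reject anything that is not a bare file name (no '\', '/', ':' ...).
        string name = context.Request.QueryString["file"] ?? "";
        if (name.Length == 0 || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        { context.Response.StatusCode = 404; return; }

        // Resolve the path and confirm it is still inside the owner's folder
        // (catches "." and ".."); File.Exists is false for directories.
        string full = Path.GetFullPath(Path.Combine(userDir, name));
        if (!full.StartsWith(userDir, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        { context.Response.StatusCode = 404; return; }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(full);
    }
}
```

A leaked link to this handler is of no use to an anonymous visitor, and a logged-in client who edits the `user` parameter gets a 403 rather than another user's file.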