Limiting file download based on access level on asp.net

I have a web app made in asp.net mvc3. There is a facility to upload and download files using the application. Uploaded files will be stored in some folder under web root. I want allow downloading files to those who have access to the files only. No one should be able to download the file by directly past开发者_运维技巧ing in the file URL.

I use shared hosting with limited IIS access. So what would be the best way to achieve this?

How are you storing the data on the access rights currently? It sounds like you are not going to be able to make use of IIS to control access to your files and will have to handle it yourself.

As this is the case, rather than link to the file directly you should store the files outside of your web root and then handle requests coming in for files through ASP.NET MVC using a GET method. At that point you can check the user's credentials, and if they have access you can serve the file.

I'm not too familiar with it, but it looks like ASP.NET MVC makes serving up files very easy with the ability to return a FileContentResult, supported by the Controller.File method (documentation here).

This blog post looks like a great start, and you would just need to insert your credential-checking logic into the Get method.