While I fail to see why you need full control, the way to test your
privileges is by using the System.Security.AccessControl namespace classes.
Willy.
Which classes specifically? Do I need to call "Directory.GetAccessControl"
and then iterate through the "AccessRules" or is there a function I can call
to check for "Read, Write and Append" access on a directory. Thanks
Fred
Following sample enumerates the ACE collection of a Directory object and
prints the FileSystemRights for the administrators group.
NTAccount acc = new NTAccount("administrators");
SecurityIdentifier secId = acc.Translate(typeof(SecurityIdentifier))
as SecurityIdentifier;
DirectoryInfo dInfo = new DirectoryInfo("c:\\");
DirectorySecurity dSecurity = dInfo.GetAccessControl();
AuthorizationRuleCollection rules = dSecurity.GetAccessRules(
true,
true,
typeof(SecurityIdentifier) );
foreach(FileSystemAccessRule ar in rules)
{
if(secId.CompareTo(ar.IdentityReference as SecurityIdentifier) == 0)
Console.WriteLine(ar.FileSystemRights);
}
Hope it helps.
Willy.
This just seems like a lot of work for something windows does for you when
you try to create, delete, modify files and folders. I can't help but think
there must be a better solution. I basically want the Effective Permissions
tab in Windows Explorer Properties. I've run across references to an
"AccessCheck" function (for Win32), but I have yet find anything
specifically for .NET. I suppose I could wrap the Win32 dlls, but I'm still
holding out for a .NET solution. Another solution I've been considering is
just creating a temporary files and folder in the folders I want to check
and catch exceptions to determine what's allow when I try to manipulate. Of
course I could end up littering files if I can't delete them.
Any additional comments are appreciated. Thank you.
-Fred
"Willy Denoyette [MVP]" <willy.d...@telenet.be> wrote in message
news:eKAaQa32...@TK2MSFTNGP02.phx.gbl...
That's right, you need to do exactly as the OS (the FileSystem in case of
File or Directory) does when accessing the object.
| My understanding is that explicit rules take precedence over inherited
rules
| (can I tell the difference?).
Yes, they do.
Sure, take a look at the IsInherited propery.
Also, denied take precedence over allowed. Do
| I just assume owners have full control?
|
Denied take precedence.
Owners have it by default, but this can be changed.
| This just seems like a lot of work for something windows does for you when
| you try to create, delete, modify files and folders.
Yes, object access and security checking is hard in Windows, and that
doesn't change with .NET, really. And it's something you should never do
from end-user code, the security API's are mainly meant to be used from
management and security editing applications, not really from user
applications that want to perform access checks.
All you should do from user code is try to open the object, the OS will
perform the required access checks, if it fails you will get a security
exception, if it succeeds you are done. Failures should be really
exceptional when administrator have done their job, most of the time they
point to illegal access.
I can't help but think
| there must be a better solution. I basically want the Effective
Permissions
| tab in Windows Explorer Properties.
What exactly do you mean by this? Do you want to display the same dialog as
the security editor from your code, or do you want to get the same
information? Quite a different task really. You won't find anything simpler,
really.
I've run across references to an
| "AccessCheck" function (for Win32), but I have yet find anything
| specifically for .NET.
AccessCheck is a complex function, before you can call it you need to fetch
a security descriptor, an access token, you need to construct a generic mask
and you need to check the out parameters when done, and don't forget to
check the return code and call SetLastError when anything fails. The lines
of code will largely exceed the pure managed solution (not to mention it's
error prone).
I suppose I could wrap the Win32 dlls, but I'm still
| holding out for a .NET solution. Another solution I've been considering is
| just creating a temporary files and folder in the folders I want to check
| and catch exceptions to determine what's allow when I try to manipulate.
Of
| course I could end up littering files if I can't delete them.
| Any additional comments are appreciated. Thank you.
You don't need to do this, if your Folder and it's inheritance chain is
set-up correctly for the application at hand.
Willy.
I will probably proceed with the 'Access Rules Walk' approach, unless anyone
is aware of any 3rd party code that performs this for .Net 2.0 already. I
will avoid the dll wrapper of 'AccessCheck".
Thanks again for your help.
- Fred
"Willy Denoyette [MVP]" <willy.d...@telenet.be> wrote in message
news:eUcQXkB3...@TK2MSFTNGP05.phx.gbl...