Reputation: 9621
I have a website where I also have a "UserFiles" directory which is protected to view its content in browser:
This Virtual Directory does not allow contents to be listed.
The problem is that I have some files here which, if you know the name of the file, for instance:
http://example.com/UserFiles/file.ppt
you can download it.
Is there any way to protect this also from web.config? Or, if the user tries to access this, to do a redirect to the login page?
Please note that I do not use Forms authentication but a custom login and Windows authentication is On.
Thanks,
UPDATE: I will try this for the moment: http://www.dotnetcurry.com/ShowArticle.aspx?ID=270
Upvotes: 4
Views: 2942
Reputation: 4389
If you still want to do this via web.config
, your web.config
file should have this under the httpHandlers
section:
<system.web>
<httpHandlers>
<add verb="*" path="*.ppt" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>
</system.web>
That will block all .ppt files.
Upvotes: 2
Reputation: 32575
When someone needs to download one of those files, do you just redirect them to a URL similar to the one you gave there?
The alternative would be to have a page defined that returns the file, which you can then put whatever permission checks you want in. Using this method also allows you to move that User folder entirely outside of the web folder, so those URLs aren't available at all.
eg:
C:\UserFiles\
C:\inetpub\MyWebFolder\
You just have to make sure that the user account that the web application is running under has appropriate permissions on the C:\UserFiles\ folder.
Upvotes: 0