Need help fixing File Delete permission issues! (I'm loosing my hair!)

D

darrel

I know I'm sounding like a broken record. I already asked this question last
week.

Alas, this question seems to be getting very few responses no matter how I
word it or where I post it. Apparently, this is a rather rare occurance (or
maybe people just don't like me...both pluasible theories... ;o)

So, anyways, I'll post it in here one last time as a hail marry...

I'm building an application that can manage some images that are uploaded.
You can upload them, save them, and delete them.

I'm having problems with the delete portion. My directory structure is such:

approot (folder)
images (folder)
deleteTest (aspx page)
admin (forms authenticated folder)
delete (aspx page)

both 'delete' and 'deleteTest' pages in my sample above use the exact same
syntax to delete a file within the images folder.

'deleteTest' does it just fine. 'delete' on the other hand, prompts me for a
username/password then tells me permission is denied on the /images folder.

On both pages, I'm writing out the user information. BOTH pages return the
exact same information:

Page.User.Identity.Name: testlogin
System.Security.Principal.WindowsIdentity.GetCurrent().Name:
WIN17\abernath
System.Threading.Thread.CurrentPrincipal.Identity.Name: testlogin

'testlogin' is blank on the 'deleteTest' page if I haven't yet logged in.
Either way, though, that page can delete files just fine.

So, I'm stumped. It appears both threads are running as the same user, but
if I run the function from within my authenticated error, I'm denied access.

My web host claims all appropriate permissions are set.

Some theories I've gotten from others:

- I need to impersonate (though impersonate what? ASPNET?)
- I need to allow the server to grant permission to authetnicated users
(can I do that via my app, or would that be something the web
host always has to set up manually?)
- ???

I'm at the point where I'm just going to do a really hacky workaround:

I'll have a 'deleteConfirm' page OUTSIDE my authenticated folder. From
within my authenticated folder, when someone clicks DELETE, the image
information to delete will be saved in a DB table, then the page will
redirect to the 'deleteConfirm' page which will then look into that same
table and if it sees any data, will grab it, delete the images, then delete
the data. Seems OK, but, obviously, an insane workaround. ;o)

Is there anyone with IIS/asp.net/permission experience that could shed some
light on this problem for me?

Thanks!
 
D

darrel

Alternatively, anyone recommend any other places to ask a question like
this? I've had zero luck getting a response to this one particular question
in here so I assume this might be a niche issue best served by some security
or IIS forum/newsgroup?

-Darrel
 
D

Darrel

You might want to try posting in the Security Forum at www.asp.net :

Thanks. Alas, I've tried that as well with no real responses either. The two
theories that came from there are:

- the authetnicated user doesn't have IIS permissions
- I need to impersonate

If the first is true, that's a big problem, as I don't want people to have
to deal with their web host every time they add a new user to the system
that needs IIS permissions as well.

If the second is true, no one has been able to explain how I'd do that.
Sounds like I'd need to impersonate the default ASPNET user, which seems
backwords from what impersonation actually is (to NOT run as the default
ASPNET user.)

-Darrel
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,901
Latest member
Noble71S45

Latest Threads

Top