Prevent users from directly accessing files inside our asp.net MVC core web application

Question
-
User-540818677 posted
I have 2 Excel sheets inside my ASP.NET Core MVC web application under a folder named "Files" as follows:
Where I am referencing these files inside my TextFieldParser method as follows:

    public class HomeController : Controller
    {
        protected IWebHostEnvironment _host; // using Microsoft.AspNetCore.Hosting

        public HomeController(IWebHostEnvironment webHostEnvironment)
        {
            _host = webHostEnvironment;
        }

        public IActionResult Index()
        {
            string YOURCURRENTFILE = _host.ContentRootPath + @"/Files/v2.csv";
            // TextFieldParser lives in Microsoft.VisualBasic.FileIO
            using (TextFieldParser parser = new TextFieldParser(YOURCURRENTFILE))
            {
                // USE YOUR TextFieldParser logic
            }
            return View();
        }
    }

Inside my startup.cs I have the following app.UseStaticFiles(); as follows:

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
        }
        else
        {
            app.UseStaticFiles();
        }
    }

So in my case can users directly access the files? Or can they only access them through my action methods?
Thursday, June 4, 2020 9:26 PM
All replies
-
User-474980206 posted
Not by default. The static file handler only looks in wwwroot. I don't think the files will be included in the deploy by default. The data folder was set up for data files to be deployed.
Thursday, June 4, 2020 10:10 PM -
User-540818677 posted
> Not by default. The static file handler only looks in wwwroot. I don't think the files will be included in the deploy by default. The data folder was set up for data files to be deployed.
Can you please explain what you mean by "I don't think the files will be included in the deploy by default"?
Thursday, June 4, 2020 10:17 PM -
User2078676645 posted
Hi,
Files in static folders are public by default. I suggest you put the Files folder in another directory, access it by absolute path, then customize an action filter to determine if this file is accessible and parse the file.
Regards,
Evern
Friday, June 5, 2020 1:43 AM -
User711641945 posted
Hi johnjohn123123,
> so in my case can users directly access the files? or they can only access them through my action methods?
If you do not configure like below, nobody could directly access the files in /Files folder and only could access them through the action:

    app.UseStaticFiles();
    app.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = new PhysicalFileProvider(
            Path.Combine(Directory.GetCurrentDirectory(), "Files")),
        RequestPath = "/Files"
    });

Best Regards,
Rena
Friday, June 5, 2020 7:03 AM -
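One way to keep the CSV files reachable only through application code, as the reply above describes (an added example, not code from any poster in this thread; `ImportController`, `Run` and `ResolveCsv` are hypothetical names). The folder stays under the content root, outside wwwroot, and the action requires an authenticated user and rejects any name that resolves outside Files.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;

[Authorize] // only signed-in users reach any action in this controller
public class ImportController : Controller // hypothetical controller name
{
    private readonly string _filesRoot;

    public ImportController(IWebHostEnvironment env)
    {
        // ContentRootPath/Files is outside wwwroot, so a plain
        // app.UseStaticFiles() never maps a URL onto it.
        _filesRoot = Path.GetFullPath(Path.Combine(env.ContentRootPath, "Files"))
                     + Path.DirectorySeparatorChar;
    }

    // Returns the full path only when 'name' resolves to an existing .csv
    // inside _filesRoot; "..\" sequences and rooted paths resolve elsewhere
    // and are rejected by the prefix check.
    private string ResolveCsv(string name)
    {
        if (string.IsNullOrWhiteSpace(name)) return null;
        string full = Path.GetFullPath(Path.Combine(_filesRoot, name));
        bool inside = full.StartsWith(_filesRoot, StringComparison.Ordinal);
        bool isCsv = string.Equals(Path.GetExtension(full), ".csv",
                                   StringComparison.OrdinalIgnoreCase);
        // System.IO.File is spelled out because Controller has its own File() method.
        return inside && isCsv && System.IO.File.Exists(full) ? full : null;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Run(string name)
    {
        string path = ResolveCsv(name);
        if (path == null) return NotFound();

        int rows = 0;
        using (var reader = new StreamReader(path))
        {
            // Stand-in for the real CSV parsing and database update.
            while (reader.ReadLine() != null) rows++;
        }
        return Ok(new { file = Path.GetFileName(path), rows });
    }
}
```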
User-540818677 posted
> Hi johnjohn123123,
> > so in my case can users directly access the files? or they can only access them through my action methods?
> If you do not configure like below, nobody could directly access the files in /Files folder and only could access them through the action:
>
>     app.UseStaticFiles();
>     app.UseStaticFiles(new StaticFileOptions
>     {
>         FileProvider = new PhysicalFileProvider(
>             Path.Combine(Directory.GetCurrentDirectory(), "Files")),
>         RequestPath = "/Files"
>     });
>
> Best Regards,
> Rena
Thanks for the reply, so in my case the files are not accessible by users, and will only be accessible inside my code? Is this correct?
Friday, June 5, 2020 9:04 AM -
User503812343 posted
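
    // Must run after app.UseAuthentication() so context.User is populated.
    // app.Use is used instead of app.Map: inside a Map("/Files") branch the
    // "/Files" prefix is moved to PathBase, so the path check would never match.
    app.Use(async (context, next) =>
    {
        if (context.Request.Path.StartsWithSegments("/Files")
            && !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return; // short-circuit: the static file middleware is not reached
        }
        await next(); // everyone else continues down the pipeline
    });
    app.UseStaticFiles();

This code will allow only authenticated users to access Files folder. Notice this code needs to be before "app.UseStaticFiles"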
Friday, June 5, 2020 1:45 PM -
User-540818677 posted
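>     // Must run after app.UseAuthentication() so context.User is populated.
>     // app.Use is used instead of app.Map: inside a Map("/Files") branch the
>     // "/Files" prefix is moved to PathBase, so the path check would never match.
>     app.Use(async (context, next) =>
>     {
>         if (context.Request.Path.StartsWithSegments("/Files")
>             && !context.User.Identity.IsAuthenticated)
>         {
>             context.Response.StatusCode = StatusCodes.Status401Unauthorized;
>             return; // short-circuit: the static file middleware is not reached
>         }
>         await next(); // everyone else continues down the pipeline
>     });
>     app.UseStaticFiles();
>
> This code will allow only authenticated users to access Files folder. Notice this code needs to be before "app.UseStaticFiles"
And without this code, they will not be able to access the files, which is what I am looking for? Is this correct?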
Thanks
Friday, June 5, 2020 2:01 PM -
User503812343 posted
What is the purpose of keeping files there?
Check this to deny access to all users/browser requests but allow only the application to access it: https://ngohungphuc.wordpress.com/2018/07/13/prevent-access-to-static-folder-using-asp-net-core-middleware/
Friday, June 5, 2020 4:20 PM -
User-540818677 posted
> What is the purpose of keeping files there?
> Check this to deny access to all users/browser requests but allow only the application to access it: https://ngohungphuc.wordpress.com/2018/07/13/prevent-access-to-static-folder-using-asp-net-core-middleware/
I am keeping the files there as I have an action method which will read the .csv files and update the database, so I want my application to read the files, but do not want users to be able to read them... So do I have this by default based on my above settings?
Friday, June 5, 2020 4:31 PM -
User711641945 posted
Hi johnjohn123123,
> Thanks for the reply, so in my case the files are not accessible by users, and will only be accessible inside my code? Is this correct?
That's it. You are right.
Best Regards,
Rena
Wednesday, June 17, 2020 8:17 AM