Prevent users from directly accessing files inside our asp.net MVC core web application

  • Question

  • User-540818677 posted

    I have 2 Excel sheets inside my ASP.NET Core MVC web application under a folder named "Files". I am referencing these files inside my TextFieldParser method as follows:

    using Microsoft.AspNetCore.Hosting;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.VisualBasic.FileIO; // TextFieldParser

    public class HomeController : Controller
    {
        protected IWebHostEnvironment _host;

        public HomeController(IWebHostEnvironment webHostEnvironment)
        {
            _host = webHostEnvironment;
        }

        public IActionResult Index()
        {
            // The file lives under the content root, not under wwwroot
            string YOURCURRENTFILE = _host.ContentRootPath + @"/Files/v2.csv";
            using (TextFieldParser parser = new TextFieldParser(YOURCURRENTFILE))
            {
                // USE YOUR TextFieldParser logic
            }

            return View();
        }
    }

    Inside my Startup.cs I have the following app.UseStaticFiles(); as follows:

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // (contents omitted in the original post)
        }
        else
        {
            // (contents omitted in the original post)
        }

        app.UseStaticFiles();
        // (rest of the method omitted in the original post)
    }

    So in my case, can users directly access the files? Or can they only access them through my action methods?

    Thursday, June 4, 2020 9:26 PM

All replies

  • User-474980206 posted

    Not by default. The static file handler only looks in wwwroot. I don't think the files will be included in the deploy by default. The data folder was set up for data files to be deployed.

    Thursday, June 4, 2020 10:10 PM
  • User-540818677 posted

    > not by default. the static file handler only looks in wwwroot. I don't think the files will be included in the deploy by default. the data folder was setup for data files to be deployed.

    Can you please explain what you mean by "I don't think the files will be included in the deploy by default"?

    Thursday, June 4, 2020 10:17 PM
  • User2078676645 posted

    Hi,

    Files in static folders are public by default. I suggest you put the Files folder in another directory, access it by absolute path, then customize an action filter to determine if this file is accessible and parse the file.

    Regards,

    Evern 

    Friday, June 5, 2020 1:43 AM
  • User711641945 posted

    Hi johnjohn123123,

    >so in my case can users directly access the files? or they can only access them through my action methods?

    If you do not configure like below, nobody could directly access the files in the /Files folder and they could only access them through the action:

    app.UseStaticFiles();
    app.UseStaticFiles(new StaticFileOptions
    {
          FileProvider = new PhysicalFileProvider(
          Path.Combine(Directory.GetCurrentDirectory(), "Files")),
          RequestPath = "/Files"
    });

    Best Regards,

    Rena

    Friday, June 5, 2020 7:03 AM
  • User-540818677 posted

    > Hi johnjohn123123,
    >
    > >so in my case can users directly access the files? or they can only access them through my action methods?
    >
    > If you do not configure like below, nobody could directly access the files in the /Files folder and they could only access them through the action:
    >
    >     app.UseStaticFiles();
    >     app.UseStaticFiles(new StaticFileOptions
    >     {
    >           FileProvider = new PhysicalFileProvider(
    >           Path.Combine(Directory.GetCurrentDirectory(), "Files")),
    >           RequestPath = "/Files"
    >     });
    >
    > Best Regards,
    >
    > Rena

    Thanks for the reply. So in my case the files are not accessible by users, and will only be accessible inside my code? Is this correct?

    Friday, June 5, 2020 9:04 AM
  • User503812343 posted
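
    // app.Use (rather than app.Map) keeps the original request path and lets
    // allowed requests continue to the static file middleware below.
    // Authentication middleware must run earlier so context.User is populated.
    app.Use(async (context, next) =>
    {
        if (context.Request.Path.StartsWithSegments("/Files") && !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return; // stop here: do not serve the file
        }

        await next(); // everything else continues down the pipeline
    });

    app.UseStaticFiles();

    This code will allow only authenticated users to access the Files folder. Notice this code needs to be before "app.UseStaticFiles".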

    Friday, June 5, 2020 1:45 PM
  • User-540818677 posted

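    >     // app.Use (rather than app.Map) keeps the original request path and lets
    >     // allowed requests continue to the static file middleware below.
    >     // Authentication middleware must run earlier so context.User is populated.
    >     app.Use(async (context, next) =>
    >     {
    >         if (context.Request.Path.StartsWithSegments("/Files") && !context.User.Identity.IsAuthenticated)
    >         {
    >             context.Response.StatusCode = StatusCodes.Status401Unauthorized;
    >             return; // stop here: do not serve the file
    >         }
    >
    >         await next(); // everything else continues down the pipeline
    >     });
    >
    >     app.UseStaticFiles();
    >
    > This code will allow only authenticated users to access the Files folder. Notice this code needs to be before "app.UseStaticFiles".

    And without this code, they will not be able to access the files, which is what I am looking for? Is this correct?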

    Thanks

    Friday, June 5, 2020 2:01 PM
  • User503812343 posted

    What is the purpose of keeping files there?

    Check this to deny access to all users/browser requests but allow only the application to access it: https://ngohungphuc.wordpress.com/2018/07/13/prevent-access-to-static-folder-using-asp-net-core-middleware/

    Friday, June 5, 2020 4:20 PM
  • User-540818677 posted

    > What is the purpose of keeping files there?
    >
    > Check this to deny access to all users/browser requests but allow only the application to access it: https://ngohungphuc.wordpress.com/2018/07/13/prevent-access-to-static-folder-using-asp-net-core-middleware/

    I am keeping the files there as I have an action method which will read the .csv files and update the database, so I want my application to read the files, but do not want users to be able to read them... So am I having this by default based on my above settings?

    Friday, June 5, 2020 4:31 PM
  • User711641945 posted

    Hi johnjohn123123,

    > thanks for the reply, so in my case the files are not accessible by users, and will only be accessible inside my code? is this correct?

    That's it. You are right.

    Best Regards,

    Rena

    Wednesday, June 17, 2020 8:17 AM
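
Added example (not part of the original thread): a console harness that checks the behaviour the replies describe, showing that /Files/v2.csv is not served with the pipeline as posted and becomes reachable only once the extra StaticFileOptions mapping is added. The temporary directory layout, the site.css file and the class and method names are constructed for illustration, and it assumes the Microsoft.AspNetCore.TestHost package is referenced.

```csharp
using System;
using System.IO;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.FileProviders;

public static class StaticFileExposureCheck // hypothetical name, not from the thread
{
    // Starts an in-memory server with the given pipeline and returns the status of GET <path>.
    static async Task<HttpStatusCode> Probe(string root, Action<IApplicationBuilder> pipeline, string path)
    {
        var builder = new WebHostBuilder().UseContentRoot(root).Configure(pipeline);
        using var server = new TestServer(builder);
        using var response = await server.CreateClient().GetAsync(path);
        return response.StatusCode;
    }

    public static async Task Main()
    {
        // Constructed layout mirroring the question: <root>/Files/v2.csv next to <root>/wwwroot/site.css
        string root = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(Path.Combine(root, "Files"));
        Directory.CreateDirectory(Path.Combine(root, "wwwroot"));
        File.WriteAllText(Path.Combine(root, "Files", "v2.csv"), "id,name\n1,sample\n");
        File.WriteAllText(Path.Combine(root, "wwwroot", "site.css"), "body{}");

        // Pipeline from the question: the static file middleware only looks in wwwroot.
        Action<IApplicationBuilder> asPosted = app => app.UseStaticFiles();
        // Pipeline with the extra mapping from the reply: this is what would publish the Files folder.
        Action<IApplicationBuilder> withMapping = app =>
        {
            app.UseStaticFiles();
            app.UseStaticFiles(new StaticFileOptions
            {
                FileProvider = new PhysicalFileProvider(Path.Combine(root, "Files")),
                RequestPath = "/Files"
            });
        };

        Console.WriteLine($"as posted    /site.css     -> {await Probe(root, asPosted, "/site.css")}");
        Console.WriteLine($"as posted    /Files/v2.csv -> {await Probe(root, asPosted, "/Files/v2.csv")}");
        Console.WriteLine($"with mapping /Files/v2.csv -> {await Probe(root, withMapping, "/Files/v2.csv")}");
        Directory.Delete(root, recursive: true);
    }
}
```

The same probe can be kept as a regression test so that a later change to the static file configuration that exposes the data folder is caught before deployment.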