Last post Sep 26, 2013 03:43 PM by shabirhakim1
Sep 26, 2013 03:37 PM|davood
On my local machine, I created a sample project in MVC 4 (Razor), created a directory named "x" and put a text file "a.txt" in it.
In my web.config I deny all users access to the "x" folder with this config:
Now if a user sends this request:
it works and returns the user to the URL defined in the forms tag in web.config.
But when a user sends this request:
they can read the text file in the browser (the browser shows the contents of the text file).
I want to know how to deny users access to all files and subfolders in the "x" folder.
Sep 26, 2013 03:43 PM|shabirhakim1
Sample scenario: I don't want anonymous users and users assigned to the "test" role to be able to access any files from the folder named "Protected" located in ~/Files. I want to ensure that even if they know the URL, they cannot view the file.
1. Add a web.config file to the folder in Files that you want to protect
In our example we have to place the web.config in \Sitefinity3.x\WebSites\<YourProject>\Files\Protected.
<authorization>
  <deny roles="test" />
  <deny users="?" />
</authorization>
2. Add application extension mappings
By default .NET does not protect non-ASP.NET files (.pdf, .htm, .doc, .ppt, .xls, etc.), so you need to create a custom mapping in IIS. To do this, open the web site or virtual directory properties in IIS and navigate to Configuration > Mappings > Add.
Add the following mapping record for each file type (extension) you want to protect; the example below is for the .pdf extension.
All Verbs (selected)
Script Engine (selected)
Verify/Check that file exists (selected)
3. Add httpHandlers to the application web.config
Open the \Sitefinity3.x\WebSites\<YourProject>\web.config file and add the following httpHandlers for the file types you want protected:
<add type="System.Web.StaticFileHandler" path="*.pdf" verb="*" validate="true" />
Now anyone trying to access the files in the protected folder will have to pass through authentication. If s/he belongs to the "test" role, they won't be able to see the file.
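The gap the question runs into can be audited with a short script; this is an added example, not part of either post. It assumes the model the answer describes, where only extensions with an httpHandlers entry pass through ASP.NET authorization; the config strings and file names are constructed, and `<remove>`/`<clear>` entries and the IIS mappings from step 2 are not checked.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: web.config inside the protected folder (step 1).
FOLDER_CONFIG = """<configuration><system.web><authorization>
  <deny roles="test" />
  <deny users="?" />
</authorization></system.web></configuration>"""

# Constructed sample: application web.config with the handler from step 3.
APP_CONFIG = """<configuration><system.web><httpHandlers>
  <add type="System.Web.StaticFileHandler" path="*.pdf" verb="*" validate="true" />
</httpHandlers></system.web></configuration>"""


def denies_anonymous(folder_config):
    """Walk the rules top-down; the first rule naming "?" or "*" decides."""
    root = ET.fromstring(folder_config)
    for auth in root.iter("authorization"):
        for rule in auth:
            users = {u.strip() for u in rule.get("users", "").split(",")}
            if users & {"?", "*"}:
                return rule.tag == "deny"
    return False  # no matching rule here: the inherited default allows everyone


def handler_patterns(app_config):
    """Path patterns of every <add> under <httpHandlers>."""
    root = ET.fromstring(app_config)
    return [add.get("path", "").lower()
            for handlers in root.iter("httpHandlers")
            for add in handlers.iter("add")]


def unprotected_files(filenames, folder_config, app_config):
    """Files in the folder that no ASP.NET handler mapping covers."""
    if not denies_anonymous(folder_config):
        return sorted(filenames)
    patterns = handler_patterns(app_config)
    return sorted(name for name in filenames
                  if not any(fnmatch.fnmatch(name.lower(), p) for p in patterns))


if __name__ == "__main__":
    # Constructed folder listing: the asker's a.txt next to a mapped PDF.
    print(unprotected_files(["a.txt", "report.pdf"], FOLDER_CONFIG, APP_CONFIG))
```

With only the `*.pdf` handler registered, `a.txt` is reported as uncovered, which matches the behaviour described in the question.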