Last post Nov 21, 2013 11:55 PM by BadriL
Nov 20, 2013 09:31 AM|GIDLIBRARY|LINK
Suppose I have a folder called "MyVids" which contains videos. I want only certain people to see certain videos. Person A can see Videos 1,2,3, Person B can see Videos 5,6, etc.
In theory, I could use Membership and roles, and put different videos in different folders, each with its own web.config protecting its contents. However, the problem is that I can have 500+ viewers, each with different combinations of videos they can see.
I can't know in advance how many folders I'll need (in that scenario).
So ideally, there would be a dll or handler of some kind that gets between the video and the user, and which checks permissions, before allowing the video to play on the user's browser. Something like: "is
www.mysite.com/MyVids/GoneWithTheWind.mp4 accessible by John Smith"?
I don't think ashx handlers are the answer, because they are limited to a particular URL/querystring combination.
Is there a way to do this?
Nov 21, 2013 12:34 AM|Michelle Ge - MSFT|LINK
Based on my understanding, many users only can see the folderof themself.
As we will set a role to every user, if all the users with the same role can see the same folders, then we can add a folder named with the role. When a user want to see the videos, then we will check the role, we will calculate the file path, for example:
xxxxx/Role will the path.
If we group by the role and user, we calculate the file path with the role and user.
Hope it's useful for you.
Nov 21, 2013 07:36 AM|GIDLIBRARY|LINK
I don't think that will work. Suppose user "JohnSmith" has a folder called "folderJohnSmith". Then yes, I could put in a web.config file, that would protect that folder for him. But suppose my website has an unknown number of users, whose names I don't
know, and the site keeps adding new users every day,. In that case, I would have to be able to create folders (and web.config files) every day. I can't do that. I'm on a shared hosting server, and they won't let my code create new files and folders in
There has to be a non-folder based way of blocking access to files from unauthorized users. I don't want them to be able to download the video by typing in its URL, and I don't want them to go to a webpage where the video is embedded either.
(to make things more complicated, on my site, some users have "friends" who can access their videos, and the friends can be friends of more than one user)
I'm sure Microsoft has something that will do this, I just don't know what it is.
Nov 21, 2013 11:55 PM|BadriL|LINK
You can try using a custom HTTP handler. You can create a class that implements the IHttpHandler interface and authorize the user in the ProcessRequest method. Read the video and write the bytes off to the response. Of course, you will need to set the correct
content type. Or, use an HTTP module (I'm assuming you are using IIS 7+). If permission check is okay, HTTP module simply does nothing and let the request flows through. If not, it returns unauthorized or forbidden.