阻止未经授权的用户下载文档
我有一个应用程序,管理员用户可以在其中创建用户并将文档上传到服务器以供创建的用户下载。
上传文件时,它使用用户 ID 作为文件夹名称创建一个文件夹,并将其保存在名为文档的文件夹中,例如 ~documents/77b29079-43d6-4520-bc34-77ae2af1b131/documentname.xls
然后客户端必须登录并会仅查看该用户的可用文档列表。唯一的问题是,如果有人获得某个文档的 URL,则无需登录即可下载。
我可以做些什么来停止访问这些文件吗?我尝试编辑 web.config 文件以仅允许访问某些角色,但我仍然可以在不登录的情况下下载文档。
<location path="documents">
<system.web>
<authorization>
<allow roles="Admin, Client"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
感谢您的帮助。 J。
I have an application where the admin user can create users and upload documents to the server for the created user to download.
When uploading a file it creates a folder using the userid as the folder name and saves in that folder within a folder called documents e.g. ~documents/77b29079-43d6-4520-bc34-77ae2af1b131/documentname.xls
The client then has to login and will see a list of available documents for that user only. The only problem is that if someone was to get hold of one of the urls to a document is can be downloaded without having to login.
Is there something I can do to stop access to these files?? I have tried editing the web.config file to only allow access to certain roles but i could still download a document without logging in.
<location path="documents">
<system.web>
<authorization>
<allow roles="Admin, Client"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Thanks for your help. J.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
评论中@rlb.usa提供的链接有两个很好的方法。另一种选择是将文档存储在数据库中,并使用应用程序代码或数据库安全性来确定谁有权访问什么。当然,这会带来一系列不同的问题和优点。如果您使用的是 SQL Server,这有一些优点和缺点。
The link provided by @rlb.usa in the comments has two good methods. Another alternative is storing the documents in a database and using application code or database security to determine who has access to what. That of course, comes with a different set of problems and advantages. If you are using SQL Server, this hits on some of the pros and cons.