DataTables
Advanced interaction
features for your tables.
Editor
Comprehensive editing
library for DataTables.
Manual
Download
Show site navigation

How to handle Upload permissions?

How to handle Upload permissions?

HPBHPB Posts: 73Questions: 2Answers: 18
in Free community support

My setup:
I'm using an asp.net mvc 5 backend, where I wrote my own implementation of handling the datatables communication. My data comes from an ERP system on a SQL database. Retrieving the data over numerous tables can get a little tricky, and I rather write my own queries and do my own validation than trying to figure out how to accomplish that with the datatables .Net library.
Everything works as expected, and I'm able to store uploaded files (created by editor fields) on a separate file server, and serve them to a user on different pages. A simple request to an image would be /File/4 to get File/Image with id 4.
I also impelemented my own cleanup routine.

At this point I'm storing [ID], [filename], [filesize] and [MimeType]

What I would like to accomplish is some sort of permission system added to that.
For instance, some users would be able to update/delete images from a certain area of the web application. Some users should only be able to read from a certain area and only be able to update/delete images that they uploaded themself.
Some users should not be allowed to view any image from a certain area. Etc

Right now, every user that accesses File/{id} would just see the File/Image of the id entered.
I'm unable to think of something clever myself and I can't find any information about best practices online either.

Hopefully someone can push me in the right direction.

Replies

  • allanallan Posts: 63,893Questions: 1Answers: 10,531 Site admin

    Hi,

    For the write access, you could basically use a validator. If the user doesn't have access to upload the file, return an error.

    That's the easy part - the read, unusually, is a little more complicated. What you would need to do is have a proxy script - so instead of having the browser request File/1 it would in fact request imageProxy?file=File/1 (or something like that). The imageProxy could then do whatever validation is required. If the validation of the user passes, it would read the contents of the file and just stream them back (i.e. it would look like an image is being returned - remember to set the content-type header).

    Does that make sense?

    Allan

  • HPBHPB Posts: 73Questions: 2Answers: 18

    @allan
    It does make sense, and except for the validation it is what I have already.
    File/4 routes to the File action with parameter id = 4 in MVC. that action method is the proxy where the validation would happen. It already serves a stream back to the user.

    What I'm struggling with is what my database structure should be like, so i can have 1 action method that handles cross-area validation over the files.
    It would be fields like owner and area, and a seperate table for permissions. I just can't figure out what a good structure should look like.

    I know this is not anything datatables related, but perhaps someone has encountered a situation like this before and can help me in the right direction.

  • allanallan Posts: 63,893Questions: 1Answers: 10,531 Site admin

    I fear that's beyond my area of expertise. It might be worth having a look at Access Control Lists (ACLs) and seeing if there is one for .NET that would suit your needs.

    Allan

This discussion has been closed.

DataTables

DataTables designed and created by SpryMedia Ltd.
© 2007-2023 MIT licensed. Privacy policy. Supporters.
SpryMedia Ltd is registered in Scotland, company no. SC456502.