p2p.wrox.com Forums


aspdotnet_website_programming thread: FileManager Download.aspx missing security


Message #1 by "Claude Wynne" <claudew@i...> on Wed, 19 Feb 2003 12:23:00 -0800
I've added the following to the Page_Load method in my download.aspx.cs
class in the FileManager module:

			// do not allow user to manage files if the user is not authenticated
			// or does not have the proper permission
			bool canAdministerFiles = (Context.User.Identity.IsAuthenticated &&
				(Context.User is SitePrincipal) &&
				((SitePrincipal)Context.User).HasPermission((int)FileManagerPermissions.AdministerFiles));

			if(!canAdministerFiles)
			{
				// if not, redirect to the Login page
				Response.Redirect("/Modules/Users/Login.aspx?ShowError=true", true);
			}



-----------------------------------------

Without this, anyone could enter something like the following:
http://localhost/thephile/Modules/FileManager/Download.aspx?Web.config.

Anyone who has read this book and recognized that your site was based on
it would know about the existence of this file.
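
Added example, not part of the original post or the book's code: a second check a download page can apply alongside the permission test above, so that a requested name can only resolve to a file inside the download folder and never to a configuration or source file. `DownloadGuard`, the `Uploads` folder and the blocked-extension list are hypothetical, and the sample requests are constructed.

```csharp
using System;
using System.IO;

// Added example. DownloadGuard and the "Uploads" root are hypothetical names.
public static class DownloadGuard
{
    // Extensions a download page should never serve (assumed list).
    static readonly string[] Blocked = { ".config", ".cs", ".aspx", ".ascx", ".asax" };

    // Returns true and the resolved path only if 'requested' stays inside 'root'.
    public static bool TryResolve(string root, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested)) return false;

        string rootFull = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // Path.Combine returns 'requested' unchanged when it is rooted,
            // so the prefix check below is what enforces containment.
            candidate = Path.GetFullPath(Path.Combine(rootFull, requested));
        }
        catch (Exception) { return false; } // invalid characters, path too long, etc.

        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)) return false;

        string ext = Path.GetExtension(candidate);
        foreach (string b in Blocked)
            if (string.Equals(ext, b, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "Uploads"); // constructed root
        // Constructed sample requests: two ordinary files, two config requests.
        string[] samples = { "report.pdf", "docs/readme.txt", "../Web.config", "Web.config" };
        foreach (string s in samples)
        {
            string resolved;
            Console.WriteLine("{0,-20} allowed={1}", s, TryResolve(root, s, out resolved));
        }
    }
}
```

This complements the authentication and permission check rather than replacing it: the first decides who may download, the second decides what may be downloaded.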


			



