harbonne nathalie
Guest
Hi,
Here is the code to test if a user has the modify right on a folder.
We will consider two users :
AUTORITE NT\Authenticated users
AUTORITE NT\Système (in french)
If I look at the Security tab in the Properties dialog of this folder, I can see
that for these two accounts the following permissions appear checked in gray rather than in black:
1-Modify
2-ReadAndExecute
3-Affichage du contenu du dossier(in french because i don't know in english)
4-Read
5-Write
However, for the AUTORITE NT\Authenticated users account this function returns that it has the Modify right, whereas for the AUTORITE NT\Système account, whose PropagationFlags value is PropagationFlags.InheritOnly, it returns that it does not have the Modify right (although the graphical interface shows the contrary).
Can you explain why, for the AUTORITE NT\Système account, this function does not report that the account has the Modify right on the folder?
Thanks a lot for your answer; I have been searching on this point for a long time.
Best regards.
Nathalie Harbonne
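/// <summary>
/// Reports whether the access rules that name <paramref name="user"/> directly on
/// <paramref name="directory"/> grant the Modify right on the folder itself.
/// </summary>
/// <remarks>
/// This is not an effective-access check: only ACEs whose identity equals
/// <paramref name="user"/> are read, so rights obtained through group membership are not
/// counted, and ACE ordering is not evaluated (any Deny ACE that removes a Modify bit makes
/// the result false, which errs on the side of reporting less access).
/// NOTE(review): ACEs whose rights are exactly FullControl are filtered out, as in the
/// original query, so an account whose only applicable ACE is FullControl is reported as
/// not having Modify even though FullControl includes every Modify bit. Confirm this is intended.
/// </remarks>
/// <param name="user">Account name in the form the ACL reports it (NTAccount translation).</param>
/// <param name="directory">Path of the folder whose ACL is read.</param>
/// <returns>true when the allowed rights, minus the denied rights, cover every bit of Modify.</returns>
/// <exception cref="ArgumentNullException">A parameter is null.</exception>
public bool CheckRightsUser(string user, string directory)
{
    // The single-string ArgumentNullException constructor takes the parameter NAME, not a
    // message; pass both so the exception names the argument and keeps the original text.
    if (user == null)
    {
        throw new ArgumentNullException("user", "Le user en paramètre ne peut pas être null");
    }
    if (directory == null)
    {
        throw new ArgumentNullException("directory", "Le chemin du répertoire en paramètre ne peut pas être null");
    }

    // These lists are fields declared outside this method; they are re-initialised on every call.
    rightsValues = new List<int>();
    modifyRightValueExpected = new List<int>() { 197055 }; // (int)FileSystemRights.Modify
    modifyRightsValuesExpected = new List<int>() { 278, 65536, 131241 };
    rightsValuesExpected_2 = new List<int>() { 32, 131209 };
    rightsValuesExpected_3 = new List<int>() { 1, 2, 4, 8, 16, 32, 128, 256, 131209, 131072 };

    FileSystemRights allowed = 0;
    FileSystemRights denied = 0;

    System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(directory);
    var acl = di.GetAccessControl()
        .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))
        .Cast<FileSystemAccessRule>()
        // Windows account names are case-insensitive, so compare without regard to case.
        .Where(rule => rule.IdentityReference.Value.Equals(user, StringComparison.OrdinalIgnoreCase)
                    && rule.FileSystemRights != FileSystemRights.FullControl)
        .ToList();

    foreach (FileSystemAccessRule ace in acl)
    {
        // An inherit-only ACE applies to children, not to this folder, so it grants nothing here.
        // PropagationFlags is a [Flags] enum: test the bit, because InheritOnly can be combined
        // with NoPropagateInherit and an equality test would let that combination through.
        if ((ace.PropagationFlags & PropagationFlags.InheritOnly) == PropagationFlags.InheritOnly)
        {
            continue;
        }

        // A Deny ACE must never be counted as a grant.
        if (ace.AccessControlType == AccessControlType.Deny)
        {
            denied |= ace.FileSystemRights;
            continue;
        }

        // Rights accumulate across Allow ACEs, so Modify may be assembled from several rules.
        allowed |= ace.FileSystemRights;

        foreach (var right in Enum.GetNames(typeof(FileSystemRights)))
        {
            // Two names can parse to the same value (e.g. ListDirectory and ReadData): the
            // directory-level and the file-level name of one access bit.
            var rightEnum = (FileSystemRights)Enum.Parse(typeof(FileSystemRights), right);

            // The ACE carries this right only when every bit of the named value is set.
            if ((ace.FileSystemRights & rightEnum) == rightEnum)
            {
                int rightValue = (int)rightEnum;
                rightsValues.Add(rightValue);
                Console.WriteLine("\t Account: {0} has access {1} ({2})", ace.IdentityReference.Value, right, ace.FileSystemRights);
                Console.WriteLine("la valeur numerique du droit est " + rightValue);
            }
        }

        Console.WriteLine();
    }

    FileSystemRights effective = allowed & ~denied;
    return (effective & FileSystemRights.Modify) == FileSystemRights.Modify;
}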
/// <summary>
/// Tells whether every element of <paramref name="values"/> is present in <paramref name="source"/>.
/// </summary>
/// <param name="source">Sequence that is searched.</param>
/// <param name="values">Elements that must all be found; an empty sequence yields true.</param>
/// <returns>true when no element of <paramref name="values"/> is missing from <paramref name="source"/>.</returns>
public static bool ContainsModify<T>(IEnumerable<T> source, IEnumerable<T> values)
{
    // "All present" is the same as "none missing"; evaluation stops at the first missing element.
    bool anyMissing = values.Any(wanted => !source.Contains(wanted));
    return !anyMissing;
}
developement
Here is the code to test if a user has the modify right on a folder.
We will consider two users :
AUTORITE NT\Authenticated users
AUTORITE NT\Système (in french)
If I look at the Security tab in the Properties dialog of this folder, I can see
that for these two accounts the following permissions appear checked in gray rather than in black:
1-Modify
2-ReadAndExecute
3-Affichage du contenu du dossier(in french because i don't know in english)
4-Read
5-Write
However, for the AUTORITE NT\Authenticated users account this function returns that it has the Modify right, whereas for the AUTORITE NT\Système account, whose PropagationFlags value is PropagationFlags.InheritOnly, it returns that it does not have the Modify right (although the graphical interface shows the contrary).
Can you explain why, for the AUTORITE NT\Système account, this function does not report that the account has the Modify right on the folder?
Thanks a lot for your answer; I have been searching on this point for a long time.
Best regards.
Nathalie Harbonne
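/// <summary>
/// Reports whether the access rules that name <paramref name="user"/> directly on
/// <paramref name="directory"/> grant the Modify right on the folder itself.
/// </summary>
/// <remarks>
/// This is not an effective-access check: only ACEs whose identity equals
/// <paramref name="user"/> are read, so rights obtained through group membership are not
/// counted, and ACE ordering is not evaluated (any Deny ACE that removes a Modify bit makes
/// the result false, which errs on the side of reporting less access).
/// NOTE(review): ACEs whose rights are exactly FullControl are filtered out, as in the
/// original query, so an account whose only applicable ACE is FullControl is reported as
/// not having Modify even though FullControl includes every Modify bit. Confirm this is intended.
/// </remarks>
/// <param name="user">Account name in the form the ACL reports it (NTAccount translation).</param>
/// <param name="directory">Path of the folder whose ACL is read.</param>
/// <returns>true when the allowed rights, minus the denied rights, cover every bit of Modify.</returns>
/// <exception cref="ArgumentNullException">A parameter is null.</exception>
public bool CheckRightsUser(string user, string directory)
{
    // The single-string ArgumentNullException constructor takes the parameter NAME, not a
    // message; pass both so the exception names the argument and keeps the original text.
    if (user == null)
    {
        throw new ArgumentNullException("user", "Le user en paramètre ne peut pas être null");
    }
    if (directory == null)
    {
        throw new ArgumentNullException("directory", "Le chemin du répertoire en paramètre ne peut pas être null");
    }

    // These lists are fields declared outside this method; they are re-initialised on every call.
    rightsValues = new List<int>();
    modifyRightValueExpected = new List<int>() { 197055 }; // (int)FileSystemRights.Modify
    modifyRightsValuesExpected = new List<int>() { 278, 65536, 131241 };
    rightsValuesExpected_2 = new List<int>() { 32, 131209 };
    rightsValuesExpected_3 = new List<int>() { 1, 2, 4, 8, 16, 32, 128, 256, 131209, 131072 };

    FileSystemRights allowed = 0;
    FileSystemRights denied = 0;

    System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(directory);
    var acl = di.GetAccessControl()
        .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))
        .Cast<FileSystemAccessRule>()
        // Windows account names are case-insensitive, so compare without regard to case.
        .Where(rule => rule.IdentityReference.Value.Equals(user, StringComparison.OrdinalIgnoreCase)
                    && rule.FileSystemRights != FileSystemRights.FullControl)
        .ToList();

    foreach (FileSystemAccessRule ace in acl)
    {
        // An inherit-only ACE applies to children, not to this folder, so it grants nothing here.
        // PropagationFlags is a [Flags] enum: test the bit, because InheritOnly can be combined
        // with NoPropagateInherit and an equality test would let that combination through.
        if ((ace.PropagationFlags & PropagationFlags.InheritOnly) == PropagationFlags.InheritOnly)
        {
            continue;
        }

        // A Deny ACE must never be counted as a grant.
        if (ace.AccessControlType == AccessControlType.Deny)
        {
            denied |= ace.FileSystemRights;
            continue;
        }

        // Rights accumulate across Allow ACEs, so Modify may be assembled from several rules.
        allowed |= ace.FileSystemRights;

        foreach (var right in Enum.GetNames(typeof(FileSystemRights)))
        {
            // Two names can parse to the same value (e.g. ListDirectory and ReadData): the
            // directory-level and the file-level name of one access bit.
            var rightEnum = (FileSystemRights)Enum.Parse(typeof(FileSystemRights), right);

            // The ACE carries this right only when every bit of the named value is set.
            if ((ace.FileSystemRights & rightEnum) == rightEnum)
            {
                int rightValue = (int)rightEnum;
                rightsValues.Add(rightValue);
                Console.WriteLine("\t Account: {0} has access {1} ({2})", ace.IdentityReference.Value, right, ace.FileSystemRights);
                Console.WriteLine("la valeur numerique du droit est " + rightValue);
            }
        }

        Console.WriteLine();
    }

    FileSystemRights effective = allowed & ~denied;
    return (effective & FileSystemRights.Modify) == FileSystemRights.Modify;
}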
/// <summary>
/// Tells whether every element of <paramref name="values"/> is present in <paramref name="source"/>.
/// </summary>
/// <param name="source">Sequence that is searched.</param>
/// <param name="values">Elements that must all be found; an empty sequence yields true.</param>
/// <returns>true when no element of <paramref name="values"/> is missing from <paramref name="source"/>.</returns>
public static bool ContainsModify<T>(IEnumerable<T> source, IEnumerable<T> values)
{
    // "All present" is the same as "none missing"; evaluation stops at the first missing element.
    bool anyMissing = values.Any(wanted => !source.Contains(wanted));
    return !anyMissing;
}
developement