views:

198

answers:

3

I've been testing my application to see how well it works when run by a non-administrative user, and I have found problems with file handling. I am getting an UnauthorizedAccessException when trying to overwrite a file, if the file was created by and adminstrative user.

When writing out the file I first create the file as a .tmp file, then use File.Copy to overwrite the original. The .tmp file gets created, but File.Copy fails. My files are written to a public directory ("C:\Documents and Settings\All Users\Application Data" in XP).

What can I do so that all users can have full control of the application files?

I've found this:

        System.Security.AccessControl.DirectorySecurity sec =  
                                System.IO.Directory.GetAccessControl ( directory );  
        FileSystemAccessRule accRule = new FileSystemAccessRule ( Globals.userIdentity,  
             FileSystemRights.FullControl, AccessControlType.Allow );  
        sec.AddAccessRule ( accRule );

Will doing the above to the directory that all the files are located in solve this problem? Or will I have to do something to each file? If so what is that something?

Edit:

Non-admin users cannot modify files created by an admin user. This is not good. I need for all files to be editable by all users. Is there not some sort of permissions that can be set when the file is originally created that will grant this?

+1  A: 

This code would give the user full access rights to the folder, however, this might fail on security again.

The best way to make sure your application can always store information is trough the IsolatedStorage. However if you need access to your files outside your application then this is not the best solution.

Jonathan van de Veen
Some file may require access from outside the application. Since this is the case, what should I do?
Dan Vogel
You could try and go with the users own Application Data folder. By default they should have access to that without being an admin.You can get that path for a user with Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)This does mean that application data is not shared between users.HTH.
Jonathan van de Veen
The application data needs to be shared for all users. That's why I am using the All Users\Application Data directory. Its just that the files created when logged in as an admin user cannot be modified by non-admin users.
Dan Vogel
In that case, the above code you've written should work whenever you're logged in as an admin. You should detect if you have rights to do this first.
Jonathan van de Veen
Admin users are not the problem. The problem is that non-admin users cannot modify files created by an admin user.
Dan Vogel
Which is exactly my point. To make sure your other users have access to the admins files is by having the admin automatically give the other users access as files are created by the admin. So whenever you have rights to change the ACL, give access to everyone.
Jonathan van de Veen
+1  A: 

I just checked the permissions on the All Users\Application Data directory. The "Users" and "Power Users" ACLs do not have the "Delete Subfolders and Files" permission.

They can delete their own files because the "CREATOR OWNER" ACL has Full Control.

As for how to get around this, you could give everyone all access, but a better idea would be to grant the "Users" & "Power Users" ACLs the "Delete Subfolders and Files" permission on your app's appdata directory.

Alternately, you could assign the "Delete" and "Modify" permissions on the file itself for "Users" and "Power Users" when it's created.

R. Bemrose
+1  A: 

How about if you use similar code to give everyone full access to the file after it has been created ? If I understand you correctly the files will always be created with your application, right ? Then the user that creates the file in the first place will also have rights to adjust security settings for the file. Then it's just a question of setting public rights to the file once it is created and all users are able to replace the file later on.

sindre j
This is what I've done, but gave the answer credits to R. Bemrose since it was with his answer that I came to the solution. Thanks though.
Dan Vogel