Checking for folder permissions in C#

I just spent 3 hours writing a simple method to check if the user running my app has write access permissions on a folder. Definitely cracked a beer into the 3rd hour.

It was harder than I thought. I first found a simple, clean example on Stack Overflow and tried that:

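using System;
using System.Security;
using System.Security.Permissions;

// Code Access Security check: asks whether the code running in this AppDomain
// has been granted FileIOPermission for the path. It does not consult the folder's ACL.
public bool CheckFolderPermissions(string folderPath)
{
    var permissionSet = new PermissionSet(PermissionState.None);
    var writePermission = new FileIOPermission(FileIOPermissionAccess.Write, folderPath);
    permissionSet.AddPermission(writePermission);

    return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}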

Soon after writing this, I realized I needed to test it somehow. I ended up creating a new user on my dev server with only write privileges on the target folder. I Shift-right-clicked on my executable, ran as this new user, and then attached to that process in Visual Studio. Then I dealt with a mysterious error for a while, which ended up being this new user not having access to SQL Server. Hopefully you won’t get that.

The nice little method above didn’t work. I feel like I don’t fully understand AppDomains–maybe running as a different user is not enough to shift the properties of AppDomain.CurrentDomain.

So I tried another longer method (“diesel” as we would say here in NYC):

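using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public bool CheckFolderPermissions(string folderPath)
{
    WindowsIdentity currentUser = WindowsIdentity.GetCurrent();
    var domainAndUser = currentUser.Name;
    DirectoryInfo dirInfo = new DirectoryInfo(folderPath);
    DirectorySecurity dirAC = dirInfo.GetAccessControl(AccessControlSections.All);
    AuthorizationRuleCollection rules = dirAC.GetAccessRules(true, true, typeof(NTAccount));

    foreach (AuthorizationRule rule in rules)
    {
        // Only rules that name the user account itself are matched; rules granted
        // to a group the user belongs to are not considered.
        if (rule.IdentityReference.Value.Equals(domainAndUser, StringComparison.CurrentCultureIgnoreCase))
        {
            var fsRule = (FileSystemAccessRule)rule;
            // Count only Allow rules; a Deny rule carrying WriteData must not report success.
            if (fsRule.AccessControlType == AccessControlType.Allow
                && (fsRule.FileSystemRights & FileSystemRights.WriteData) != 0)
                return true;
        }
    }
    return false;
}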

This method did a great job of determining the permissions of the folder against the current user if the user has write privileges already. If not, then dirInfo.GetAccessControl bombs, obviously, because if you can’t write to a folder, you can’t comprehensively read its privileges (most of the time).

But this led me to the correct solution. A simple try/catch, looking for GetAccessControl to bomb:

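using System;
using System.IO;
using System.Security.AccessControl;

public bool CheckFolderPermission(string folderPath)
{
    DirectoryInfo dirInfo = new DirectoryInfo(folderPath);
    try
    {
        // AccessControlSections.All includes the audit list (SACL), which
        // requires SeSecurityPrivilege to read.
        DirectorySecurity dirAC = dirInfo.GetAccessControl(AccessControlSections.All);
        return true;
    }
    catch (PrivilegeNotHeldException)
    {
        return false;
    }
    catch (UnauthorizedAccessException)
    {
        // Thrown when the caller is not allowed to read the folder's security descriptor.
        return false;
    }
}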
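
As an added example (not code from the original post), here is the ACL walk from the second method extended to match rules by SID against the current user and its groups, let Deny rules win, and request only AccessControlSections.Access, because AccessControlSections.All also asks for the audit list (SACL), which requires SeSecurityPrivilege. The names FolderAccess and CanWrite are hypothetical, the code is Windows-only, and the result is an estimate from the ACL; only an actual write attempt is authoritative.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

public static class FolderAccess
{
    // Hypothetical helper (not from the original post).
    // true/false = verdict computed from the DACL; null = the DACL could not be read.
    public static bool? CanWrite(string folderPath)
    {
        WindowsIdentity user = WindowsIdentity.GetCurrent();
        // SIDs carried by the token: the user plus every group it belongs to.
        var sids = new HashSet<SecurityIdentifier> { user.User };
        if (user.Groups != null) sids.UnionWith(user.Groups.OfType<SecurityIdentifier>());

        DirectorySecurity acl;
        try
        {
            // Access = DACL only. Requesting All would also read the SACL and
            // fail for callers without SeSecurityPrivilege.
            acl = new DirectoryInfo(folderPath).GetAccessControl(AccessControlSections.Access);
        }
        catch (UnauthorizedAccessException)
        {
            return null; // no right to read the DACL; write access is unknown
        }

        FileSystemRights allowed = 0, denied = 0;
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!sids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            // Inherit-only rules apply to children, not to this folder itself.
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            if (rule.AccessControlType == AccessControlType.Deny) denied |= rule.FileSystemRights;
            else allowed |= rule.FileSystemRights;
        }

        // CreateFiles has the same value as WriteData, the right the post tests.
        const FileSystemRights needed = FileSystemRights.CreateFiles;
        // A matching Deny overrides any Allow.
        return (allowed & needed) == needed && (denied & needed) == 0;
    }
}
```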