VB.NET Change File Level Permissions: Better to Ask for Forgiveness than Permission

Introduction

Some people think it is better to ask for forgiveness than for permission.

In the modern computing environment, file level permissions are an important part of the operating system, yet in everyday use we rarely interact with them directly. Most of us can create an administrator account, but apart from technical gurus, IT users, or power users, we know little to nothing about how to limit a person's specific permissions. So, how can we limit a person's specific permissions depending on their account and privileges? I will explain below how to change file level permissions in VB.NET.

 


Requirements

  • .NET Framework 4.5 or above
  • Windows 7 operating system or above
  • Time: Takes about 30-45 minutes to code depending on the amount of permissions that are going to be added or removed from the file. However, your mileage may differ on how fast you complete this project.

 


Loading Users for a specific file 

Our first step in this tutorial is to load the users that have permissions for a specific file into a list box. As Figure 1 shows, the users with permissions to the file are retrieved and added to lstUsers. Example 1 below has users loaded into lstUsers to show which users were retrieved. Note: the users that are retrieved could vary depending on your system. Some test users were created and added to the file for demonstration purposes in this tutorial.

 

Figure 1: Retrieving users and adding to lstUsers list box.

Example 1: Users loaded into lstUsers list box.

' Requires at the top of the form's file:
'   Imports System.IO
'   Imports System.Security.AccessControl
' filename is a String field declared at form level.
Private Sub BtnBrowse_Click(sender As Object, e As EventArgs) Handles BtnBrowse.Click
 OpenFileDialog1.Title = "Get access control for file"
 OpenFileDialog1.Multiselect = False
 OpenFileDialog1.InitialDirectory = "C:\Users\Jeffery\Desktop"
 If OpenFileDialog1.ShowDialog = Windows.Forms.DialogResult.OK Then
  filename = OpenFileDialog1.FileName
  Dim fi As New FileInfo(OpenFileDialog1.FileName)
  ' Read the current access control list (ACL) of the selected file
  Dim fs As FileSecurity = fi.GetAccessControl()

  ' Ask for identities as account names (NTAccount) rather than SIDs
  Dim object1 As Type = Type.GetType("System.Security.Principal.NTAccount")

  ' Include both explicit and inherited rules
  For Each AuthRule As FileSystemAccessRule In fs.GetAccessRules(True, True, object1)
   lstUsers.Items.Add(AuthRule.IdentityReference.Value.ToString)
  Next
 End If
End Sub

 


Viewing Permissions for a specific user 

The second step in the tutorial is to view permissions for a specific user.

As you can see in Example 2, I have selected the user test and his allow and deny permissions to the file show up.

Notice how user test does not have any deny permissions? This is not a code error. In fact, he does not have any revoked or denied permissions at all.

In Figure 2, I show the code for the lstUsers_SelectedIndexChanged event handler, which shows the permissions for the specific user that is selected from the list.

 

Figure 2 - lstUsers_SelectedIndexChanged

 

Example 2: Selection of a specific user

' user and filename are String fields declared at form level.
Private Sub lstUsers_SelectedIndexChanged(sender As Object, e As EventArgs) Handles lstUsers.SelectedIndexChanged
 user = ""
 user = lstUsers.SelectedItem.ToString
 Dim fi As New FileInfo(filename)
 Dim fs As FileSecurity = fi.GetAccessControl()
 Dim object1 As Type = Type.GetType("System.Security.Principal.NTAccount")
 lstAllowPermissions.Items.Clear()
 lstDenyPermissions.Items.Clear()
 For Each AuthRule As FileSystemAccessRule In fs.GetAccessRules(True, True, object1)
  ' Only look at rules that belong to the selected user
  If AuthRule.IdentityReference.Value.ToString = lstUsers.SelectedItem.ToString Then
   Dim ACL_Type As String = ""
   If AuthRule.AccessControlType.Equals(AccessControlType.Deny) Then
    ACL_Type = "Deny"
   Else
    ACL_Type = "Allow"
   End If
   Dim permissions As String = ""
   ' A right is present only if every bit of its mask is set in the rule
   If (AuthRule.FileSystemRights And FileSystemRights.FullControl) = FileSystemRights.FullControl Then
    permissions = "Full Control"
    If ACL_Type = "Allow" And permissions <> "" Then
     lstAllowPermissions.Items.Add(permissions)
     lstAllowPermissions.SetItemChecked(lstAllowPermissions.Items.Count - 1, True)
    End If
    If ACL_Type = "Deny" And permissions <> "" Then
     lstDenyPermissions.Items.Add(permissions)
     lstDenyPermissions.SetItemChecked(lstDenyPermissions.Items.Count - 1, True)
    End If
   End If
   If (AuthRule.FileSystemRights And FileSystemRights.Modify) = FileSystemRights.Modify Then
    permissions = "Modify"
    If ACL_Type = "Allow" And permissions <> "" Then
     lstAllowPermissions.Items.Add(permissions)
     lstAllowPermissions.SetItemChecked(lstAllowPermissions.Items.Count - 1, True)
    End If
    If ACL_Type = "Deny" And permissions <> "" Then
     lstDenyPermissions.Items.Add(permissions)
     lstDenyPermissions.SetItemChecked(lstDenyPermissions.Items.Count - 1, True)
    End If
   End If
   '... more permissions can be added here
  End If
 Next
End Sub

 


Adding/Removing permissions

In this section, permissions are added or removed/denied but are not yet set on the file. We will be adding new permissions to the allow or deny permission lists. The next code section will show how to actually set the new permissions we selected for the file. In Figure 3, permissions are added to the allow or deny lists depending upon what is selected in the cboACLType list box. In Figure 4, the code is displayed for removing currently displayed Allow or Deny permissions. Note: you must remove the permission before changing to the next user or changes may be lost. To remove an item, uncheck it in the list box and click Remove Permissions.

Example 3: Add New Allow or Deny Permissions

 

' AllowPermissions and DenyPermissions are form-level lists holding the pending changes.
Private Sub BtnAdd_Click(sender As Object, e As EventArgs) Handles BtnAdd.Click
 If cboACLType.SelectedItem = "Allow" Then
  If lstAllowPermissions.Items.IndexOf(cboPermissionList.SelectedItem) = -1 And _
    filename <> "" And _
    lstUsers.SelectedIndex <> -1 Then
   'filename must be something or a file's properties have not been loaded

   lstAllowPermissions.Items.Add(cboPermissionList.SelectedItem.ToString)
   lstAllowPermissions.SetItemChecked(lstAllowPermissions.Items.Count - 1, True)
   AllowPermissions.Add( _
     lstAllowPermissions.Items.Item( _
     lstAllowPermissions.Items.IndexOf(cboPermissionList.SelectedItem.ToString)))
  End If
 ElseIf cboACLType.SelectedItem = "Deny" Then
  If lstDenyPermissions.Items.IndexOf(cboPermissionList.SelectedItem) = -1 And _
    filename <> "" And _
    lstUsers.SelectedIndex <> -1 Then

   lstDenyPermissions.Items.Add(cboPermissionList.SelectedItem.ToString)
   lstDenyPermissions.SetItemChecked(lstDenyPermissions.Items.Count - 1, True)
   DenyPermissions.Add( _
     lstDenyPermissions.Items.Item( _
     lstDenyPermissions.Items.IndexOf(cboPermissionList.SelectedItem.ToString)))
  End If
 End If
End Sub

 

 Figure 4 – showing how the deny permissions were applied to the file.

In Example 4, the Permission Entry dialog for devices (the devices.txt file) above shows only the Deny permission of List Directory Contents, and a new Deny rule has been added. The new rule is added when the List folder permission is changed to deny. This rule is only applied, though, when we click BtnSet Permissions (also called the Set Permissions button) before moving on to the next user. Note: these are local file permissions and do not include changing any Active Directory permissions.
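
The Set Permissions step described above, sketched as an added example that is not code from the original article: the pending allow and deny lists are turned into access rules and written to the file. The names ToRights and ApplyPermissions, the "Read" and "Write" list entries, and the temporary sample file are assumptions made for this illustration.

```vb
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module ApplyPermissionsExample
    ' Hypothetical helper: turns list-box display names into a FileSystemRights mask.
    Function ToRights(names As IEnumerable(Of String)) As FileSystemRights
        Dim rights As FileSystemRights = 0
        For Each name As String In names
            Select Case name
                Case "Full Control" : rights = rights Or FileSystemRights.FullControl
                Case "Modify" : rights = rights Or FileSystemRights.Modify
                Case "Read" : rights = rights Or FileSystemRights.Read
                Case "Write" : rights = rights Or FileSystemRights.Write
                Case Else : Throw New ArgumentException("Unknown permission: " & name)
            End Select
        Next
        Return rights
    End Function

    ' Replaces the account's entries on the file with the chosen allow/deny sets.
    Sub ApplyPermissions(filePath As String, account As String,
                         allow As IEnumerable(Of String), deny As IEnumerable(Of String))
        Dim fi As New FileInfo(filePath)
        Dim fs As FileSecurity = fi.GetAccessControl()
        Dim id As New NTAccount(account)
        fs.PurgeAccessRules(id)              ' start from a clean state for this account
        If ToRights(allow) <> 0 Then
            fs.AddAccessRule(New FileSystemAccessRule(id, ToRights(allow), AccessControlType.Allow))
        End If
        If ToRights(deny) <> 0 Then
            fs.AddAccessRule(New FileSystemAccessRule(id, ToRights(deny), AccessControlType.Deny))
        End If
        fi.SetAccessControl(fs)              ' the ACL on disk only changes at this call
    End Sub

    Sub Main()
        Dim target As String = System.IO.Path.GetTempFileName()    ' constructed sample file
        Dim account As String = WindowsIdentity.GetCurrent().Name
        Try
            ApplyPermissions(target, account, {"Read"}, {"Write"})
            Dim rules = New FileInfo(target).GetAccessControl().GetAccessRules(True, True, GetType(NTAccount))
            For Each rule As FileSystemAccessRule In rules
                Console.WriteLine("{0,-6} {1} {2}", rule.AccessControlType, rule.IdentityReference.Value, rule.FileSystemRights)
            Next
        Catch ex As UnauthorizedAccessException
            Console.Error.WriteLine("Caller may not change this ACL: " & ex.Message)
        Finally
            File.Delete(target)
        End Try
    End Sub
End Module
```

Reading the rules back after SetAccessControl, as Main does, confirms what was actually written rather than what the list boxes show.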

 


Notes

This file is an authorized copy of the following article by the same author: Better to ask for permission then forgiveness (CodeProject original article).

The formatting of this Wiki article may be improved or different compared to the original version.

 

