Posted: 7/18/2011
Hello,
I'm wondering what the best practice is for restricting access/views to images based on a user's group?
For example:-
You have a web site that contains galleries with images. Based on preferences you can set on any gallery, you can restrict which user groups can view images in the gallery. Say you have the following user groups:-
Administrators, Officials, Special Registered Users, Registered Users
You also have anonymous browsers, i.e., people who are not logged in and are just browsing the site.
Say you can create galleries that restrict viewing access. You could have a gallery that only allows users that are Administrators, Officials and Special Registered Users to see images in this gallery, but not Registered Users or anonymous browsers; you may have a gallery that allows Administrators, Officials, Special Registered Users and Registered Users to see the images, but not anonymous browsers; and you may have a gallery that allows any user group to see the images in it, including anonymous/not-logged-in people.
Say for instance you also save 3 versions (sizes) of uploaded images, for instance "myimage_large.jpg", "myimage_med.jpg" and "myimage_small.jpg". The question is how you can stop users from directly accessing image URLs such as:-
http://www.mysite.com/images/gallery1/myimage_large.jpg
Say for instance you have gallery1, which only allows users that are Admins, Officials and Special Registered Users to see these images... but let's say a Registered User decides to be sneaky and tries to access the jpg files directly, like above, and it will display them, even though they shouldn't see them.
Likewise, an anonymous browser could try to guess the URL of the image and have it displayed for them, as a way to get around not being able to see them through the web pages (due to the security checks). How would you go about implementing this? Any help would be greatly appreciated. Thank you.
Hi,
If you want to stop users from accessing the images directly, i.e. if someone tries to access the URL http://yoursite.com/images/1.jpg, you can restrict them by putting the restriction on your images folder. You can set it via web.config:
<configuration>
  ...
  <location path="Images">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
The above config will deny users access to the Images folder. Now, for serving the images, you can use an HttpHandler. Instead of requesting the images directly, the user will request the handler like this: http://yoursite.com/Test.ashx?image=1.jpg, and you serve the image via this handler. You can put your permission logic here (you can check roles etc.) to decide whether to deliver the image to the end user or not. The code for the handler will be like this:
using System;
using System.IO;
using System.Web;

namespace TestProject
{
    /// <summary>
    /// Summary description for Test1
    /// </summary>
    public class Test1 : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            HttpRequest request = context.Request;
            HttpResponse response = context.Response;
            HttpCachePolicy cache = context.Response.Cache;

            var requestedImage = request["image"];

            // Only accept a bare file name. Without this check a request such as
            // ?image=../web.config would make the handler read files outside ~/Images.
            if (string.IsNullOrEmpty(requestedImage)
                || requestedImage != Path.GetFileName(requestedImage)
                || requestedImage.StartsWith("."))
            {
                response.StatusCode = 400;
                return;
            }

            //Your permission logic will come here

            var requestedImagePath = context.Server.MapPath(string.Format("~/Images/{0}", requestedImage));
            if (!File.Exists(requestedImagePath))
            {
                response.StatusCode = 404;
                return;
            }

            //Set cache time for images
            var maxAge = new TimeSpan(0, 30, 0);
            response.ContentType = "image/jpeg"; // the registered MIME type is image/jpeg, not image/jpg
            // Private: only the browser may cache it, never a shared proxy
            cache.SetCacheability(HttpCacheability.Private);
            cache.SetExpires(DateTime.UtcNow.Add(maxAge));
            cache.SetMaxAge(maxAge);
            context.Response.WriteFile(requestedImagePath);
        }

        public bool IsReusable
        {
            get { return false; }
        }
    }
}
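As an added example (not code from the original post), here is a fuller version of the handler approach in the answer above, applied to the per-gallery groups the asker describes: the gallery's allowed roles are looked up, anonymous users only get public galleries, the query-string values are validated before they are used to build a file path, and the resolved path is checked to still lie under the images root. The class name ImageHandler, the gallery and role names, the ~/Images/<gallery>/ layout and the gallery/image query-string parameters are all assumptions made for this example.

```csharp
// Added example, not from the original post. Assumes images are stored under
// ~/Images/<gallery>/<file> and requested as /Image.ashx?gallery=...&image=...
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;

namespace GalleryDemo
{
    public class ImageHandler : IHttpHandler
    {
        // Hypothetical policy table: gallery name -> roles that may view it.
        // An empty array means "public" (anonymous browsers allowed). In a real site
        // this would be loaded from the gallery preferences in the database.
        private static readonly Dictionary<string, string[]> GalleryRoles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "gallery1", new[] { "Administrators", "Officials", "SpecialRegisteredUsers" } },
                { "gallery2", new[] { "Administrators", "Officials", "SpecialRegisteredUsers", "RegisteredUsers" } },
                { "public",   new string[0] },
            };

        // Whitelist of what a gallery name and an image file name may look like.
        // No slashes, no dots except the extension: this is the path-traversal guard.
        private static readonly Regex SafeGallery = new Regex(@"^[A-Za-z0-9_\-]+$", RegexOptions.Compiled);
        private static readonly Regex SafeImage = new Regex(@"^[A-Za-z0-9_\-]+\.(jpg|jpeg|png|gif)$",
                                                            RegexOptions.IgnoreCase | RegexOptions.Compiled);

        // Pure authorization decision, kept separate so it can be unit tested.
        public static bool IsAllowed(string gallery, IPrincipal user)
        {
            string[] roles;
            if (!GalleryRoles.TryGetValue(gallery, out roles))
                return false;                       // unknown gallery: deny by default
            if (roles.Length == 0)
                return true;                        // public gallery, anonymous OK
            if (user == null || !user.Identity.IsAuthenticated)
                return false;                       // everything else needs a login
            foreach (var role in roles)
                if (user.IsInRole(role))
                    return true;
            return false;
        }

        private static string ContentTypeFor(string fileName)
        {
            switch (Path.GetExtension(fileName).ToLowerInvariant())
            {
                case ".jpg":
                case ".jpeg": return "image/jpeg";
                case ".png":  return "image/png";
                case ".gif":  return "image/gif";
                default:      return "application/octet-stream";
            }
        }

        public void ProcessRequest(HttpContext context)
        {
            var gallery = context.Request.QueryString["gallery"];
            var image = context.Request.QueryString["image"];

            if (string.IsNullOrEmpty(gallery) || string.IsNullOrEmpty(image)
                || !SafeGallery.IsMatch(gallery) || !SafeImage.IsMatch(image))
            {
                context.Response.StatusCode = 400;  // malformed request, do not touch the disk
                return;
            }

            if (!IsAllowed(gallery, context.User))
            {
                // Same 403 for "not logged in" and "wrong role": the guesser learns
                // nothing about whether the gallery or the file exists.
                context.Response.StatusCode = 403;
                return;
            }

            var root = context.Server.MapPath("~/Images/");
            var path = Path.GetFullPath(Path.Combine(Path.Combine(root, gallery), image));
            // Belt and braces: even after the regex checks, confirm the resolved path
            // is still inside the images root before reading the file.
            if (!path.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(path))
            {
                context.Response.StatusCode = 404;
                return;
            }

            context.Response.ContentType = ContentTypeFor(image);
            // Private caching only: a shared proxy must never cache an image one user
            // was authorised to see and then hand it to the next, unauthorised user.
            context.Response.Cache.SetCacheability(HttpCacheability.Private);
            context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(30));
            context.Response.TransmitFile(path);
        }

        public bool IsReusable { get { return true; } }
    }
}
```

The handler is wired up with an Image.ashx file containing `<%@ WebHandler Language="C#" Class="GalleryDemo.ImageHandler" %>`, and pages render `<img src="Image.ashx?gallery=gallery1&image=myimage_large.jpg">` for each of the three sizes, so the same check covers the large, medium and small files. One caveat on the web.config part of the answer: ASP.NET's `<authorization>` only applies to requests that ASP.NET actually handles. Under the IIS 7 integrated pipeline that includes static .jpg files, but under IIS 6 or the classic pipeline the .jpg is served by IIS before ASP.NET sees it, so the deny has no effect there unless a wildcard script mapping routes static files through ASP.NET. Storing the gallery folders outside the web root altogether (and pointing the handler at that directory instead of ~/Images) removes the dependency on the pipeline mode.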