Securing the file system

8 posts, 0 answered
  1. Eric Wallace (66 posts, registered 08 Oct 2009), posted 24 May 2010
    I've noticed that when I go into "Files" from the Sitefinity admin, I can right-click on web.config, copy it, paste it, rename it to webconfig.txt, and then I can open that text file through a web browser, which is a major security issue for us. Is there any way to prevent this from happening?
  2. Ivan Dimitrov (16072 posts, registered 25 Nov 2016), posted 24 May 2010
    Hi Eric Wallace,

    You could hide some of the files or disable the Files section for given roles. You may find this post useful - File Manager - Hide Folders

    Best wishes,
    Ivan Dimitrov
    the Telerik team

    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  3. Eric Wallace (66 posts, registered 08 Oct 2009), posted 24 May 2010
    Thanks Ivan, I have that part working. Now I have the same issue when I go to insert a document through the RadEditor. Is there a similar fix?

    For anyone that may stumble upon this, my solution was the following:

    ~/Sitefinity/Admin/Files.aspx.cs (additions to the existing page class; the page's existing using directives for the Telerik controls apply)

    // Folder names to hide from both the folder tree and the file grid.
    private string[] _restrictedFolders = new string[] { "App_Code", "App_Data", "Sitefinity", "App_Master", "bin" };
    // File extensions to hide from the file grid.
    private string[] _restrictedFiles = new string[] { ".config", ".cs" };

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        if (fileManager.Mode == FileManagerMode.Upload)
            mainPanel.Attributes.Add("class", "wrapperUpload");
        else
            mainPanel.Attributes.Add("class", "wrapperBrowser");

        // Locate the folder tree and the file grid inside the file manager's control tree.
        RadTreeView foldersTree = (RadTreeView)foldersNavigation.Controls[0].FindControl("foldersTree");
        RadGrid fileGrid = (RadGrid)fileManager.Controls[1].Controls[2].FindControl("fileGrid");

        // Hide restricted folders from the tree (case-insensitive match on the node text).
        foreach (var tNode in foldersTree.GetAllNodes())
        {
            foreach (string restrictedFolder in _restrictedFolders)
            {
                if (string.Equals(tNode.Text, restrictedFolder, StringComparison.OrdinalIgnoreCase))
                {
                    tNode.Visible = false;
                    break;
                }
            }
        }

        // Hide restricted folders and files from the grid as each row is bound.
        fileGrid.ItemDataBound += new GridItemEventHandler(fileGrid_ItemDataBound);
    }

    void fileGrid_ItemDataBound(object sender, GridItemEventArgs e)
    {
        if ((e.Item.ItemType == GridItemType.Item) || (e.Item.ItemType == GridItemType.AlternatingItem) || (e.Item.ItemType == GridItemType.EditItem))
        {
            GridDataItem dataItem = e.Item as GridDataItem;
            if (dataItem == null)
                return;

            string name = dataItem["Name"].Text;

            // Same case-insensitive folder match as the tree, so "Bin" and "bin" are treated alike.
            foreach (string restrictedFolder in this._restrictedFolders)
            {
                if (string.Equals(name, restrictedFolder, StringComparison.OrdinalIgnoreCase))
                {
                    dataItem.Display = false;
                }
            }

            // Match on the extension at the end of the name rather than anywhere in it:
            // a substring match on ".cs" would also hide every ".csv" file.
            foreach (string restrictedFile in this._restrictedFiles)
            {
                if (name.EndsWith(restrictedFile, StringComparison.OrdinalIgnoreCase))
                {
                    dataItem.Display = false;
                }
            }
        }
    }
  4. Ivan Dimitrov (16072 posts, registered 25 Nov 2016), posted 24 May 2010
    Hi Eric Wallace,

    In the Dialogs we use WebUITypeEditor. To restrict access you should create a custom WebUITypeEditor and replace the default UrlWebEditor referenced in the template Sitefinity\Admin\ControlTemplates\Libraries\Dialogs\ItemSelector.ascx

    <telerik:RadPageView runat="server" ID="pageViewFiles">
            <div id="fileManagerWrapepr"><cc:UrlWebEditor id="urlWebEditor" runat="server" /></div>


    Greetings,
    Ivan Dimitrov
    the Telerik team

  5. Eric Wallace (66 posts, registered 08 Oct 2009), posted 25 May 2010
    Thanks Ivan, unfortunately that didn't leave me with much to go on. I've created a custom control that inherits from UrlWebEditor. In the CreateChildControls method, I'm able to find the RadGrid and attach the ItemDataBound event, which is working fine and the folders and files are being filtered properly the first time the control loads. However, when I drill into one of the folders and then click on the "Folder Up" button, the grid is rebound and ignores the ItemDataBound event handler. The "Create New Folder" button is also causing a similar issue.

    Is there no other way to set security on the file browser dialogs? I would think that would be a pretty serious security concern to give everyone who has access to a RadEditor the ability to rename, copy, or delete any file within the project on the file system.

    Thanks for your help on this,
    Eric
  6. Ivan Dimitrov (16072 posts, registered 25 Nov 2016), posted 25 May 2010
    Hi Eric Wallace,

    There are no permissions set over the UrlWebEditor and the Files section of the CMS in the 3.x edition. Actually, the dialog does not implement any security settings related to the file system. Such problems are sorted out in Sitefinity 4.0. Another option would be hiding the grid for certain roles.

    Best wishes,
    Ivan Dimitrov
    the Telerik team

  7. Eric Wallace (66 posts, registered 08 Oct 2009), posted 25 May 2010
    Understood. Can you tell me what event is being fired when you click on a File Folder inside of a RadGrid? The command name on the link button is "Open", but nothing happens when I give the grid an ItemCommand event handler.
  8. Eric Wallace (66 posts, registered 08 Oct 2009), posted 25 May 2010
    I have my solution...I just disabled all the context menus in ~/Sitefinity/Admin/Files.aspx, and did the same in my custom control which replaced the UrlWebEditor in ~/Sitefinity/Admin/ControlTemplates/Libraries/Dialogs/ItemSelector.ascx

    Thanks for your help on this, Ivan.


    Here's the custom control code in case anyone ever needs it:
    using System;
    using Telerik.FileManager;   // UrlWebEditor; ManageFiles is assumed to live in the same namespace
    // RadGrid comes from the Telerik grid namespace already referenced by the project.

    // Replaces UrlWebEditor in ~/Sitefinity/Admin/ControlTemplates/Libraries/Dialogs/ItemSelector.ascx.
    public class RestrictedUrlWebEditor : Telerik.FileManager.UrlWebEditor
    {
        protected override void OnPreRender(EventArgs e)
        {
            base.OnPreRender(e);

            // Walk the editor's control tree to the file grid and detach the client-side
            // row context menu so rename/copy/delete cannot be started from it.
            ManageFiles mFiles = (ManageFiles)this.Controls[0];
            RadGrid filesGrid = (RadGrid)mFiles.Controls[1].Controls[2].Controls[0];
            filesGrid.ClientSettings.ClientEvents.OnRowContextMenu = null;
        }
    }
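The two snippets in this thread hide grid rows and detach the context menu, which removes the admin UI for copying web.config but does not by itself refuse the operation: hiding is a presentation decision, and the original problem (a .config file copied under a .txt name, which ASP.NET then serves like any other static file) is only closed if the server refuses the copy. The following is an added example, not code from this thread or from Telerik, of the check a practitioner would want run on every copy, rename, move, delete and upload regardless of what the grid shows. It reuses the folder and extension lists from post 3; the class name ProtectedPathPolicy, its methods, and the convention that your own code calls AllowOperation before carrying out an operation are assumptions (the thread does not show where in Sitefinity 3.x such a hook lives).

```csharp
// Added example: a server-side path policy for file-manager operations.
// Not from the original thread or from Telerik; the names and the calling
// convention are assumptions. Folder and extension lists are the thread's.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class ProtectedPathPolicy
{
    // Folders that must not be reachable through the file manager at any depth.
    private static readonly HashSet<string> RestrictedFolders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "App_Code", "App_Data", "Sitefinity", "App_Master", "bin" };

    // Extensions whose files must not be copied, renamed, moved or deleted.
    private static readonly HashSet<string> RestrictedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".config", ".cs" };

    // Split an application-relative path into normalized segments: backslashes
    // become slashes, a leading "~/" is dropped, "." is ignored and ".." pops the
    // previous segment, so "~/Images/../bin/x.dll" is seen as bin/x.dll and a
    // traversal cannot step around the folder list.
    public static string[] Segments(string virtualPath)
    {
        string path = (virtualPath ?? string.Empty).Replace('\\', '/');
        if (path.StartsWith("~/", StringComparison.Ordinal))
            path = path.Substring(2);

        var segments = new List<string>();
        foreach (string part in path.Split('/'))
        {
            if (part.Length == 0 || part == ".") continue;
            if (part == "..")
            {
                if (segments.Count > 0) segments.RemoveAt(segments.Count - 1);
                continue;
            }
            segments.Add(part);
        }
        return segments.ToArray();
    }

    // True when the path resolves to the application root, passes through a
    // restricted folder, or names a file with a restricted extension.
    public static bool IsProtected(string virtualPath)
    {
        string[] segments = Segments(virtualPath);
        if (segments.Length == 0) return true;
        if (segments.Any(s => RestrictedFolders.Contains(s))) return true;

        string leaf = segments[segments.Length - 1];
        string extension = Path.GetExtension(leaf);
        return extension.Length > 0 && RestrictedExtensions.Contains(extension);
    }

    // Refuse a copy, move or rename when either endpoint is protected; a delete
    // or an upload passes null as the side it does not have. This is what stops
    // web.config from becoming webconfig.txt: the source is protected whatever
    // the target name is, and the check does not depend on what the grid displayed.
    public static bool AllowOperation(string sourcePath, string destinationPath)
    {
        if (sourcePath != null && IsProtected(sourcePath)) return false;
        if (destinationPath != null && IsProtected(destinationPath)) return false;
        return sourcePath != null || destinationPath != null;
    }

    public static void Main()
    {
        // Constructed sample operations for demonstration.
        string[][] cases =
        {
            new[] { "~/web.config", "~/webconfig.txt" },            // copy of a .config file
            new[] { "~/Images/logo.png", "~/Images/../bin/x.png" }, // traversal into bin
            new[] { "~/Images/logo.png", "~/Images/logo2.png" },    // ordinary copy
            new[] { "~/App_Data/site.mdf", null },                  // delete inside App_Data
            new[] { null, "~/Images/Upload.CS" },                   // upload of a .cs file
        };
        foreach (string[] c in cases)
        {
            Console.WriteLine("{0} -> {1}: {2}",
                c[0] ?? "(upload)", c[1] ?? "(delete)",
                AllowOperation(c[0], c[1]) ? "allowed" : "refused");
        }
    }
}
```

Call AllowOperation in the code path that actually performs the file operation, before anything touches the disk; the grid filtering and the removed context menu then stay as a convenience for users rather than being the control. Because the check normalizes the path and compares extensions case-insensitively, it treats "Web.Config", "..\web.config" and "~/Images/../web.config" the same way, which a name-based grid filter does not.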