M# Tutorials

Learn to build .NET applications with M#. Our step-by-step tutorials will get you up-to-speed rapidly.
If you already know ASP.NET and C#, you can master M# in a week or two.

File Security

In the first two tutorials on security, we discussed Authentication and Role Based Authorization, which together serve the security requirements for pages and their contents comprehensively.

In this tutorial, we will learn about securing files and documents in a website. M# supports access control on files, which prevents unauthorized users from accessing secure files through their URL. M# provides the “File” type, which is used to store all types of documents, e.g. images, text documents, etc. For more information, read the tutorial “File” in chapter 2.

Implementing Security

To implement file security, you must mark a file as secure using the “Secure access” attribute, as shown below:

The screenshot above demonstrates that we have an “Employee” entity type, which has a property “Contract” of type “File”. We have marked the “Contract” property as secure by applying the “secure access” attribute.

M# stores all secure files in the “App_data” folder, which can be changed using the app setting property “UploadFolder.Secure”. “App_data” is the default location for security reasons, because it is by default a restricted folder in IIS.

Files marked as secure are not rendered using their original URL; instead, they are rendered through a special page URL, “Download.File.aspx”, and a request to this page is handled in the M# framework.

For each secure file-type property, you must implement a method in the business logic, which is invoked by the M# framework. The framework requires the specific naming format “Is + PropertyName + VisibleTo” in order to invoke the method. This method should take only one argument, of the interface type “IUser”, and must return “bool”.

The code shown below implements File Security for file type “Contract” in entity “Employee” by restricting access only to administrators.
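
The following is an added example, not the tutorial's own listing and not M# framework code. It shows the “Is + PropertyName + VisibleTo” rule for “Contract” together with a hypothetical dispatcher that resolves the rule by name and refuses access when no valid rule exists. The `IUser`, `Administrator` and `Customer` types are local stand-ins, and `SecureFileGate` is an assumed name.

```csharp
using System;
using System.Reflection;

// Stand-ins for illustration only; the real IUser comes from the M# framework.
public interface IUser { string Name { get; } }
public class Administrator : IUser { public string Name { get; set; } }
public class Customer : IUser { public string Name { get; set; } }

public class Employee
{
    public string Name { get; set; }

    // Convention from the tutorial: "Is" + PropertyName + "VisibleTo",
    // exactly one IUser argument, bool return.
    public bool IsContractVisibleTo(IUser user)
    {
        // Anonymous requests (null user) and non-administrators are refused.
        return user is Administrator;
    }
}

public static class SecureFileGate
{
    // Hypothetical dispatcher: mimics how a download handler could look up the rule.
    public static bool CanDownload(object entity, string propertyName, IUser user)
    {
        var method = entity.GetType().GetMethod(
            "Is" + propertyName + "VisibleTo",
            BindingFlags.Public | BindingFlags.Instance,
            null, new[] { typeof(IUser) }, null);

        // Fail closed: a missing rule or a non-bool return type means no access.
        if (method == null || method.ReturnType != typeof(bool)) return false;
        return (bool)method.Invoke(entity, new object[] { user });
    }
}

public static class Program
{
    public static void Main()
    {
        var employee = new Employee { Name = "Constructed sample" };
        Console.WriteLine(SecureFileGate.CanDownload(employee, "Contract", new Administrator()));
        Console.WriteLine(SecureFileGate.CanDownload(employee, "Contract", new Customer()));
        Console.WriteLine(SecureFileGate.CanDownload(employee, "Contract", null));
        Console.WriteLine(SecureFileGate.CanDownload(employee, "Photo", new Administrator()));
    }
}
```

The last call targets a property with no matching rule method, so the dispatcher denies it rather than defaulting to open access.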