File.Exists - need to know if the caller does not have permissions

[Guest]

By design File.Exists method returns false if the caller does not have permission, even if the file actually exists at the specified path. No exception is thrown

How can I differentiate between a case where file is truly not found and a case where there are no permissions

Thanks

-Stan

 

[Guest]

You could use a proxy user with full rights to check if the file exists... then you can use the users rights to control access to the file.

 

[Guest]

I may not know a user with the full rights.

----- hass chapman wrote: ----

You could use a proxy user with full rights to check if the file exists... then you can use the users rights to control access to the file.

 

[Anon]

You could demand with FileIOPermission yourself before the call to
File.Exists. Unfortunately this will probably be a performance hit because
you and the call to File.Exists will demand a stack walk.

This really is a design flaw, good catch.

By design File.Exists method returns false if the caller does not have

permission, even if the file actually exists at the specified path. No
exception is thrown.

How can I differentiate between a case where file is truly not found and a

case where there are no permissions?

 

[Anon]

Actually if you test for exists first, then on return of false you do the
FileIOPermission demand to see if it was because of permissions, you incur
the performance hit only when exists return false.

 

[Guest]

I would prefer an overload with an additional boolean parameter. If the parameter is set to true, the method throws an exception if a caller does not have permissions and returns false in case where file does not exists, but permissions are sufficient. If the parameter is set to false, it works as it is now..

Thanks for your pos

----- Anon wrote: ----

Actually if you test for exists first, then on return of false you do th
FileIOPermission demand to see if it was because of permissions, you incu
the performance hit only when exists return false

 

[JD]

I would prefer an overload with an additional boolean parameter. If the
parameter is set to true, the method throws an exception >if a caller does
not have permissions and returns false in case where file does not exists,
but permissions are sufficient. If the >parameter is set to false, it works
as it is now...

I don't know if I would agree to this. The action Exists, defined by its
name, exposes one intention revealing purpose, to see if a file exists. The
File.Exists action of checking for security permissions and then returning
false, is not revealed in the name Exists, it fools the user and then forces
the user to know whats going on inside when it does not behave as its name
implies, hence your problem. Its bad design.

I would prefer an overload with an additional boolean parameter. If the

parameter is set to true, the method throws an exception if a caller does
not have permissions and returns false in case where file does not exists,
but permissions are sufficient. If the parameter is set to false, it works
as it is now...

 

[MSFT]

Hello,

Thank you for using the community. I am Luke and I am review this issue
currently. Regarding the issue, I agree with Anon, when a user has no
enough permission, the file should be "invisble" to him. With this
situation, a FileIOPermission demand should be a proper solution. I compose
a function with FileIOPermission demand, you may refer to it:

Imports System.Security
Imports System.Security.Permissions

...

Public Function MyFileExist(ByVal FilePath As String)

If System.IO.File.Exists(FilePath) then
return True;
Else

Dim permFileIO As FileIOPermission = New
FileIOPermission(FileIOPermissionAccess.AllAccess, FilePath)

Try
permFileIO.Demand()

return True
Catch se As Exception
Return False
End Try

End If

End Sub

Hope this help,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

The name Exist does not reveal that a file may exists but a user may not have permissions to see it. The file may either exist or not. Third state (no permission) is an exception. Don't you agree

----- JD wrote: ----

I would prefer an overload with an additional boolean parameter. If th

parameter is set to true, the method throws an exception >if a caller doe
not have permissions and returns false in case where file does not exists
but permissions are sufficient. If the >parameter is set to false, it work
as it is now..

I don't know if I would agree to this. The action Exists, defined by it
name, exposes one intention revealing purpose, to see if a file exists. Th
File.Exists action of checking for security permissions and then returnin
false, is not revealed in the name Exists, it fools the user and then force
the user to know whats going on inside when it does not behave as its nam
implies, hence your problem. Its bad design

I would prefer an overload with an additional boolean parameter. If th

parameter is set to true, the method throws an exception if a caller doe
not have permissions and returns false in case where file does not exists
but permissions are sufficient. If the parameter is set to false, it work
as it is now..

 

[Anon]

The name Exist does not reveal that a file may exists but a user may not
have permissions to see it. The file may either exist or not. Third state
(no permission) is an >exception. Don't you agree?

I was originally thinking this but reading into what Luke wrote, it seems
that the intended action is, if a caller doesn't have rights then the file
does not exist to the caller. Viewing it from a security standpoint this is
correct action because its a security leak if an unauthorized caller
determines that the file exists because they get an unauthorized exception.
Unauthorized callers shouldn't get any information about a file period.

So now I take back what I said, its not a design flaw (fickle ain't I). If
you want/need to know whether a user has permissions or not, you must check
permissions yourself, its not the responsibility of the Exists method to do
that for you.

The name Exist does not reveal that a file may exists but a user may not

have permissions to see it. The file may either exist or not. Third state
(no permission) is an exception. Don't you agree?

 

[Guest]

How do I deal with 10,000 folders and files ?

In particular I get tripped up by the System Volume Information directory.

This seems very complicated and to me this appears to be either a serious flaw or intentional fence to prevent the development of good software.