C#: Determining whether a user has access permission to a path


How do you get the current system user's permissions on a file or folder?

1. Get the security information (DirectorySecurity)

DirectorySecurity fileAcl = Directory.GetAccessControl(folder);

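Directory.GetAccessControl returns the permission/security information of a folder.

For details, see the official MSDN documentation.

For detailed operations on file/folder permissions, see the blog post "C# Folder Permission Operations".

2. Get the folder's access rule list (FileSystemAccessRule)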

var rules = fileAcl.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).OfType<FileSystemAccessRule>().ToList();

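GetAccessRules() returns a collection of AuthorizationRule; only the file permission rules are needed here, hence the OfType<FileSystemAccessRule>() filter.

FileSystemAccessRule inherits from AuthorizationRule and adds two properties:

  • AccessControlType -- an enum, Allow/Deny
  • FileSystemRights -- the detailed access rights on the file (read, write, etc.), listed below: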
    /// <summary>Defines the access rights to use when creating access and audit rules.</summary>
    [Flags]
    public enum FileSystemRights
    {
      ReadData = 1,
      ListDirectory = ReadData, // 0x00000001
      WriteData = 2,
      CreateFiles = WriteData, // 0x00000002
      AppendData = 4,
      CreateDirectories = AppendData, // 0x00000004
      ReadExtendedAttributes = 8,
      WriteExtendedAttributes = 16, // 0x00000010
      ExecuteFile = 32, // 0x00000020
      Traverse = ExecuteFile, // 0x00000020
      DeleteSubdirectoriesAndFiles = 64, // 0x00000040
      ReadAttributes = 128, // 0x00000080
      WriteAttributes = 256, // 0x00000100
      Delete = 65536, // 0x00010000
      ReadPermissions = 131072, // 0x00020000
      ChangePermissions = 262144, // 0x00040000
      TakeOwnership = 524288, // 0x00080000
      Synchronize = 1048576, // 0x00100000
      FullControl = Synchronize | TakeOwnership | ChangePermissions | ReadPermissions | Delete | WriteAttributes | ReadAttributes | DeleteSubdirectoriesAndFiles | Traverse | WriteExtendedAttributes | ReadExtendedAttributes | CreateDirectories | CreateFiles | ListDirectory, // 0x001F01FF
      Read = ReadPermissions | ReadAttributes | ReadExtendedAttributes | ListDirectory, // 0x00020089
      ReadAndExecute = Read | Traverse, // 0x000200A9
      Write = WriteAttributes | WriteExtendedAttributes | CreateDirectories | CreateFiles, // 0x00000116
      Modify = Write | ReadAndExecute | Delete, // 0x000301BF
    }

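In AuthorizationRule, IdentityReference identifies the user or user group that the rule applies to, in the format "MYDOMAIN\MyAccount".

So matching the current system user name against IdentityReference yields the FileSystemAccessRule entries for that user. How to get the user name is covered in the next section.

3. Get the current system user name/user group

System.Environment.UserDomainName and System.Environment.UserName give the current user name.

For other operations on the current system user name/user group, see

Therefore, compare Path.Combine(Environment.UserDomainName, Environment.UserName) with IdentityReference.Value to get the current user's permission information for the folder. This matches only rules granted directly to the account; rules that reach the user through group membership are not matched.

The detailed implementation is as follows: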

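    // Requires: using System; using System.IO; using System.Linq; using System.Security.AccessControl;

    /// <summary>
    /// Checks whether the current user has permission to operate on this folder.
    /// </summary>
    /// <param name="folder">Path of the folder to check.</param>
    /// <returns>True if the user has an Allow rule and no Deny rule.</returns>
    public static bool HasOperationPermission(string folder)
    {
        // Builds "DOMAIN\User"; Path.Combine joins with '\' on Windows.
        var currentUserIdentity = Path.Combine(Environment.UserDomainName, Environment.UserName);

        DirectorySecurity fileAcl = Directory.GetAccessControl(folder);
        var userAccessRules = fileAcl.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))
            .OfType<FileSystemAccessRule>()
            // Windows account names are case-insensitive.
            .Where(i => string.Equals(i.IdentityReference.Value, currentUserIdentity, StringComparison.OrdinalIgnoreCase))
            .ToList();

        // Permission requires at least one Allow rule and no Deny rule for this account.
        return userAccessRules.Any(i => i.AccessControlType == AccessControlType.Allow)
            && !userAccessRules.Any(i => i.AccessControlType == AccessControlType.Deny);
    }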

Checking whether the folder can be deleted (deleting an empty folder only):

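    /// <summary>
    /// Checks whether the current user has permission to delete this folder.
    /// </summary>
    /// <param name="folder">Path of the folder to check.</param>
    /// <returns>True if Delete is allowed and not denied for the user.</returns>
    public static bool HasDeleteOperationPermission(string folder)
    {
        // Builds "DOMAIN\User"; Path.Combine joins with '\' on Windows.
        var currentUserIdentity = Path.Combine(Environment.UserDomainName, Environment.UserName);

        DirectorySecurity fileAcl = Directory.GetAccessControl(folder);
        var userAccessRules = fileAcl.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))
            .OfType<FileSystemAccessRule>()
            // Windows account names are case-insensitive.
            .Where(i => string.Equals(i.IdentityReference.Value, currentUserIdentity, StringComparison.OrdinalIgnoreCase))
            .ToList();

        // Delete must be granted by an Allow rule and must not be covered by a Deny rule.
        bool allowed = userAccessRules.Any(i => (i.FileSystemRights & FileSystemRights.Delete) != 0 && i.AccessControlType == AccessControlType.Allow);
        bool denied = userAccessRules.Any(i => (i.FileSystemRights & FileSystemRights.Delete) != 0 && i.AccessControlType == AccessControlType.Deny);
        return allowed && !denied;
    }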
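
The two methods above match only rules granted directly to "DOMAIN\User". As an added example (not code from the original post), the sketch below matches rules against every SID in the current token, user and groups, and combines the Allow and Deny masks. The class and method names, the sample SID and the in-memory ACL are assumptions made for illustration, and a matching Deny is treated as always winning, which is stricter than Windows' ordered ACE evaluation.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
public static class EffectiveAccess // hypothetical helper, not from the post
{
    // SIDs in the current token: the user plus the groups WindowsIdentity.Groups reports.
    public static ISet<SecurityIdentifier> CurrentSids()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            var sids = new HashSet<SecurityIdentifier> { id.User };
            foreach (IdentityReference g in id.Groups) sids.Add((SecurityIdentifier)g);
            return sids;
        }
    }

    // True only if every bit of 'wanted' is allowed to one of 'sids' and none is denied.
    // Simplification: a matching Deny always wins, regardless of ACE order.
    public static bool HasRights(FileSystemSecurity acl, ISet<SecurityIdentifier> sids, FileSystemRights wanted)
    {
        FileSystemRights allowed = 0, denied = 0;
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!sids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            // Inherit-only ACEs apply to child objects, not to this folder.
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            if (rule.AccessControlType == AccessControlType.Deny) denied |= rule.FileSystemRights;
            else allowed |= rule.FileSystemRights;
        }
        return (denied & wanted) == 0 && (allowed & wanted) == wanted;
    }

    public static void Main()
    {
        // Constructed sample: Modify granted through a group, Delete denied to the user.
        var user = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1001");
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var acl = new DirectorySecurity();
        acl.AddAccessRule(new FileSystemAccessRule(users, FileSystemRights.Modify, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(user, FileSystemRights.Delete, AccessControlType.Deny));
        var token = new HashSet<SecurityIdentifier> { user, users };
        Console.WriteLine("Read:   " + HasRights(acl, token, FileSystemRights.Read));
        Console.WriteLine("Delete: " + HasRights(acl, token, FileSystemRights.Delete));
        // Real folder with the real token (instance method on .NET Framework, extension on modern .NET).
        var real = new DirectoryInfo(Environment.CurrentDirectory).GetAccessControl();
        Console.WriteLine("Write here: " + HasRights(real, CurrentSids(), FileSystemRights.Write));
    }
}
```

The result is an estimate: it ignores ownership, privileges and share-level permissions, so code that needs certainty should attempt the operation and handle UnauthorizedAccessException.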

 

