How to restrict Access at folder level using VirtualPath Providers?
In EPiServer CMS 5.0 to add a folder under the ‘File Management', we added an entry in the webconfig file under the virtualPathProviders and mapped to a virtual folder C:/ExternalDocuments and the entry is as follows:
<add showInFileManager="true" virtualName="External Docs" virtualPath="~/ExternalDocuments/"
name="ExternalDocs" type="EPiServer.Web.Hosting.VirtualPathNativeProvider,EPiServer" />
On performing this we have the folder appearing under the ‘File Management' as ‘External Docs' and the contents of the virtual folder are mapped correctly.
We are able to upload a file both from EpiServer's Upload option as well as copy the files to the folder (C:/ExternalDocuments/) directly.
To retrieve and display the contents of the file in EpiServer, a PageType with property name ExternalLinkProp and type URL to document is created.
The file must have restricted access, and so we control it by giving them folder level access as we do not have file level security in EpiServer CMS 5.0. Now the problem is in security, i.e., though we are giving rights to the particular user alone, by default all users are able to view the contents having ‘Read' access.
We are reading the file and rendering the contents to the aspx page.
Below is the code written for rendering the files content.
public partial class ShowHtmlContent : TemplatePage
protected void Page_Load(object sender, EventArgs e)
String strExternalHtmlURL = CurrentPage["ExternalLinkProp"].ToString();
String strCurrentUser = PrincipalInfo.Current.Name;
VirtualPathNativeProvider vpnp = (VirtualPathNativeProvider)VirtualPathHandler.GetProvider("ExternalDocs");
AccessLevel currentAccessLevel = vpnp.QueryAccess(strExternalHtmlURL,PrincipalInfo.CurrentPrincipal);
//This is always giving ‘read' as o/p
String strHtmlContent = ParseHTML(strExternalHtmlURL);
if (strHtmlContent != null)
divRenderHTML.InnerHtml = strHtmlContent;
//rendering the contents
//Method to read the file
public static string ParseHTML(string filePath)
StreamReader srHTMLContents = new StreamReader(filePath, Encoding.Default);
string strContents = string.Empty;
strContents = srHTMLContents.ReadToEnd();
catch (Exception oEx)
srHTMLContents = null;
We are able to restrict access only by giving page level security to users. But this is not what we wanted.
How to control this and restrict access at folder level rather than page level?
Thanks in Advance...