I have a folder with some heavy restrictions on it. For one user, this person can see if a file exists, but cannot copy the file out, open the file, etc. The ONLY thing they can do is to see if the file exists.
When I look at the top-level, I see List folder contents is checked. That’s the ONLY permission they are allowed to have.

Now, when I use C# to pull the rights, I see that SEVERAL items are set, not just one. And when I look deeper into the rights, I see that at this lower level, the corresponding items are checked.

When I get the rights to this folder, it shows that the folder has “READ” access because the low-level flag for read is set. HOWEVER, I’ve tested with this user’s account. They most certainly do not have read access.
If I re-create a new folder and set the rights as listed here, the user can then copy files out of the new folder, which they should NOT be able to do.
I don’t understand the Windows security model.
How can I verify that the user has LIST access, but not READ access? What would I query for, specifically? NOTE: Querying for “List Folder/Read Data” but not “Read Permissions” does NOT work, as you can see below. Both of those are apparently set by the higher-level “List Folder Contents” option.
UPDATE:
I’m including the code snip I use to pull the information. Maybe that will help define what I’m looking for.
    using System.IO;
    using System.Security.AccessControl;
    using System.Security.Principal;

    internal void GroupsFromPath(string pth, bool IncludeInherited)
    {
        DirectorySecurity ds;
        try
        {
            DirectoryInfo di = new DirectoryInfo(pth);
            // Read only the DACL (access rules) of the folder.
            ds = di.GetAccessControl(AccessControlSections.Access);
        }
        catch
        {
            // The ACL could not be read (missing path, access denied, ...).
            return;
        }
        // Explicit rules are always included; inherited rules only on request.
        AuthorizationRuleCollection acl = ds.GetAccessRules(true,
            IncludeInherited, typeof(NTAccount));
        foreach (FileSystemAccessRule ace in acl)
        {
            bool L = CheckRights(ace, FileSystemRights.Traverse |
                FileSystemRights.ListDirectory);
            bool R = CheckRights(ace, FileSystemRights.Read);
            bool W = CheckRights(ace, FileSystemRights.Modify);
            DO_MAGIC(pth, L, R, W); // placeholder for the caller's own processing
        }
    }

    // True when the ACE is an Allow rule containing every bit of the given mask.
    private bool CheckRights(FileSystemAccessRule ACE,
        FileSystemRights fileSystemRights)
    {
        bool r = ((ACE.FileSystemRights & fileSystemRights) == fileSystemRights)
            && (ACE.AccessControlType == AccessControlType.Allow);
        return r;
    }
For LIST access you have to make sure that the permissions only apply to “This folder and subfolders” (see your screenshot).
The FileSystemAccessRule's InheritanceFlags property must be set to InheritanceFlags.ContainerInherit and the PropagationFlags property must be set to PropagationFlags.None. For a complete list (InheritanceFlags/PropagationFlags) see the blog of Damir Dobric.
BEGIN EDIT
To check whether or not a given FileSystemAccessRule realizes “List Folder Content Only” permissions you can use the following method (using the InheritanceFlags and PropagationFlags properties):
END EDIT
Hope this helps.
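One way to write the check the answer describes, as an added example (not the answerer's own method, which did not survive on this page). The class name, both helper names and the `EXAMPLE\user` account are hypothetical; the rules are built in memory, so no real folder is touched.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class ListOnlyCheck
{
    // "List folder contents" carries the same rights bits as "Read & execute";
    // the difference is which child objects inherit the ACE.
    const FileSystemRights ListMask =
        FileSystemRights.ListDirectory | FileSystemRights.Traverse;

    // Hypothetical helper: Allow ACE scoped to "This folder and subfolders".
    internal static bool IsListFolderContentsOnly(FileSystemAccessRule ace)
    {
        return ace.AccessControlType == AccessControlType.Allow
            && (ace.FileSystemRights & ListMask) == ListMask
            && ace.InheritanceFlags == InheritanceFlags.ContainerInherit
            && ace.PropagationFlags == PropagationFlags.None;
    }

    // Hypothetical helper: Allow ACE on a folder whose ReadData bit is
    // inherited by files (ObjectInherit), i.e. file contents become readable.
    internal static bool GrantsFileRead(FileSystemAccessRule ace)
    {
        return ace.AccessControlType == AccessControlType.Allow
            && (ace.FileSystemRights & FileSystemRights.ReadData) != 0
            && (ace.InheritanceFlags & InheritanceFlags.ObjectInherit) != 0;
    }

    static void Main()
    {
        var user = new NTAccount(@"EXAMPLE\user"); // constructed sample account
        // Same rights mask twice; only the inheritance flags differ.
        var listOnly = new FileSystemAccessRule(user, FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit, PropagationFlags.None,
            AccessControlType.Allow);
        var readExec = new FileSystemAccessRule(user, FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow);

        foreach (var ace in new[] { listOnly, readExec })
            Console.WriteLine("{0}: listOnly={1} fileRead={2}", ace.InheritanceFlags,
                IsListFolderContentsOnly(ace), GrantsFileRead(ace));
    }
}
```

The rights comparison uses a mask test rather than equality because the FileSystemRights value reported for an Allow rule also includes Synchronize. The helpers classify a single ACE on the folder; they do not compute effective access, which also depends on Deny rules, group membership and any ACL set directly on a file.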