Re: When to explicitly check permission

From: Nicole Calinoiu (calinoiu)
Date: 10/29/04


Date: Fri, 29 Oct 2004 12:13:31 -0400


"Andreas Håkansson" <andreas.hakansson@nospam.com> wrote in message
news:e0H1hJcvEHA.1988@TK2MSFTNGP12.phx.gbl...
> When should you explicitly check for correct permission? Perhaps this sounds
> strange, I know, but stick with me for a moment. For example the GetCurrentDirectory
> method on the Directory class throws an UnauthorizedAccessException if the
> caller doesn't have access to the I/O operation, so there wouldn't be any point
> in doing a Demand call on a FileIOPermission object and possibly trap a
> SecurityException instead, would there?

The UnauthorizedAccessException is thrown when the operating system denies
access, not when .NET denies access due to CAS permissions. However, the
Directory.GetCurrentDirectory method will implement a demand for
FileIOPermission.PathDiscovery for the target directory (assuming the
Windows API call doesn't fail first), so there's probably not much point in
implementing your own demand.

> The Exists method on the File class performs a call to the Demand method on a
> FileIOPermission object internally, but never rethrows the SecurityException (among
> others) which can occur internally in the method, but instead returns False - so why
> should I do an explicit check myself before I call the method? Or shouldn't I? =)

If the behaviour as implemented is OK with you, there's no point in
performing a preliminary demand for the same permission.

> The Framework is littered with scenarios like these. A few places I have used it is with
> the SQLClientPermission and SecurityPermission (to be sure I could call into unmanaged
> code - COM Interop scenario), but I would like some more general guidelines for this
> kind of stuff to improve the overall quality of my code.

There's really only one scenario in which you might typically want to
implement a demand of your own for a permission that's already being
demanded by a method that you're calling. This is when you're going to loop
through many calls of the target method, and you want to avoid the full
stack walk in each iteration of the loop. You could instead use a sequence
like the following: demand -> assert -> loop -> revert the assertion. Of
course, the usual assertion caveats apply.

>
> Cheers! =)
>
> //Andreas
>
>
>
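
The demand -> assert -> loop -> revert sequence from the reply above, written out as an added example (it is not code from the original thread). It assumes .NET Framework CAS and an assembly that is granted SecurityPermissionFlag.Assertion; the class and method names are hypothetical.

```csharp
using System.Collections.Generic;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical helper, added for illustration only.
static class ExistenceScanner
{
    // Counts how many of fileNames exist under rootDirectory.
    // rootDirectory must be an absolute path (FileIOPermission rejects relative ones).
    public static int CountExisting(string rootDirectory, IEnumerable<string> fileNames)
    {
        // Scope the permission to exactly what the loop needs: Read on one directory.
        // A directory path also covers the files and subdirectories beneath it.
        var permission = new FileIOPermission(FileIOPermissionAccess.Read, rootDirectory);

        // 1. Demand: one full stack walk, so every caller is checked up front.
        //    Without this step the Assert below would let less-trusted callers
        //    borrow this assembly's file access.
        permission.Demand();

        // 2. Assert: the demands made inside File.Exists now stop at this frame
        //    instead of walking the whole stack on every iteration.
        permission.Assert();
        try
        {
            int found = 0;
            foreach (string name in fileNames)
            {
                // 3. Loop. A name that resolves outside rootDirectory is not covered
                //    by the assertion, so it still gets a full stack walk; File.Exists
                //    returns false rather than throwing if that demand fails.
                if (File.Exists(Path.Combine(rootDirectory, name)))
                {
                    found++;
                }
            }
            return found;
        }
        finally
        {
            // 4. Revert, even on an exception, so the assertion never outlives
            //    the loop it was meant to cover.
            CodeAccessPermission.RevertAssert();
        }
    }
}
```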
