问题
I have a problem figuring out the permission set to get Directory.GetFiles() to work in an assembly used by SQL Server reporting services.
Background
Basically, I use this assembly to perform two things:
- read images from a file share
- enumerate all images in a folder on that share.
Feature 1: Reading an image (works fine)
Reading images works using a custom permission set:
<PermissionSet class="NamedPermissionSet"
version="1"
Name="MyCustomImagePermissionSet"
<IPermission class="FileIOPermission"
version="1"
Read="\\MyServer\MyFolder"/>
<IPermission class="SecurityPermission"
version="1"
Flags="Assertion, Execution"/>
</PermissionSet>
and referencing this permission set in a custom code group:
<CodeGroup class="UnionCodeGroup"
version="1"
PermissionSetName="MyCustomImagePermissionSet"
Name="MyImageCodeGroup"
<IMembershipCondition class="UrlMembershipCondition"
version="1"
Url="C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\MyProject\MyProject.Reports.Code.dll"
/>
</CodeGroup>
(Snippets taken from RSPreviewPolicy.config)
In my code, I use an assertion before opening a FileStream:
private Image LoadOriginalImageByPath(string path)
{
new FileIOPermission(FileIOPermissionAccess.Read, path).Assert();
Image originalImage;
using (var imageStream = new FileStream(path, FileMode.Open, FileAccess.Read))
{
originalImage = Image.FromStream(imageStream);
}
return originalImage;
}
Feature 2: Enumerating files in Directory (does not work)
Enumerating all the files in a subdirectory on the file server always results in a SecurityException:
System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) at System.Security.CodeAccessPermission.Demand() at System.IO.Directory.InternalGetFileDirectoryNames(String path, String userPathOriginal, String searchPattern, Boolean includeFiles, Boolean includeDirs, SearchOption searchOption) at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption) at System.IO.Directory.GetFiles(String path, String searchPattern) at MyProject.Reports.Code.ImageTools.GetImagesFullPaths(String searchDirectory, Int32 registerNr) The action that failed was: Demand The type of the first permission that failed was: System.Security.Permissions.FileIOPermission The Zone of the assembly that failed was: MyComputer
Here's the code:
public static IEnumerable<string> GetImagesFullPaths(string searchDirectory, int registerNr)
{
var pattern = string.Format("M{0:00000}?.jpg", registerNr);
new FileIOPermission(FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read, searchDirectory).Assert();
return Directory.GetFiles(searchDirectory, pattern);
}
Workaround: Using FullTrust
The only way I found to get around the problem is to use FullTrust for the custom assembly. But obviously, that makes the admin uneasy.
The Question
What am I missing to get the Directory.GetFiles() work without using the FullTrust permission set?
Edit
Thanks to the accepted answer, the solution is adding the PathDiscovery attribute to the permission element resulting in
<PermissionSet class="NamedPermissionSet"
version="1"
Name="MyCustomImagePermissionSet"
<IPermission class="FileIOPermission"
version="1"
Read="\\MyServer\MyFolder"/>
PathDiscovery="\\MyServer\MyFolder"/>
<IPermission class="SecurityPermission"
version="1"
Flags="Assertion, Execution"/>
</PermissionSet>
Thx!
回答1:
Enumerating files requires FileIOPermissionAccess.PathDiscovery on the target path. You need to add this to your custom permission set.
BTW, asserting the permission is essentially useless since the assert will not work unless your code already has the permission. (Assertions are only useful if you want your code to execute something that its calling code does not have permissions to do.)
来源:https://stackoverflow.com/questions/7093702/ssrs-cannot-figure-out-permission-set-for-enumerating-files-in-directory