madSecurity and GetEffectiveRightsFromAcl
Posted: Thu May 13, 2010 3:34 am
hello,
i need to determine if the current user can delete a file before attempting to process it.
unfortunately i can't just create then delete a temp file in the directory as the directory is being monitored by shell events, so it looks like i need to play with GetEffectiveRightsFromAcl.
i've found code showing how to do it using jwscl, however i'd prefer to use madSecurity.
here's what i have so far:
Code:
uses Windows, SysUtils, madSecurity, AclApi, AccCtrl, ...;

var
  secObj : ISecurityObject;
  dacl   : IAcl;
  user   : IAccount;
  trustee: _TRUSTEE_A;
  rights : cardinal;   // ACCESS_MASK filled in by GetEffectiveRightsFromAcl
  status : cardinal;
  s      : string;
begin
  secObj := FileSecurity('C:\temp\filename.ext');
  dacl   := secObj.DAcl;
  user   := CurrentUser();
  // describe the current user's SID as the trustee whose rights are evaluated
  trustee.pMultipleTrustee         := nil;
  trustee.MultipleTrusteeOperation := NO_MULTIPLE_TRUSTEE;
  trustee.TrusteeForm              := TRUSTEE_IS_SID;
  trustee.TrusteeType              := TRUSTEE_IS_USER;
  trustee.ptstrName                := user.PSid;
  status := GetEffectiveRightsFromAcl(dacl.PAcl^, trustee, rights);
  if status <> ERROR_SUCCESS then
    raise Exception.Create('#' + IntToStr(status) + ' ' + SysErrorMessage(status));
end;
this appears to work (it doesn't throw an error!), however i'm not sure how to interpret the returned rights.
as a test i blocked my ability to read the file, and used:
Code:
s := '';
if (rights and $00010000) <> 0 then   // DELETE
  s := s + 'delete ';
if (rights and $00020000) <> 0 then   // READ_CONTROL
  s := s + 'read_control ';
if (rights and $00040000) <> 0 then   // WRITE_DAC
  s := s + 'write_dac ';
if (rights and $00080000) <> 0 then   // WRITE_OWNER
  s := s + 'write_owner ';
if (rights and $00100000) <> 0 then   // SYNCHRONIZE
  s := s + 'synchronize ';
however this code reports that i have read_control access.
is anyone able to point me in the right direction please?
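As an added example (not from the post, madSecurity or JWSCL), here is a decoder for the ACCESS_MASK that GetEffectiveRightsFromAcl hands back, written in Python so it runs anywhere; the bit values are the Windows SDK constants the Delphi snippet tests by hand, plus the file-specific and generic bits, and the sample masks are constructed. It also applies the rule that a file can be deleted either with DELETE on the file or with FILE_DELETE_CHILD on its parent directory, so a delete check has to evaluate the parent's effective rights as well.

```python
# Added example (not from the post or madSecurity): decode a Windows ACCESS_MASK
# as returned by GetEffectiveRightsFromAcl; constants are winnt.h values.
STANDARD_RIGHTS = {          # bits 16..20, the ones the Delphi snippet tests by hand
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
FILE_RIGHTS = {              # object-specific bits 0..8 for files and directories
    0x0001: "FILE_READ_DATA",        # FILE_LIST_DIRECTORY on a directory
    0x0002: "FILE_WRITE_DATA",       # FILE_ADD_FILE on a directory
    0x0004: "FILE_APPEND_DATA",      # FILE_ADD_SUBDIRECTORY on a directory
    0x0008: "FILE_READ_EA",
    0x0010: "FILE_WRITE_EA",
    0x0020: "FILE_EXECUTE",          # FILE_TRAVERSE on a directory
    0x0040: "FILE_DELETE_CHILD",     # only meaningful on a directory
    0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}
GENERIC_RIGHTS = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
                  0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
DELETE, FILE_DELETE_CHILD = 0x00010000, 0x0040
# What the Explorer "Read" checkbox grants: READ_CONTROL | SYNCHRONIZE |
# FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
FILE_GENERIC_READ = 0x00120089


def decode_mask(mask):
    """Return the names of every right bit set in an ACCESS_MASK."""
    return [name
            for table in (FILE_RIGHTS, STANDARD_RIGHTS, GENERIC_RIGHTS)
            for bit, name in table.items() if mask & bit]


def can_read_file(file_mask):
    """Reading needs all of FILE_GENERIC_READ; READ_CONTROL alone only reads the ACL."""
    return (file_mask & FILE_GENERIC_READ) == FILE_GENERIC_READ


def can_delete_file(file_mask, parent_dir_mask):
    """A file is deletable with DELETE on the file itself or with FILE_DELETE_CHILD
    on its parent directory, so the parent's effective mask has to be checked too."""
    return bool(file_mask & DELETE) or bool(parent_dir_mask & FILE_DELETE_CHILD)


if __name__ == "__main__":
    # constructed sample masks: no DELETE on the file, FILE_DELETE_CHILD on the parent
    file_mask, parent_mask = 0x001200A9, 0x001200E9
    print(decode_mask(file_mask), can_read_file(file_mask), can_delete_file(file_mask, parent_mask))
```

Feed the two masks from GetEffectiveRightsFromAcl (one for the file, one for its parent directory) into can_delete_file; testing only the file's DELETE bit, as the snippet above does, misses deletes permitted through the directory.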