C# 判断用户是否对路径拥有访问权限

如何获取当前系统用户对文件/文件夹的操作权限？

1.获取安全信息DirectorySecurity

DirectorySecurity fileAcl = Directory.GetAccessControl(folder);

通过Directory.GetAccessControl获取文件夹的权限/安全信息

详细介绍，可参考MSDN官方文档

对文件/文件夹权限的详细操作，可参考一篇博客C#文件夹权限操作

2. 获取文件夹访问权限列表FileSystemAccessRule

var rules = fileAcl.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).OfType<FileSystemAccessRule>().ToList();

GetAccessRules()方法返回的是AuthorizationRule集合，此处只需要获取文件权限。

FileSystemAccessRule继承自AuthorizationRule，并新增俩个属性

• AccessControlType -- 枚举 Allow/Deny
• FileSystemRights -- 对文件的访问权限详细信息（读/写等），可见下面列表：

   /// <summary>定义要创建访问和审核规则时使用的访问权限。</summary>
   [Flags]
   public enum FileSystemRights
   {
     ReadData = ,
     ListDirectory = ReadData, // 0x00000001
     WriteData = ,
     CreateFiles = WriteData, // 0x00000002
     AppendData = ,
     CreateDirectories = AppendData, // 0x00000004
     ReadExtendedAttributes = ,
     WriteExtendedAttributes = , // 0x00000010
     ExecuteFile = , // 0x00000020
     Traverse = ExecuteFile, // 0x00000020
     DeleteSubdirectoriesAndFiles = , // 0x00000040
     ReadAttributes = , // 0x00000080
     WriteAttributes = , // 0x00000100
     Delete = , // 0x00010000
     ReadPermissions = , // 0x00020000
     ChangePermissions = , // 0x00040000
     TakeOwnership = , // 0x00080000
     Synchronize = , // 0x00100000
     FullControl = Synchronize | TakeOwnership | ChangePermissions | ReadPermissions | Delete | WriteAttributes | ReadAttributes | DeleteSubdirectoriesAndFiles | Traverse | WriteExtendedAttributes | ReadExtendedAttributes | CreateDirectories | CreateFiles | ListDirectory, // 0x001F01FF
     Read = ReadPermissions | ReadAttributes | ReadExtendedAttributes | ListDirectory, // 0x00020089
     ReadAndExecute = Read | Traverse, // 0x000200A9
     Write = WriteAttributes | WriteExtendedAttributes | CreateDirectories | CreateFiles, // 0x00000116
     Modify = Write | ReadAndExecute | Delete, // 0x000301BF
   }

因为AuthorizationRule中，IdentityReference对应权限的用户/用户组标识，格式为："MYDOMAIN\MyAccount"

所以，如通过当前系统用户名与IdentityReference匹配，即可获取FileSystemAccessRule权限。如何获取用户名，见下一段落

3. 获取当前系统用户名/用户组

通过 System.Environment.UserDomainName 和 System.Environment.UserName 取得当前用户名

对当前系统用户名/用户组的其它操作，可参考

• C# 管理 Windows 本地用户组
• C# 获取 Windows 用户组成员

因此，将Path.Combine(Environment.UserDomainName, Environment.UserName)与IdentityReference.Value比较，获取当前用户对文件夹的权限信息

详细实现如下：

     /// <summary>
     /// 检查当前用户是否拥有此文件夹的操作权限
     /// </summary>
     /// <param name="folder"></param>
     /// <returns></returns>
     public static bool HasOperationPermission(string folder)
     {
         var currentUserIdentity = Path.Combine(Environment.UserDomainName, Environment.UserName);

         DirectorySecurity fileAcl = Directory.GetAccessControl(folder);
         var userAccessRules = fileAcl.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).OfType<FileSystemAccessRule>().Where(i=>i.IdentityReference.Value==currentUserIdentity).ToList();

         return userAccessRules.Any(i => i.AccessControlType == AccessControlType.Deny);
     }

获取文件夹是否有删除权限（仅删除空文件夹）：

     /// <summary>
     /// 检查当前用户是否拥有此文件夹的删除操作权限
     /// </summary>
     /// <param name="folder"></param>
     /// <returns></returns>
     public static bool HasDeleteOperationPermission(string folder)
     {
         var currentUserIdentity = Path.Combine(Environment.UserDomainName, Environment.UserName);

         DirectorySecurity fileAcl = Directory.GetAccessControl(folder);
         var userAccessRules = fileAcl.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).OfType<FileSystemAccessRule>().Where(i => i.IdentityReference.Value == currentUserIdentity).ToList();

         if (userAccessRules.Count > 0 &&
             userAccessRules.Any(i => (i.FileSystemRights & FileSystemRights.Delete) != 0 && i.AccessControlType == AccessControlType.Allow))
         {

             return true;
         }
         return false;
     }