User and File Access Constants  
 

The following values are used for user access permissions, which are assigned to the client session. The server application can change these permissions by either calling the Authenticate method or setting the ClientAccess property. These permissions are also assigned to virtual users using the AddUser method.

Value Constant Description
1 httpAccessRead The client can download files and retrieve other resources using the GET command. This permission also allows the client to obtain information about a specific resource using the HEAD command. The resource that the client is attempting to retrieve must also have read permission, otherwise the command will fail.
2 httpAccessWrite The client can modify existing files or create new files using the PUT command. The directory where the client is attempting to create or modify the file must also have write permission, otherwise the command will fail. This permission is not granted by default to clients if the server is started in restricted mode. This permission is ignored if the server is started in read-only mode.
4 httpAccessExecute The client can execute scripts and CGI programs. If this permission is not granted to the client, it will be unable to use the GET, HEAD or POST commands if the resource is a program or script registered with the server. This permission is not granted by default to clients if the server is started in restricted mode.
8 httpAccessList If the client issues a GET command and the resource specifies a directory, this permission allows the server to return a list of files to the client if a default index file cannot be found. If this permission is not granted to the client, the directory must contain a default index file, otherwise the server will return an error. This permission is ignored if the server is started in restricted mode.
&H100000 httpAccessRestricted The client is restricted to accessing documents using the GET and HEAD commands, and those documents must be located in the root directory for the virtual host or in a subdirectory. The client cannot execute scripts, submit data to the server using the POST command or upload files using the PUT command.
&H800000 httpAccessDefault This value specifies that the default permissions should be granted to the client session. If the server is in restricted mode, the client will only be able to use the GET and HEAD commands to retrieve documents. If the server is not in restricted mode, the client can use all valid HTTP commands. These are the recommended access permissions for most clients.

The following values are used for file access permissions, which are assigned to files and directories using the AddPath method.

Value Constant Description
1 httpAccessRead If the virtual path specifies a file, the client can use the GET command to retrieve the contents of the file and the HEAD command will return information about the file. If the virtual path specifies a directory, the client can use the GET command to retrieve the index file for that directory. If the file or directory does not have this permission, the server will return an error to the client.
2 httpAccessWrite If the virtual path specifies a file, the client can modify the contents of the file using the PUT command. If the path specifies a directory, the client can use the PUT command to create a new file or replace an existing file in the directory.
4 httpAccessExecute If the virtual path specifies a script, the client can execute the script using either the GET or POST commands. If the path specifies a directory, then all scripts in that directory can be executed.
8 httpAccessList If the virtual path specifies a directory, and there is no default index file present, the server will return a list of files in that directory to the client. If this permission is not specified, the server will return an error if the directory does not have a default index file. It is recommended that you do not specify this permission when assigning the httpAccessExecute permission to a directory.
&H100000 httpAccessRestricted Access to the file or directory should be restricted to using the GET command to retrieve documents. This is effectively the same as only specifying httpAccessRead as the file access permissions. If this permission is combined with any permission other than httpAccessRead, those permissions will be ignored.
&H200000 httpAccessProtected Access to the file or directory is protected by a username and password. Clients should only be permitted to access the resource if they provide valid user credentials to the server. If this permission is assigned to a virtual path, the default command handlers will require the client to authenticate itself to permit access to the resource. The server application is responsible for authenticating the session.
&H800000 httpAccessDefault This value specifies that the default access permissions should be granted to the file or directory. If the virtual path specifies a file, the client can use the GET command to return the contents. If the path specifies a directory, the client can use the GET command to return the index file or a list of files in the directory. If the server is in restricted mode, it will return an error if a directory does not have an index page.

Remarks

When a client establishes a connection to the server, it is granted a default set of user access permissions based on the initial configuration of the server. By default, the client is granted all permissions, which means the client may use any valid HTTP command. If the server is started in restricted mode, then the client is only granted permission to read files. This means that restricted mode clients cannot obtain directory listings of files, nor can they create files or execute CGI programs. The user access permissions define the types of HTTP commands that the client is permitted to use. However, server options and individual permissions on specific files and directories can further limit what actions the client can take.

When these permissions are used in the context of file access, they can restrict the actions that any client can take, regardless of the user permissions assigned to the client session. For example, a client session may have the httpAccessWrite permission, which allows the use of the PUT command. However, unless the directory in which the client is attempting to create the file also has the httpAccessWrite permission, the PUT command will fail.

For security reasons, when the server is started, regular files only have the httpAccessRead permission and directories only have the httpAccessRead and httpAccessList permissions assigned to them. If you wish to allow clients to upload files to your server, or execute scripts stored in a directory, then you must create a virtual path to a physical directory and assign it the appropriate permissions. In both cases, best practices dictate that the physical directory should be located outside of the root directory of the server.

If you assign the httpAccessExecute permission to a virtual directory to allow clients to execute scripts using the GET or POST commands, you should make sure that clients cannot list, create or modify files in that directory. The scripts in that directory must have a registered handler, created using the RegisterHandler method. It is not necessary to create a virtual path to a CGI program registered using the RegisterProgram method because execute permission for that program is granted by default.
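
The guidance in the two paragraphs above, together with the httpAccessRestricted rule in the file access table, can be checked against a planned set of virtual paths before they are registered. The following is an added example, not code from the product or its documentation: the short constant names, the helper functions, the finding codes and the sample paths are all assumptions made for illustration, and only the bit values come from the tables on this page.

```python
from pathlib import PureWindowsPath

# Values copied from the constant tables on this page (short names are aliases).
READ, WRITE, EXECUTE, LIST = 0x1, 0x2, 0x4, 0x8
RESTRICTED, PROTECTED = 0x100000, 0x200000


def is_inside(child, parent):
    """True if `child` is `parent` or below it (expects absolute, normalised paths)."""
    c, p = PureWindowsPath(child), PureWindowsPath(parent)
    return c == p or p in c.parents


def audit_virtual_path(local_dir, access, server_root):
    """Return finding codes for one planned virtual path (hypothetical helper)."""
    findings = []
    # With restricted set, write/execute/list bits are ignored by the server.
    dropped = access & (WRITE | EXECUTE | LIST) if access & RESTRICTED else 0
    if dropped:
        findings.append("RESTRICTED_IGNORES_BITS")
    effective = access & ~dropped
    # A script directory should not be listable or writable by clients.
    if effective & EXECUTE and effective & (LIST | WRITE):
        findings.append("EXECUTE_WITH_LIST_OR_WRITE")
    # Upload and script directories belong outside the server root.
    if effective & (WRITE | EXECUTE) and is_inside(local_dir, server_root):
        findings.append("INSIDE_SERVER_ROOT")
    return findings


# Constructed sample configuration: (virtual path, local directory, access bits).
SERVER_ROOT = r"C:\wwwroot"
PLANNED = [
    ("/uploads", r"C:\wwwroot\uploads", READ | WRITE),
    ("/cgi", r"D:\cgi", READ | EXECUTE | LIST),
    ("/docs", r"C:\wwwroot\docs", RESTRICTED | READ | WRITE),
    ("/scripts", r"D:\scripts", READ | EXECUTE | PROTECTED),
]


def audit_all(planned=PLANNED, root=SERVER_ROOT):
    """Audit every planned path and map virtual path -> list of finding codes."""
    return {vp: audit_virtual_path(d, a, root) for vp, d, a in planned}


if __name__ == "__main__":
    for vpath, found in audit_all().items():
        print(vpath, found or "ok")
```

An empty list means the planned path follows the recommendations on this page; the check compares path strings only and does not resolve links or relative components.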

If you assign the httpAccessRestricted permission to a session by setting the ClientAccess property, the server will impose significant limitations on the client. This permission provides a high level of security, ensuring that the client cannot access any other documents outside of the server root directory; however, it also prevents the client from executing scripts or submitting data. If the website depends on server-side scripts and the use of CGI programs, assigning this permission may effectively disable use of the site for that client session.

See Also

ClientAccess Property, AddPath Method, AddUser Method, Authenticate Method