Fog Creek Software
Discussion Board




How to let two non-Admin XP users edit CityDesk?



Windows XP has built in file protection which prevents ONE non-Admin user from modifying files created by ANOTHER user ).

You can disable this using CACLS.

But, short of doing that, it looks like you can't have multiple users share, say, a CityDesk file.

Am I missing a simpler solution?

(I did extensive testing in WinXP, but I'm surprised other developers haven't run into this problem. So... I thought there was a simple solution I was missing.

Mr. Analogy
Wednesday, March 31, 2004

Give both users write permission on the file and the directory where it's stored.

Joel Spolsky
Fog Creek Software
Wednesday, March 31, 2004

My understanding is that this would require the ADMINISTRATOR to get involved and do this manually.

I was hoping for something easier (for the customer).

My current plan is to use the CACLS command for *my* programs' installs.

But (I think) you've answered my main question, which is: is there some easy, obvious solution I've missed which would do this automatically for the user. (Answer being "no")

Thanks!

Mr. Analogy
Wednesday, March 31, 2004

Could you have the customers save the CityDesk file in the Shared Documents folder on XP (or whatever it is called)?

Chris F
Wednesday, March 31, 2004

As far as I know the owner of a file can give permissions on the file to other people. You shouldn't need an administrator. The first person who created the file is the owner and they can grant permissions to other people. This is not really any different than any other file sharing scenario in Windows (has nothing to do with CityDesk).

Joel Spolsky
Fog Creek Software
Wednesday, March 31, 2004

"Could you ...  save the CityDesk file in the Shared Documents folder on XP ? "


No.  "By default, Windows XP uses File Permissions only in the Documents and Settings folder, to keep each user's documents private from other users"
from:
http://www.practicallynetworked.com/sharing/xp_filesharing/07ntfs-permisions.htm

  I.e., NonAdminUser1 can't SEE or modify files of NonAdminUser2.  An ADMIN user can see everyone's files.

I missed this problem entirely because I'm ALWAYS admin on our computers.  But it's becoming more common for users to be non-admin.

What's odd is that these settings should NOT apply to other directories (like c:\myapp) but the are, on two different fresh WindowsXP installs I've tested on. (Gotta love the ease of testing with virtual pc)

Mr. Analogy
Wednesday, March 31, 2004

When your app creates files and folders, it should set their permissions such that "everyone" can see them, use them, modify them. You don't need to get the admin involved at all.

entell
Wednesday, March 31, 2004

"...set their permissions ..."

I have found only one way to do that programatically (i.e., without asking the user to do it) : using the CACLS command.


IS there any other way to do this?

Mr. Analogy
Wednesday, March 31, 2004

What Chris F was getting at is that there is a system-created folder called "Shared Documents" that specifically exists for this purpose.  A user only needs to place a document within that folder to make it accessible to all users on that system. 

SomeBody
Wednesday, March 31, 2004

He is incorrect, as I pointed out above.

"If you put a file into the shared data directory, it will NOT be viewable by other users. "

I've tried it.

If you NonAdminUser1 creates a file in C:\documents and settings\all users\application data

AND then  NonAdminUser2 tries to edit it, she can not edit it.  (AT least on the three XP systems I tried it on, two of which are virgin Windows XP installs with the default settings)

In fact, NonAdminUser2 can not even SEE the document.

If you've tried this and gotten it to work, please let me know how you did it.

Mr. Analogy
Wednesday, March 31, 2004


Opps... I meant to say, above, that I tried writing to the My Computer\SHARED DOCUMENTS folder, and it failed.

Added file to that folder from NonAdmin1 then tried to edit it from NonAdmin2.  WindowsXP would not let me save my changes.

I'd love to be wrong here. Please tell me I'm crazy and that my virgin XP install chose a default "write protect all the folders" and that my customers won't have this problem.

Mr. Analogy
Wednesday, March 31, 2004

Somebody,

The files you put in the Shared Documents are *accessible* but only as READ ONLY (at least in my tests)

Mr. Analogy
Wednesday, March 31, 2004

Looks like you're correct.  With a default install, it looks like Shared Documents is read-only for Users and read/write for Power Users, Administrators, and the owner (makes sense to prevent just anyone from modifying shared files and inserting malicious content).

SomeBody
Wednesday, March 31, 2004

The following articles from MS Knowledge Base might be of interest. They talk about the file permission issues under WinXP

* http://support.microsoft.com/default.aspx?scid=kb;en-us;308418

* http://support.microsoft.com/default.aspx?kbid=307874

* http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

entell
Thursday, April 01, 2004

And an article on default permissions on Win2000
http://support.microsoft.com/default.aspx?scid=KB;en-us;q244600

Mr. Analogy
Thursday, April 01, 2004

Why on earth would you want a solution for this that bypassed the Administrator/all-his-little-helpers?

If the user does not have administrative access, I would suggest they should not be allowed to change write permissions on shared directories or files either. If they do need to do this, they should have the appropriate security profile to do so. Or the Admin has to get off his ass and do it for them.

DomF
Tuesday, April 06, 2004

"If they do need to do this, they should have the appropriate security profile to do so. Or the Admin has to get off his ass and do it for them.
"


We try to remove any obstacles between the customer wanting the product and paying us.

If we make things complicated for Admin, then
a.  They just MIGHT decide NOT to support it, so we lose a sale.

b.  Admin calls US to ask "what directories do you use? We need to provide access to those directories for this client".


My understanding is that they would either have to run CACLS themselves to provide permission to modify that directory or they'd have to create a custom profile.  Again, we try to make it easy for them to use, and thus pay for, software.

Mr. Analogy
Friday, April 09, 2004

*  Recent Topics

*  Fog Creek Home