如果用户应该能够修改自己的数据副本,我确实会使用漫游数据文件夹(除非文件很大,不适合漫游):每次启动应用程序时,检查该文件是否存在于用户的漫游文件夹中;如果不存在,则从程序目录中的通用只读副本为该用户创建初始副本。
另一方面,如果用户需要修改公共副本,则在程序目录中创建一个数据子目录,并修改其安全描述符,向 Users 组授予写入权限。下面是执行此操作的一段本机代码。这段代码当然应该由安装程序执行,因为它需要管理员权限。注意:授权之后,本机的任何用户都可以修改该子目录中的全部内容,因此其中只应存放数据,不应存放可执行文件或 DLL。
编辑:糟糕!我才意识到这段代码是我从之前的一个 SO 问题中得到的。
#include <aclapi.h>
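/*
 * Create the directory lpPath and add an inheritable full-control ACE for
 * the built-in Users group to its existing DACL.
 *
 * Parameters:
 *   lpPath - path of the directory to create; creation fails if the
 *            directory already exists.
 *
 * Returns TRUE only when the directory was created AND the new DACL was
 * applied. On failure returns FALSE and the Win32 error code is available
 * through GetLastError(). If the directory was created but the ACL update
 * failed, the directory is left in place with whatever permissions it had
 * at creation.
 *
 * Security notes:
 *   - Changing the DACL requires WRITE_DAC on the new directory; the
 *     surrounding text runs this from an installer with administrator rights.
 *   - After this call every member of Users can create, modify and delete
 *     anything below lpPath (the ACE is inherited by sub-directories and
 *     files). Keep only data there; executables or DLLs placed in this
 *     directory could be replaced by any local user.
 */
BOOL CreateDirectoryWithUserFullControlACL(LPCTSTR lpPath)
{
    BOOL ok = FALSE;
    DWORD err = ERROR_SUCCESS;
    HANDLE hDir = INVALID_HANDLE_VALUE;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pOldDACL = NULL;   /* points INTO pSD; must not be freed separately */
    PACL pNewDACL = NULL;
    PSID pSid = NULL;
    SID_IDENTIFIER_AUTHORITY authNt = SECURITY_NT_AUTHORITY;
    EXPLICIT_ACCESS ea = {0};

    /* Create directory (last error is set by the API on failure) */
    if (!CreateDirectory(lpPath, NULL))
        return FALSE;

    /* Open directory object; FILE_FLAG_BACKUP_SEMANTICS is required to
     * obtain a handle to a directory. */
    hDir = CreateFile(lpPath, READ_CONTROL | WRITE_DAC, 0, NULL,
                      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (hDir == INVALID_HANDLE_VALUE)
        return FALSE;

    /* Get current security info for the directory */
    err = GetSecurityInfo(hDir, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, &pOldDACL, NULL, &pSD);
    if (err != ERROR_SUCCESS)
        goto cleanup;

    /* Create SID for BUILTIN\Users */
    if (!AllocateAndInitializeSid(&authNt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0,
                                  &pSid)) {
        err = GetLastError();
        goto cleanup;
    }

    /* Create Full Access descriptor for Users.
     * GENERIC_ALL is full control: besides read/write/delete it also lets
     * any member of Users rewrite the DACL and take ownership.
     * NOTE(review): if callers only need to read and write data files, a
     * narrower mask would be the least-privilege choice; kept as-is because
     * the function name promises full control. */
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfInheritance = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;
    ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.ptstrName = (LPTSTR)pSid;

    /* Merge the new ACE with the directory's current permission list */
    err = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (err != ERROR_SUCCESS)
        goto cleanup;

    /* Apply the merged DACL; only now has the function actually succeeded */
    err = SetSecurityInfo(hDir, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, pNewDACL, NULL);
    if (err != ERROR_SUCCESS)
        goto cleanup;

    ok = TRUE;

cleanup:
    /* Clean up resources. pOldDACL is released together with pSD. */
    if (pSid != NULL)
        FreeSid(pSid);
    if (pNewDACL != NULL)
        LocalFree(pNewDACL);
    if (pSD != NULL)
        LocalFree(pSD);
    CloseHandle(hDir);

    /* Cleanup calls may overwrite the thread's last error; restore the one
     * that describes the actual failure. */
    if (!ok)
        SetLastError(err);
    return ok;
}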