User Access Constants  
  An authenticated user can be granted permission to perform various actions. Prior to authentication, a client session has extremely limited access to the server and is granted permission to use a restricted subset of commands. When the Authenticate method is called to authenticate the session, one or more of these values may be used to grant or restrict access to specific functionality. In most cases it is recommended that clients are authenticated using the default permissions based on the server configuration and whether the client has requested authentication as a regular user or as an anonymous user.  
 
Value Constant Description
1 ftpAccessRead The client can download files using the RETR command. If this permission is not granted, the server will reject all requests by the client to download files, regardless of the actual file access rights.
2 ftpAccessWrite The client can upload files using the STOR and STOU commands. If this permission is not granted, the server will reject all requests by the client to upload files. By default, anonymous clients are not granted this permission. If the server is started in restricted mode, this option must be explicitly specified to allow a client to upload files.
4 ftpAccessAppend The client can append to files using the APPE command. If this permission is granted, it will automatically grant the ftpAccessWrite permission as well. If this permission is not granted, the server will reject all requests by the client to append data to a file. By default, anonymous clients are not granted this permission. If the server is started in restricted mode, this option must be explicitly specified to allow a client to upload files.
8 ftpAccessList The client can request a list of files in a directory using the LIST, NLST or MLSD commands. This permission is also required for the client to be able to obtain information about a specific file using the STAT, MDTM, MLST or SIZE commands. If this permission is not granted, the server will reject all requests for a file list.
&H10 ftpAccessModify The client can modify the attributes or modification times for a file using the MFMT, SITE ATTRIB, SITE CHMOD and SITE UTIME commands. If this permission is not granted, the server will reject all requests to modify the attributes of a file. By default, anonymous clients are not granted this permission.
&H20 ftpAccessRename The client can rename or move a file using the RNFR and RNTO commands. If this permission is not granted, the server will reject all requests to rename a file, even if the file name is valid and the server process has the appropriate access rights. By default, anonymous clients are not granted this permission.
&H40 ftpAccessDelete The client can delete a file using the DELE command. If this permission is not granted, the server will reject all requests to delete a file, even if the file name is valid and the server process has the appropriate access rights. By default, anonymous clients are not granted this permission.
&H80 ftpAccessChdir The client can change its current working directory using the CWD or CDUP commands. If this permission is not granted, the client is effectively locked to its home directory, although it can still specify a path when sending file or directory commands. If the server was started in restricted mode, the client will be unable to move outside of its home directory or subdirectories, regardless of whether this permission has been specified or not.
&H100 ftpAccessMkdir The client can create a directory using the MKD command. If this permission is not granted, the server will reject all requests to create a directory, even if the name is valid and the server process has the appropriate access rights. By default, anonymous clients are not granted this permission.
&H200 ftpAccessRmdir The client can remove a directory using the RMD command. If this permission is not granted, the server will reject all requests to remove a directory, even if the directory is empty and the server process has the appropriate access rights. By default, anonymous clients are not granted this permission.
&H400 ftpAccessIdle The client can change the idle timeout period from the value that was specified in the server configuration. This controls the amount of time that the client can remain idle until the server terminates the session. The minimum idle timeout period is 60 seconds and the maximum is 7200 seconds (2 hours). By default, anonymous clients are not granted this permission.
&H800 ftpAccessExecute The client can execute commands on the server using the SITE EXEC command. This command executes a console application and redirects the standard output to the control channel of the client session. Because this can introduce potential security threats to the server, this permission is never granted by default and it should only be granted to specific users who require this functionality.
&H100000 ftpAccessRestricted The client is restricted to accessing files in its home directory and any subdirectories of the home directory. The client home directory is considered to be the root directory for the client session, with all file and directory paths being considered relative to the home directory. If this permission is specified alone without being combined with any other permissions, it will also grant the ftpAccessRead, ftpAccessList and ftpAccessChdir permissions to the client session.
&H200000 ftpAccessAnonymous The client should be considered an anonymous user and is subject to the restrictions imposed on all anonymous client sessions. If the server was started in multiuser mode, the client will be restricted to the public directory and any subdirectories. If this permission is specified alone without being combined with any other permissions, it will also grant the ftpAccessRead, ftpAccessList and ftpAccessChdir permissions to the client session.
&H800000 ftpAccessDefault A set of default permissions for the user based on the initial configuration of the server. Normally all permissions are granted except for ftpAccessExecute. If the Restricted property was set to True when the server was started, the default permissions will limit the client to downloading files and directory listings.

Remarks

The permission ftpAccessNone will grant no access rights to the client. It is not recommended that you use this value, particularly if your server is going to be publicly accessible using third-party applications. Assigning ftpAccessNone to a user can cause third-party applications to fail in unexpected ways if they log in as that user. Most client software expects authenticated users to be able to obtain information about files in their current working directory. To prevent clients from accessing files outside of their home directory and to limit the actions they can take, set the Restricted property to True and use ftpAccessDefault as the permission granted to users.

The permission ftpAccessAll will grant all access rights to a client, including the permission to execute registered programs using the SITE EXEC command. Any external programs that you have registered for use should be thoroughly reviewed to ensure that they do not present a security risk to the server. Note that the ftpAccessAll permission will never permit a client to execute an arbitrary executable on the server. The only external programs that can be executed using SITE EXEC are those that are explicitly registered using the RegisterProgram method.
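
The following is an added example, not part of the control's own API: a Python helper for reviewing the permission masks assigned to users, which expands the implicit grants described in the table and reports grants that deserve a second look. The flag values come from the table above; the Python names (FtpAccess, effective, audit) are hypothetical, and ftpAccessDefault is treated as opaque because its meaning depends on the server configuration.

```python
from enum import IntFlag

class FtpAccess(IntFlag):
    # Values copied from the table on this page; the Python names are illustrative.
    READ = 0x1
    WRITE = 0x2
    APPEND = 0x4
    LIST = 0x8
    MODIFY = 0x10
    RENAME = 0x20
    DELETE = 0x40
    CHDIR = 0x80
    MKDIR = 0x100
    RMDIR = 0x200
    IDLE = 0x400
    EXECUTE = 0x800
    RESTRICTED = 0x100000
    ANONYMOUS = 0x200000
    DEFAULT = 0x800000

A = FtpAccess
BASIC = A.READ | A.LIST | A.CHDIR
# Permissions the page says anonymous clients do not receive by default.
ANON_OFF = (A.WRITE | A.APPEND | A.MODIFY | A.RENAME | A.DELETE
            | A.MKDIR | A.RMDIR | A.IDLE)

def effective(mask):
    """Expand the implicit grants described in the table."""
    acc = A(mask)
    if acc & A.APPEND:                      # Append also grants Write
        acc |= A.WRITE
    if acc in (A.RESTRICTED, A.ANONYMOUS):  # flag specified alone
        acc |= BASIC
    return acc

def names(acc):
    """Constant names, as spelled on this page, for the bits set in acc."""
    return ["ftpAccess" + f.name.title() for f in A if f & acc]

def audit(mask):
    """Return least-privilege findings for one user's permission mask."""
    acc, out = effective(mask), []
    if acc & A.EXECUTE:
        out.append("SITE EXEC allowed: review every registered program")
    if acc & A.ANONYMOUS and acc & ANON_OFF:
        out.append("anonymous user granted " + ", ".join(names(acc & ANON_OFF)))
    if acc & A.DEFAULT:
        out.append("ftpAccessDefault set: effective rights depend on server configuration")
    return out
```

The helper reads "specified alone" literally, so ftpAccessRestricted combined with any other flag receives no implicit read, list or change-directory grant.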

See Also

ClientAccess Property, Restricted Property, Authenticate Method, OnAuthenticate Event