The right use of <identity impersonate="true"/>
In my Website, Users who has logged in are able to change their profile pictures, and this process includes saving the uploaded image to a folder in the website's root directory.
When I tested it, I received an Error that I should grant access to this specific folder using permissions.
I do not have control over the Control Panel, the one who does said that he did grant the Images folder a READ and WRITE permissions to Others.
After Testing it again, once again the same error, so I edited web.config and included:
<identity impersonate="true"/>
And now everything seems to work perfectly. BUT, what did I just do here? Is there any security risk? Did I grant anonymous access to my website for everyone?
Answer
BUT, what did I just do here?
You are now running your website under the identity of the client user.
Is there any security risk?
That would depend on the permissions that this account has on the server. Usually it is bad practice to run a website with accounts that have lots of privileges. Ideally you should configure your website to run under an account that you explicitly grant privileges to the required folders.
The problem with your approach is that if another user that doesn't have access to the specified folder visits your website, it won't work for him. If on the other hand this is expected behavior then you are probably fine by impersonating user identities.
Did I grant anonymous access to my website for everyone?
No, this has nothing to do with authentication.