Fix GetFileAccessFromRights bitwise logic for compound FileSystemRights flags (#122406)

Copilot · stephentoub · web-flow · commit f71826b2bb14 · 2026-01-13T10:35:20.000-08:00
Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: stephentoub &lt;2642209+stephentoub@users.noreply.github.com&gt;
Co-authored-by: Stephen Toub &lt;stoub@microsoft.com&gt;
diff --git a/src/libraries/System.IO.FileSystem.AccessControl/src/System/IO/FileSystemAclExtensions.cs b/src/libraries/System.IO.FileSystem.AccessControl/src/System/IO/FileSystemAclExtensions.cs
@@ -218,8 +218,8 @@ private static FileAccess GetFileAccessFromRights(FileSystemRights rights)
         {
             FileAccess access = 0;
 
-            if ((rights & FileSystemRights.FullControl) != 0 ||
-                (rights & FileSystemRights.Modify) != 0)
+            if ((rights & FileSystemRights.FullControl) == FileSystemRights.FullControl ||
+                (rights & FileSystemRights.Modify) == FileSystemRights.Modify)
             {
                 return FileAccess.ReadWrite;
             }
diff --git a/src/libraries/System.IO.FileSystem.AccessControl/tests/FileSystemAclExtensionsTests.cs b/src/libraries/System.IO.FileSystem.AccessControl/tests/FileSystemAclExtensionsTests.cs
@@ -507,6 +507,42 @@ public void FileInfo_Create_FileSecurity_DenyAccessRule(FileSystemRights rightsT
             VerifyAccessSecurity(expectedSecurity, actualSecurity);
         }
 
+        [Fact]
+        public void FileInfo_Create_ReadRights_CanWriteIsFalse()
+        {
+            // Regression test: When opening a file with FileSystemRights.Read, the FileStream should have CanWrite = false
+            using var tempRootDir = new TempAclDirectory();
+            string path = tempRootDir.GenerateSubItemPath();
+            var fileInfo = new FileInfo(path);
+
+            // First create the file
+            using (FileStream createStream = fileInfo.Create(
+                FileMode.CreateNew,
+                FileSystemRights.Write,
+                FileShare.ReadWrite | FileShare.Delete,
+                DefaultBufferSize,
+                FileOptions.None,
+                null))
+            {
+                Assert.True(fileInfo.Exists);
+                tempRootDir.CreatedSubfiles.Add(fileInfo);
+            }
+
+            // Now open it with read-only rights
+            using (FileStream readStream = fileInfo.Create(
+                FileMode.Open,
+                FileSystemRights.Read,
+                FileShare.ReadWrite | FileShare.Delete,
+                DefaultBufferSize,
+                FileOptions.None,
+                null))
+            {
+                // The stream should be read-only
+                Assert.False(readStream.CanWrite, "FileStream opened with FileSystemRights.Read should have CanWrite = false");
+                Assert.True(readStream.CanRead, "FileStream opened with FileSystemRights.Read should have CanRead = true");
+            }
+        }
+
         #endregion
 
         #region DirectorySecurity CreateDirectory

Original file line number	Diff line number	Diff line change
`@@ -218,8 +218,8 @@ private static FileAccess GetFileAccessFromRights(FileSystemRights rights)`
`218`	`218`	`{`
`219`	`219`	`FileAccess access = 0;`
`220`	`220`
`221`		`- if ((rights & FileSystemRights.FullControl) != 0 \|\|`
`222`		`- (rights & FileSystemRights.Modify) != 0)`
	`221`	`+ if ((rights & FileSystemRights.FullControl) == FileSystemRights.FullControl \|\|`
	`222`	`+ (rights & FileSystemRights.Modify) == FileSystemRights.Modify)`
`223`	`223`	`{`
`224`	`224`	`return FileAccess.ReadWrite;`
`225`	`225`	`}`