ASP.NET Active Directory authorization for each web page - asp.net

I am new to ASP.NET and have been asked to do the following. I have tried looking at a large number of Stack Overflow articles on this topic but wasn't quite able to find a specific answer to my situation.
The scenario is the following: the web application is internal to the company. Within the application, there are many pages that should have varying levels of access based on AD groups. So for example, for one page, if a user is in any of the AD groups A, B, C or D, they will have access. Another page may provide access to a user who belongs to any of AD groups E, F, or G.
Not sure if I read the other Stack Overflow articles incorrectly, but it seemed like they answered the question of providing access to a user who is part of a particular group (single group). For a given web page, I want to provide access to the user if they are part of any of the groups that I specify as permitted to visit that page.
Furthermore, is there an easy way to store the AD group names that I want to have access to each page in a file, and authorize against this file without writing much code? This way if I need to change the groups allowed to visit a particular page, I can just change the list of group names in the file.

If you want users to be automatically logged in, then hosting in IIS is by far the easiest way. Instructions on setting that up are here: Configure Windows Authentication in ASP.NET Core
Locking down certain parts of the site by AD group is pretty easy too. You simply use AuthorizeAttribute above either a whole controller, or just an action, and specify the Roles:
[Authorize(Roles = "DOMAIN\\GroupName")]
If you want the group name to be configurable, then you can create a policy for each group that reads the group name from your appsettings.json (or anywhere else, really) and you set the Policy property of the AuthorizeAttribute instead of Roles.
Details on how to set that up are in this answer: https://stackoverflow.com/a/48148149/1202807
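A sketch of the configurable approach described in this answer, added here as an example and not taken from the answer or the linked post. It assumes ASP.NET Core 6 or later hosted in IIS; the `PagePolicies` section, the policy names, the group names and `ReportsController` are hypothetical.

```csharp
// Program.cs: ASP.NET Core 6+ app hosted in IIS with Windows Authentication enabled.
// appsettings.json (constructed sample; policy and group names are placeholders):
//   "PagePolicies": {
//     "ReportsPage": [ "DOMAIN\\GroupA", "DOMAIN\\GroupB", "DOMAIN\\GroupC", "DOMAIN\\GroupD" ],
//     "AdminPage":   [ "DOMAIN\\GroupE", "DOMAIN\\GroupF", "DOMAIN\\GroupG" ]
//   }
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(IISDefaults.AuthenticationScheme);

// Policy name -> AD groups allowed to open the pages that use that policy.
var pagePolicies = builder.Configuration
    .GetSection("PagePolicies")
    .Get<Dictionary<string, string[]>>() ?? new Dictionary<string, string[]>();

builder.Services.AddAuthorization(options =>
{
    foreach (var (policyName, groups) in pagePolicies)
    {
        // Reject a policy with no groups at startup rather than leave access undefined.
        if (groups is null || groups.Length == 0)
            throw new InvalidOperationException(
                $"Policy '{policyName}' has no AD groups configured.");

        // RequireRole passes when the user is in ANY one of the listed groups.
        options.AddPolicy(policyName, policy => policy.RequireRole(groups));
    }

    // Pages without an [Authorize] attribute still require a signed-in user.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical page: members of group A, B, C or D are allowed in.
[Authorize(Policy = "ReportsPage")]
public class ReportsController : Controller
{
    public IActionResult Index() => View();
}
```

The policies are built once at startup, so an edited group list takes effect after the application restarts. An `[Authorize(Policy = "...")]` name that is missing from the file is not silently allowed: the request fails because the policy cannot be found.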

Related

How to set User Role with Identity in MVC application

I have this project, which is a school management system. I have created roles (Teacher, Admin, Staff), and I can now assign which role is allowed to view each page. I want the Teacher role to be more specific, because I have a page where the teacher can see the list of all the subjects that she/he teaches.
Now my problem is that when a teacher logs in, I want the teacher who is logged in to see only her own subjects. Right now, with my role (Teacher), they can see the list of subjects from other teachers too. Any idea on how to solve this? Or what are the things I should add or learn to achieve my goal? I heard about MVC Identity; is it the one responsible for fixing this issue? I would appreciate it if you could give me an idea of how to deal with this. Thanks!
If I understood your problem correctly, what you are looking for is resource-based authorization (authorization depends upon the resource being accessed). As far as I know, this cannot be done with declarative security.
In order to gain such flexibility, you have to call an authorization function inside the action method.
Depending on the result of that authorization function, you can return 403 or the required resource.
Speaking of your requirement, extract the user id inside your action method and filter out other teachers' subjects.
If you are using ASP.NET Identity, this link may help you to get started.
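The check described in this answer, added here as an example that is not part of the original answer. It is written for an ASP.NET Core MVC controller as an assumption; the `Subject` record, the `SubjectsController` name and the in-memory list are hypothetical and stand in for the application's own model and database.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical model: each subject records the user id of the teacher who owns it.
public record Subject(int Id, string Name, string TeacherUserId);

// The role check stays declarative: only teachers reach these actions at all.
[Authorize(Roles = "Teacher")]
public class SubjectsController : Controller
{
    // Constructed sample data standing in for the subjects table.
    private static readonly List<Subject> Subjects = new()
    {
        new Subject(1, "Algebra", "teacher-a"),
        new Subject(2, "Biology", "teacher-b"),
        new Subject(3, "Geometry", "teacher-a"),
    };

    // With ASP.NET Identity, the NameIdentifier claim carries the user's id.
    private string? CurrentUserId =>
        User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

    // List page: the query itself is scoped to the signed-in teacher.
    public IActionResult Index()
    {
        var userId = CurrentUserId;
        var mine = Subjects.Where(s => s.TeacherUserId == userId).ToList();
        return View(mine);
    }

    // Details page: the id comes from the URL, so ownership is checked again
    // here. Filtering only the list would leave /Subjects/Details/2 readable
    // by any teacher who types the id.
    public IActionResult Details(int id)
    {
        var subject = Subjects.FirstOrDefault(s => s.Id == id);
        if (subject is null)
            return NotFound();

        if (subject.TeacherUserId != CurrentUserId)
            return Forbid(); // 403, or the scheme's access-denied handling

        return View(subject);
    }
}
```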

Multiple distinct YAFNET forums (via different pages) on same site

I have an existing YAFNET forum at http://www.paydirt.co.nz/forums/ concerned with Gold Fossicking and Metal Detecting. At present these two "Categories" are all grouped together on a single page.
Unfortunately from time to time I get a bit of bickering between the gold fanciers and the swingers so I'd like to separate these out across two distinct pages:
http://www.paydirt.co.nz/forums/gold (could end in .aspx if required)
http://www.paydirt.co.nz/forums/metal-detecting (could end in .aspx if required)
I'd like the users to be shared across both pages without users re-registering (as some users contribute to both areas), but the pages themselves I'd like to be filtered by category. Each page would only show "Active Discussions" for the category used.
Is it possible to set up 2 distinct pages, each with a YAFNET user control on it, but using parameters on the user controls which will filter the categories shown on each?
I do see that it's possible to set up multiple "boards", and I could move some categories manually via an update to the database. However, I also notice that the yaf_User table has a BoardID, so this would suggest users are tied to a single board.
As a bonus nice-to-have, I'd ideally like the "Discussion" category (which is a general discussions area for anything) to be shared between these two pages. Though I suspect this might be asking a little too much.
Thanks in advance for any ideas or solutions!
YAF.NET always pulls users from the current Membership Provider. The yaf_User table is a sync from the Membership Provider. For example, when an existing membership user visits a new board, YAF.NET will automatically create a new entry in yaf_User for that user and keep them synced.
Multiple controls with different board settings should do what you need. They do require unique "Pages", though.

Adding Extra Validation To WordPress User Registration

I'm creating a members-only Parent Directory for my son's high school International Baccalaureate website. This directory will contain contact information (names, street addresses, phone numbers, email addresses) of parents from each grade who have students currently enrolled in the IB program. I need to be able to authenticate a parent's access to the directory against a valid student ID (which is a number).
I have a spreadsheet that contains the names of each student, their student ID, and their parent's names. There are some instances where a family has more than one student/student ID.
I'm trying to figure how I should be thinking about this, as a general approach. I have a few ideas but I need to distill them down to a more succinct inquiry.
One thought would be to bulk-create WP subscriber accounts for all students. Their student IDs would somehow be appended to the user record. Parents would be directed to a login page, where they would log in with the username of their child, a password (which could be reset), and a fixed student ID. If validation passes, they are redirected to the directory page.
Another thought would be to create user accounts on the fly that reference a separate table which includes the student ID. So long as that unique student ID is part of the registration and it authenticates, anyone who has that number can register a profile.
In either scenario, once an account is created, the contact profile could either be pre-populated with the user's info or updated at that time.
So my question is: Am I thinking about this in the right way? If so or if not, how can I better define this idea to get a more accurate scope? And then, ultimately, I need some direction on some possible options for getting it done in a DIY way.
Sorry for the long word count. Your feedback is greatly appreciated. Below are some links that seem to be in the neighborhood of what I'm trying to do.
https://wordpress.stackexchange.com/questions/45900/adding-extra-authentication-field-in-login-page
Integrating wordpress authentication with an existing user database

Can I do this with Drupal and Organic Groups?

Basically I have a site in which I want my clients to be owners of a group, and then anonymous users can add nodes through their group and my clients will receive notification if someone adds a node in their group.
Basically the service is a lead generation service so in effect the content type is a landing page and when anonymous users go to put their details in, dependent on which group they do it through, the client will receive the notification.
i.e. My clients group is www.example.com/group1 and they send out a link with their URL to generate some leads.
example.com/group1/node/add/landing-page
Once this node has been created, will it be possible to notify the group1 owner (I assume if I set the correct Rules)?
On top of this, I want the group1 owner to be able to log in and see a Views display of all the nodes that have been created in their group.
I assume Organic Groups is the way to go here, but I may be mistaken - any help would be appreciated.
Unless this has dramatically changed in D7, I don't think you're going to be able to let anonymous users post into Groups. The whole concept and structure of OG relies on users being logged in and identifiable.
In other words, I think you have to be a member of a Group to post in it, and anonymous (user 0) can never belong to a Group.

Filtering Repeater items based on user status/role

I have a tricky requirement where I need to categorise documents attached to a product, available for download, based on the status of the user viewing the product. I.e. my site displays a list of products, clicking on one displays a product details page, and this page includes a list of documents related to the product, such as data sheets, user manuals, etc.
I have been asked to group documents into three classes of availability, viz. those available freely to all users, including anonymous; those available to logged on users; and those available to anonymous users that provide contact information before downloading the document, presumably to boost sales leads.
The anonymous and logged on availabilities are quite easy, but the third seems a bit tricky to me. My first question is, is there a way I can filter documents for only logged on users without hooking into ItemDataBound or something, and my second question is, what is recommended for the case where a user must supply contact information to download a document?
In the second question, it has crossed my mind to actually register the user, but without them having to visit the new user registration page, and then I have role based filtering of documents. Currently the new user registration process automatically adds the Member role to all new users. Users I register 'quietly', just so they can download a document, won't be assigned the Member role, distinguishing them from normally logged on members. What other approaches could I take?
A lot of this implementation will depend on exactly what you want to accomplish and how you go about doing it.
For example, if I don't have access to the document, should I see the link?
If your implementation is that all users should be able to see it, but that the actual act of 'getting it' is dependent upon the individual role or membership, you could solve it fairly easily by implementing a "handler" to download the secured documents; that way you are not presenting a direct file link. That handler could then validate security, and if they were not allowed, it could then take them to the login or register page as needed.
If the users don't see the documents until they meet the requirement, I would then filter BEFORE you bind to your repeater.
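A sketch of the download "handler" suggested in this answer, added here as an example and not taken from the answer. It assumes ASP.NET Web Forms with forms authentication; the document catalogue, the `ContactProvided` session key, `ContactForm.aspx` and the `App_Data/Documents` folder are hypothetical, as is the choice to let logged-on users skip the contact form.

```csharp
// DownloadHandler.ashx.cs: linked from the Repeater as DownloadHandler.ashx?id=3
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public enum Availability { Public, LoggedOn, ContactRequired }

// IRequiresSessionState gives the handler access to context.Session.
public class DownloadHandler : IHttpHandler, IRequiresSessionState
{
    // Constructed sample catalogue; a real site would read this from its database.
    private static readonly Dictionary<int, (string File, Availability Access)> Documents =
        new Dictionary<int, (string File, Availability Access)>
        {
            { 1, ("datasheet.pdf", Availability.Public) },
            { 2, ("user-manual.pdf", Availability.LoggedOn) },
            { 3, ("whitepaper.pdf", Availability.ContactRequired) },
        };

    public bool IsReusable => true;

    public void ProcessRequest(HttpContext context)
    {
        // Documents are looked up by numeric id, so the request never names a file or path.
        if (!int.TryParse(context.Request.QueryString["id"], out var id) ||
            !Documents.TryGetValue(id, out var doc))
        {
            context.Response.StatusCode = 404;
            return;
        }

        bool loggedOn = context.User?.Identity?.IsAuthenticated == true;

        if (doc.Access == Availability.LoggedOn && !loggedOn)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Assumption: the contact form sets this session flag after a valid submission.
        if (doc.Access == Availability.ContactRequired && !loggedOn &&
            context.Session["ContactProvided"] == null)
        {
            context.Response.Redirect("~/ContactForm.aspx?doc=" + id, false);
            return;
        }

        // Files sit under App_Data, which ASP.NET does not serve directly.
        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=" + doc.File);
        context.Response.TransmitFile(context.Server.MapPath("~/App_Data/Documents/" + doc.File));
    }
}
```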
