Determining Roles VB.NET - asp.net

So firstly I have no code to show as I'm trying to get my head around how to do this first.
So I have a website that has 3 account pages (Patient, Doctor, Admin) that have 3 different pages for these. There are 3 tables named Patient, Doctor and Admin with account/login and registration details in them. There is also a field in each of these tables called Role, and for the Patient table I have the word Patient in the field for each record, and the same for Doctor and Admin.
In my login page I need to grab these to determine their login. So if a patient is logged in, then in the master page the patient account link will turn visible, and so on.
How do I grab all 3 of these roles, determine an if, store it in session, and use the session in the master page to show whichever link?
Sorry if this is confusing.

What you need to do is have one main table where all the login details go. In this table, have a column called Role, and when a new account is made, also insert the role of the person into this table.
If you need the other tables for other things, then use an if/else statement to also insert the information into the table that matches its role (so that means info is input into two tables). This makes it a lot easier.
Then, on the page where the user is redirected after they log in, this is where you write the code to check the user's role.
Dim role As String
Using conn As New SqlConnection(connectionString)
    Using cmd As New SqlCommand("SELECT Role FROM tablename WHERE username = @username", conn)
        cmd.Parameters.AddWithValue("@username", textbox.Text)   ' parameter, not string concatenation
        conn.Open()
        role = TryCast(cmd.ExecuteScalar(), String)   ' Nothing if the username is not found
    End Using
End Using
Search the main table using the username of the user to find the role and then use an if statement to make the specific links show.
If role = "Patient" Then
    <code here>
ElseIf role = "Admin" Then
    <code here>
ElseIf role = "Doctor" Then
    <code here>
End If
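The login page, master page and account page from the question, written out as an added example (this is not code from the question or the answer above). It assumes a single Users table with Username and Role columns as the answer recommends, a connection string named "MainDb" in web.config, control names (txtUsername, lblError, btnLogin, lnkPatient, lnkDoctor, lnkAdmin) chosen for illustration, and that the password has already been verified before the role is looked up. The username is sent as a query parameter rather than concatenated into the SQL, and the role lives in server-side session state, so nothing the browser sends can change it.

```vbnet
' Added example for the question above; names and table layout are assumptions.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.UI

Public Class RoleLookup
    ' Returns "Patient", "Doctor" or "Admin", or Nothing if the username is unknown.
    ' The username travels as the @username parameter, so an input such as
    '   x' OR '1'='1
    ' is compared as a literal string instead of being spliced into the query.
    Public Shared Function GetRole(username As String) As String
        Dim cs As String = ConfigurationManager.ConnectionStrings("MainDb").ConnectionString
        Using conn As New SqlConnection(cs)
            Using cmd As New SqlCommand("SELECT Role FROM Users WHERE Username = @username", conn)
                cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username
                conn.Open()
                Return TryCast(cmd.ExecuteScalar(), String)   ' Nothing when no row matches
            End Using
        End Using
    End Function

    ' Maps a role to its account page; anything else (including Nothing) maps to Nothing.
    Public Shared Function AccountPageFor(role As String) As String
        Select Case role
            Case "Patient" : Return "~/PatientAccount.aspx"
            Case "Doctor" : Return "~/DoctorAccount.aspx"
            Case "Admin" : Return "~/AdminAccount.aspx"
            Case Else : Return Nothing
        End Select
    End Function
End Class

' Login.aspx code-behind. txtUsername, lblError and btnLogin are controls on the page.
Partial Class Login
    Inherits Page

    Protected Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
        ' (the password check is assumed to have succeeded at this point)
        Dim role As String = RoleLookup.GetRole(txtUsername.Text)
        Dim target As String = RoleLookup.AccountPageFor(role)
        If target Is Nothing Then
            lblError.Text = "Login failed."
            Return
        End If
        ' Session state is stored on the server; the client only holds the session
        ' cookie, so it cannot rewrite "Patient" to "Admin".
        Session("Username") = txtUsername.Text
        Session("Role") = role
        Response.Redirect(target)
    End Sub
End Class

' Site.master code-behind. lnkPatient, lnkDoctor and lnkAdmin are the three account links.
Partial Class Site
    Inherits MasterPage

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim role As String = TryCast(Session("Role"), String)
        lnkPatient.Visible = (role = "Patient")
        lnkDoctor.Visible = (role = "Doctor")
        lnkAdmin.Visible = (role = "Admin")
    End Sub
End Class

' AdminAccount.aspx code-behind. Hiding a link is cosmetic: anyone can type the
' URL, so every account page repeats the role check before rendering anything.
Partial Class AdminAccount
    Inherits Page

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        If Not String.Equals(TryCast(Session("Role"), String), "Admin", StringComparison.Ordinal) Then
            Response.Redirect("~/Login.aspx")
        End If
    End Sub
End Class
```

The per-page check at the end is the part that is easy to forget; once there are more than a handful of protected pages it is simpler to issue a forms-authentication ticket at login and let the Roles provider plus `<authorization>` rules in web.config enforce access, instead of repeating the session test in every Page_Load.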

Related

ASP.NET How to Apply Roles & Members Read/Write Security to Pages, Sections, Fields, & Records

I've built a number of sites using classic ASP type security and have continued using the same methods in ASP.NET. However, I am now looking for recommendations for a better or best-practice way of doing it. I've read a few resources online but have not seen anything comprehensive enough that's applicable to what I'm trying to do. What I'm trying to do is apply user-specific security that determines that user's access to specific pages, sections on that page, and fields in each section. It also needs to restrict access to various records as well and determine whether it's read or write privileges.
For those interested, here's how I've done it so far:
Because I lacked the know-how, here's how I did it using the old ASP classic way...
First, on the database side I have 4 relevant tables: tblUsers, tblRoles, tblPages, tblRecords (haven't gotten to sections and fields yet). Each user can belong to a "role" and the role then determines what pages they can access as well as what records they can access in various tables (there are a number of other tables in the db as well e.g. tblCustomers, tblSales, etc...). Each table includes these fields:
tblUsers: UserID, UserName, UserPwd
tblRoles: RoleID, RoleName, UserID
tblPages: PageID, PageName, RoleID
tblRecords: RecordID, RecordTable, RoleID
Now on the application side here's what I've done:
First, my login page is based on 1) looking up the user name and password in the tblUsers table and 2) if found, setting a session variable named "UserLoggedIn" = true. Then on every page load event I check if the UserLoggedIn session is set to true, if so, continue... if not clear all session variables (log out) and send the user back to the login page. The old classic ASP way of doing it.
Second, with the login set up, to control page access, when the user is logged in I created another session variable that holds a pipe delimited string of all the pages that user can access (e.g. Session("PageAccess") = "{1|3|10|8}"). Then in each page's load event I've explicitly added a variable/constant that uniquely identifies that page (e.g. pageone.aspx has Dim PageID As String = 1). Then I check to see if the PageID matches an ID stored in the PageAccess session. If it does, continue... If it doesn't I send them to the home page.
Third/Last, for the records access, I did the same thing. When the user is logged in I created a session variable that holds a pipe delimited string of all the records the user could access along with the table it's related to (e.g. Session("RecordAccess") = "{tblCustomers||1|5|7}") and checked it and applied it basically the same way as the page session variable.
My solution (it worked for my projects):
tables: tblUser, tblRole,
tblUserInRole: userid, roleid, username, password (this design lets you assign more than one role to a user)
tblRole, tblRules (your access controls, for example pages)
tblRulesInRole: roleid, ruleid, Editable, Viewable, Printable, Deletable
To implement access control on every request and response, you should create an HttpModule.
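An HttpModule of the kind the answer above describes, as an added example (not code from the answer or from any project on this page). It enforces the Viewable rule from a tblRulesInRole-style design in one place, at the AuthorizeRequest stage, instead of in each page's load event. The rule table is an in-memory stand-in so the module can be read without a database; the page paths, role names and the public "~/Content/" folder are assumptions, and LoadRules is where a real implementation would query tblRules joined to tblRulesInRole. Editable, Printable and Deletable are per-action decisions that belong in the page logic and are not handled here.

```vbnet
' Added example; table contents, paths and role names are illustrative assumptions.
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web

Public Class AccessControlModule
    Implements IHttpModule

    ' Key: application-relative page path. Value: roles allowed to view it.
    ' Stand-in for SELECT ... FROM tblRules JOIN tblRulesInRole ... WHERE Viewable = 1.
    Private Shared ReadOnly ViewRules As Dictionary(Of String, HashSet(Of String)) = LoadRules()

    Private Shared Function LoadRules() As Dictionary(Of String, HashSet(Of String))
        Dim rules As New Dictionary(Of String, HashSet(Of String))(StringComparer.OrdinalIgnoreCase)
        rules("~/admin/users.aspx") = New HashSet(Of String)(StringComparer.OrdinalIgnoreCase) From {"Admin"}
        rules("~/sales/orders.aspx") = New HashSet(Of String)(StringComparer.OrdinalIgnoreCase) From {"Admin", "Sales"}
        Return rules
    End Function

    Public Sub Init(context As HttpApplication) Implements IHttpModule.Init
        ' AuthorizeRequest fires after authentication and before the page handler runs,
        ' so the decision is made once for every request, not once per page.
        AddHandler context.AuthorizeRequest, AddressOf OnAuthorizeRequest
    End Sub

    Private Sub OnAuthorizeRequest(sender As Object, e As EventArgs)
        Dim app As HttpApplication = DirectCast(sender, HttpApplication)
        Dim ctx As HttpContext = app.Context
        Dim path As String = ctx.Request.AppRelativeCurrentExecutionFilePath

        If Not IsAllowed(path, ctx.User) Then
            ' Stop the pipeline here; the page never executes.
            ctx.Response.StatusCode = 403
            ctx.Response.SuppressContent = True
            app.CompleteRequest()
        End If
    End Sub

    ' Deny by default: a page with no rule row is unreachable, so forgetting to
    ' insert into tblRulesInRole fails closed instead of open.
    Public Shared Function IsAllowed(path As String, user As IPrincipal) As Boolean
        ' Pages and folders that must work before login live outside the rule table.
        If path.Equals("~/login.aspx", StringComparison.OrdinalIgnoreCase) Then Return True
        If path.StartsWith("~/Content/", StringComparison.OrdinalIgnoreCase) Then Return True

        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return False

        Dim roles As HashSet(Of String) = Nothing
        If Not ViewRules.TryGetValue(path, roles) Then Return False

        ' user.IsInRole is backed by the Roles provider (tblUserInRole in this design),
        ' so a user with several roles passes if any one of them is permitted.
        For Each role As String In roles
            If user.IsInRole(role) Then Return True
        Next
        Return False
    End Function

    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub
End Class
```

Register the class under `<system.webServer><modules>` (integrated pipeline) or `<system.web><httpModules>` (classic). Because the rules are keyed on the executing file path rather than on a PageID constant declared inside each page, adding a page to the site without adding a rule row leaves it inaccessible, which is the safe failure for an authorization table.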

Insert blank record on page load if record does not exist for current user

I'm working on using the membership functionality of the ASP .Net sites. There are multiple ways to create users and one way is to create users and add a user profile to the system. The other is to use an enhanced wizard then add the user and then their profile information. Well, if you go route 1, then the user does not get a record inserted into the user profile table and then when the user goes to update their profile, then on the page load I would like the page to look for their record. If one does not exist, insert a blank one. Does anyone have a sample script to look up a user's profile based on their unique id in SQL CE? If the record does not exist (record count = 0) then insert a new blank record.

aspnet_user table for storing customer information

When registering in my site (ASP.NET MVC application), the users get inserted into the aspnet_users table. Since it's a shopping site, I would want the users to have a customer ID and all the details provided by them at registration in this Customer table as well. How do I link these 2 tables? Is it recommended to use the aspnet_users UserId (Guid) in the application for other business processes?
Also, I would like to know when a new record should be inserted into the customers table.
I mean, when should a new customer be created? I guess it's not good to create a record as and when users are registered? Here, I want to know what's the norm? I felt it would be better to add it when a user adds an item to the shopping cart. Please guide me.
Thanks in advance.
Add the UserId field into your customer table and then make a foreign key relationship back to the UserId in the aspnet_users table if you want to enforce relational integrity.
I'm not sure what you mean about when to insert the customer record. As long as you insert it after you have created the user (so that you have the user ID), you should be fine. It can happen in the same postback.
I'm not sure how you are saving the user. As in are you using one of the built-in ASP.Net controls or making the call manually?
If you are using the Membership provider as it sounds like you are, you can save the member using:
// username and password come from your registration form
MembershipUser user = Membership.CreateUser(username, password);
Guid userKey = (Guid)user.ProviderUserKey; // ProviderUserKey is typed object; the SQL provider stores a Guid
//Populate your customer object.
//now use whatever EF/ADO/etc... to save your customer record.

"Role Management" vs "User Management" in ASP.NET

Question No 1
I am familiar with role management: a particular member in a particular role can do this and access this functionality. What I need to do is manage the individual user, not the role he is in.
For example, let's say I create a role called "Sales". I set up the role permissions for what the salespeople can do. Now I want to keep a check on the individual user. For example, if this is "John", I want to show him only the records he created. If it is Peter, I want to show him only the records which he created, not those by John or other salespeople.
Is there a thing called "User Management" in ASP.NET that we can use? If not, we have to create it ourselves, and I believe the integration with ASP.NET "Role Management" will not be that smooth.
Question No 2.
I am using a control for user login. I want to create a session at this time so I can keep track of which user is signed in, so I can show him only the records pertaining to him. How can I do that?
Your Q1 isn't really about Role vs User management (i.e. authorization) at this point. It's about audit tracking within your application.
And the way you do that is you capture the ID of the user who created the record in question with the record, so that later you can filter on that ID.
Pseudo database structure
Table Sales
Field...
Field...
Field...
CreatedByUser int not null, -- Populate this on creation and never change it again
ModifiedByUser int not null -- populate this on every row update including insert
See ASP.NET Profile Properties.
Assuming the records in the database correspond to a unique ID for a user, you can store the unique id in a profile property per user.
1) If you want to filter records by the creating user, you need to record in your table the ID of the user who created the record. You can access the name of the current user through User.Identity.Name and their ID (provider-dependent) through User.ProviderUserKey.
2) Sessions are created automatically in ASP.NET and provided you have a properly configured MembershipProvider, you can retrieve all the needed user info using the User object as shown above.
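The audit-column approach from the first answer and the user-key lookup from the answer just above, combined into an added example (not code from either answer). It assumes a Sales table with SaleID, CustomerName, Amount, CreatedByUser and ModifiedByUser columns, the last two being uniqueidentifier values holding the membership ProviderUserKey (the SqlMembershipProvider's key type), and a connection string named "MainDb". The key of the signed-in user is taken from the membership provider, never from a form field or query string, and the same ownership predicate that filters the list also guards the update.

```vbnet
' Added example; table layout, column names and connection string are assumptions.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.Security

Public Class SalesRepository
    Private Shared ReadOnly ConnectionString As String = _
        ConfigurationManager.ConnectionStrings("MainDb").ConnectionString

    ' Membership.GetUser() resolves the user behind the current request's
    ' authentication ticket; the client cannot substitute another user's key.
    Public Shared Function CurrentUserKey() As Guid
        Dim user As MembershipUser = Membership.GetUser()
        If user Is Nothing Then Throw New InvalidOperationException("No authenticated user.")
        Return DirectCast(user.ProviderUserKey, Guid)   ' Guid for SqlMembershipProvider
    End Function

    ' CreatedByUser is written once here and never updated afterwards;
    ' ModifiedByUser is written here and again on every update.
    Public Shared Function Insert(customerName As String, amount As Decimal) As Integer
        Dim userKey As Guid = CurrentUserKey()
        Using conn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand( _
                "INSERT INTO Sales (CustomerName, Amount, CreatedByUser, ModifiedByUser) " & _
                "VALUES (@name, @amount, @user, @user); SELECT CAST(SCOPE_IDENTITY() AS int);", conn)
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value = customerName
                cmd.Parameters.Add("@amount", SqlDbType.Decimal).Value = amount
                cmd.Parameters.Add("@user", SqlDbType.UniqueIdentifier).Value = userKey
                conn.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' John only ever sees rows where CreatedByUser is John's key.
    Public Shared Function ListMine() As DataTable
        Using conn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand( _
                "SELECT SaleID, CustomerName, Amount FROM Sales WHERE CreatedByUser = @user", conn)
                cmd.Parameters.Add("@user", SqlDbType.UniqueIdentifier).Value = CurrentUserKey()
                Dim table As New DataTable()
                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(table)   ' opens and closes the connection itself
                End Using
                Return table
            End Using
        End Using
    End Function

    ' The WHERE clause repeats the ownership test, so a user who guesses another
    ' SaleID from the URL affects zero rows instead of someone else's record.
    Public Shared Function UpdateAmount(saleId As Integer, amount As Decimal) As Boolean
        Using conn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand( _
                "UPDATE Sales SET Amount = @amount, ModifiedByUser = @user " & _
                "WHERE SaleID = @id AND CreatedByUser = @user", conn)
                cmd.Parameters.Add("@amount", SqlDbType.Decimal).Value = amount
                cmd.Parameters.Add("@user", SqlDbType.UniqueIdentifier).Value = CurrentUserKey()
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = saleId
                conn.Open()
                Return cmd.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function
End Class
```

Role membership still decides whether a user may reach the sales pages at all; the CreatedByUser column is what narrows the rows within those pages to one person, which is the "user management" the question is really after. Keeping the ownership predicate inside the UPDATE (rather than checking it in a separate SELECT first) also closes the window between the check and the write.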
It sounds like you are a little unfamiliar with ASP.NET Membership and Roles capabilities, because they are actually set up quite well to accomplish what you are describing. I would recommend checking out this tutorial series:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
You are talking about Authentication and Authorization. For question 1 you can implement a custom authorization provider to allow for user level control http://msdn.microsoft.com/en-us/library/aa479048.aspx For question 2, once you log in and are Authenticated, the session contains a user principal object that has the info in it automatically.

Problem in viewing other users' profiles (asp.net)

I am creating a site like, say, LinkedIn/Spoke. When I log in, I give my login ID and password, so the database checks it and allows me to access my profile.
I need to know that on Stack Overflow, when we click the Users button, all the users on Stack Overflow are shown; but when I click a specific user, how does the database know that this specific user was clicked and show his/her profile data?
Should I create a new page for viewing other users' profiles? And if I do so, what will be the query for that?
If you have 2 separate queries then it makes it easier (I'm not saying this is the best solution). So, you could have a 'select all users' query which could be something as simple as:
SELECT *
FROM MyUsers
This will return all of your users to your website, so you can view them. Then, when you select a user from your website, you call a different query, say 'select a single user', and pass a parameter from your website. The query could look something like:
SELECT *
FROM MyUsers
WHERE UserID = @UserID
This could be done in one stored procedure: test if your @UserID is NULL, then run the required SELECT statement.
