Set permission for each page user wise in ASP.NET - asp.net

I am working with a very large application in ASP.NET and SQL Server 2012 Express.
Mainly there are a few folders for roles like Admin, Manager, Accountant, etc.
In those folders there are hundreds of .aspx pages.
I also have a custom user management system with roles like Admin, Manager, Accountant.
I am looking for a permission mechanism with which I will be able to set permission for each page with each user. And I need permissions like READ, EDIT, DELETE for each page and each user.
When a user logs in and clicks on a page link, if he has permission to see that page, he will get the page, otherwise not.
Is there any framework or code or something like that I can utilize?
Or can somebody give me an idea of how to achieve this?

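I believe you have a web.config in each folder. In your config file you can set the role-based permission like below for each specific folder:
<system.web>
  <authorization>
    <!-- Rules are evaluated top-down and the first match wins. -->
    <allow roles="Admin"/>
    <!-- Deny everyone else; deny users="?" would only block anonymous users. -->
    <deny users="*"/>
  </authorization>
</system.web>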

Related

How to restrict access a folder in my domain using web.config file aspx page

Hello, I'm having a domain
www.xxxx.com/folder/folder/default.aspx
Inside the second folder I have a lot of subfolders.
I want to restrict access for unauthorized users.
Can anyone explain how to do using Web
I want to check the user name [session] from the cookies.
If the session is there, I need to allow access, otherwise deny.
Can anyone please help?
<system.web>
  <authorization>
    <deny users="?"/>
    <allow users="xxxx"/>
  </authorization>
</system.web>
Now it's blocking all users; it's not allowing user xxxx.
Please help
The best way for doing this is setting the authentication mode to Windows. By doing this the server will use the domain accounts or the local user accounts to allow access. You just have to set the appropriate permissions to these users or to their user groups directly in this folder (by using the security tab in Windows folder properties).

Restrict user from directly typing the from url to access other aspx pages

Hi guys, I need your expertise with regard to my problem...
My scenario is that my web app can be accessed by Active Directory users; I don't have any login...
Once an authorized user accesses my web app, I want to restrict them from directly typing the URL of a particular aspx page. Does anyone know how to do it?
Regards.
You cannot restrict a user from typing in a url in a browser - that just does not make sense.
You will need to restrict access to your pages using standard ASP.NET roles or authorization, or some other method.
As blorkfish suggested, you can use forms authorisation to restrict a user from accessing a page or a folder by redirecting him/her to a default/login page. Here is an example:
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin,User"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
This is a web.config file that you can place in a folder containing some web pages. So in this example only users with the role "User" and/or "Admin" will be allowed to open a page within this folder. All the rest will be denied and (if set up in the root web.config) redirected to the default page.
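How allow/deny lists like these are evaluated, as an added Python model that is not part of the original answers: rules are checked top-down, the first match wins, and the machine-level default `<allow users="*"/>` applies when nothing in the folder's web.config matches. The rule strings and the users `bob` and `amy` are constructed, and the model is a simplification that ignores the `verbs` attribute.

```python
import xml.etree.ElementTree as ET

# Inherited parent rule: the machine-level web.config allows every user.
MACHINE_DEFAULT = '<authorization><allow users="*"/></authorization>'

# Constructed rule sets using the allow/deny forms that appear on this page.
ALLOW_ADMIN_DENY_ANON = '<authorization><allow roles="Admin"/><deny users="?"/></authorization>'
ALLOW_ROLES_DENY_ALL = '<authorization><allow roles="Admin,User"/><deny users="*"/></authorization>'
DENY_ANON_ALLOW_NAMED = '<authorization><deny users="?"/><allow users="xxxx"/></authorization>'

def parse_rules(fragment):
    """Return [(action, users, roles)] in document order."""
    def split(el, attr):
        return [v.strip() for v in el.get(attr, "").split(",") if v.strip()]
    return [(el.tag, split(el, "users"), split(el, "roles")) for el in ET.fromstring(fragment)]

def matches(rule, user, roles):
    """user is None for an anonymous request; roles are the roles the user holds."""
    _, rule_users, rule_roles = rule
    if "*" in rule_users:          # "*" covers everyone, anonymous included
        return True
    if user is None:               # "?" covers anonymous requests only
        return "?" in rule_users
    return user in rule_users or any(r in roles for r in rule_roles)

def is_allowed(folder_config, user=None, roles=()):
    """First matching rule wins; folder rules are checked before the inherited one."""
    for rule in parse_rules(folder_config) + parse_rules(MACHINE_DEFAULT):
        if matches(rule, user, roles):
            return rule[0] == "allow"
    return False  # not reached while MACHINE_DEFAULT ends in allow *

if __name__ == "__main__":
    cases = [("anonymous", None, ()), ("bob (Manager)", "bob", ("Manager",)),
             ("amy (Admin)", "amy", ("Admin",))]
    for name, cfg in [("allow Admin, deny ?", ALLOW_ADMIN_DENY_ANON),
                      ("allow Admin,User, deny *", ALLOW_ROLES_DENY_ALL),
                      ("deny ?, allow xxxx", DENY_ANON_ALLOW_NAMED)]:
        for label, user, roles in cases:
            verdict = "allow" if is_allowed(cfg, user, roles) else "deny"
            print(f"{name:26} {label:14} -> {verdict}")
```

With the first rule set, `bob` is authenticated but not an Admin, so neither folder rule matches him and the inherited allow lets him in; ending the list with `<deny users="*"/>` closes that gap.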

ASP web.config authorization to new roles added by users

I've been searching around the internet and I can't find an exact solution. Sorry it's a bit long but I'm hoping someone can help me.
I'm working on a web-based system using ASP.Net (4.0). This system allows an administrator to add new roles. Apart from adding new roles, the administrator can also set permissions to a role to access different pages.
For example, by default the User role can only access the Home page and. Say the administrator decides to set a new permission to this role and allows it to access another page (for example: ManageUsers.aspx)
I am using the Forms Authentication via the web.config. The web-pages are in two separate folders, one for each role (Admin and User). In each folder another web.config defines which roles can access the pages in this folder.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="2"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
The problem is that if the administrator grants access to the User role for a page (for example: ManageUsers.aspx) that is allocated in the Admin folder, the User role is denied access to this page since only an Admin role can access these pages.
The first solution I thought of was changing the web.config on run-time but this will restart the application every time the web.config is changed.
The second solution is listing the pages each role can access from a database table or an XML file. I'm not sure if it will work if I still use the Forms Authentication. Shall I use locations in the web.config files? Or maybe there's another way to solve this? I can't get my head around it.
Thanks in advance for any help!

How to prevent the user from download anything on my website if he is not registered?

I'm making a project on ASP.NET and I want that if the user is not registered with my site or not logged in, then he/she will not be able to download. If I'm using a session ID then I have to pass it on every link and page, so is there a simple way to accomplish it?
If you're using the ASP.NET stock authentication system, you can just add a tag like this to your <system.web> element in web.config:
<authorization>
  <deny users="?" />
</authorization>
StriplingWarrior's answer will work for all unauthenticated users, but if you are attempting to restrict specific users from doing/viewing specific things on the site (and assuming you are using the ASP.NET membership API to manage users) you can just check User.Identity.IsAuthenticated.

Cannot access CSS file from ASP.NET login page

I have just noticed a problem accessing a CSS file using forms authentication from an ASP.NET application.
Until I have logged in, then any styles I have set in my login page are not used, as IIS seems to be preventing the login page from accessing this file.
Is there an easy solution for this?
Place the css file in a publicly accessible folder. This will require a change in your web.config that will look something like this:
<location path="css">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Granted, this shouldn't be how you set up the permissions in the first place. The css folder ought always to be publicly accessible.
My CSS didn't display in the login page as well.
I noticed that Anonymous Access was using the IUSR account not the IIS_IUSRS account so I just added IUSR to the website folder and everything got back to normal.
