I've tried searching this for days and can't seem to find an adequate answer so I'll ask here.
I'm building an asp.net Membership website.
What I want to do is:
Allow a user to create an account - say UserA
I then want to allow UserA to create "sub accounts" tied into his account, but with different roles as well as different login names (I'll be using email address as the login name)
UserA would be the account admin of sorts.
UserA's sub accounts would be less "adminish" than UserA, but any data that they write to my DB (Entity Framework) would still be tied to the main UserA account which will be referenced to my tables via Membership.GetUser() API calls.
So 2 questions:
1) How would I reference the Membership tables in my EntityDataModel using DB First (I already ran the aspnet_regsql.exe)
2) How would I need to go about allowing UserA to create his own sub users?
Here's an image of my custom tables:
[MasterAccountUser]
MasterAccountId = aspnet_Membership.UserId
AccountNumber = autoincrement number
[UserAccount] - subaccount of [MasterUserAccount]
AccountId = aspnet_Membership.UserId (if I have to have each user create their own)
MasterAccountId = aspnet_Membership.UserId (but the same one as the [MasterAccountUser]
If this is too vague, let me know and I can expand.
I was able to get this to work.
Basically, you just do the standard aspnetdb.mdf with all the in-place security features.
Then you simply add a table with the same fields, and then you reference the
MembershipUser.GetUser(Page.User.Identity.Name);
So you own table will have a "masteruser" with this User.ProviderKey. Every "sub-user" then has the SAME masteruser guid on their record so that they all fall under the same account.
If anyone want more details on how i got this to work, i can happily provide them.
Related
I'm working on a project where I have to handle unregistered user - users that have been added to the group but still they do not have registered in the app.
What I'm doing now is to create a new child in my 'user' db, putting all the info that i know about this unregistered user.
Of course, it also has an id.
This id will be used to represent that user and so it will be used in a lot of places of the db.
The problem comes when this user tries to register itself. Since when creating a new user it's not possible to force the 'id' that he already had, Firebase will create a new id for him.
Then, in the db I need to change all the references of the 'old id' with the new one.
Is there any better way to do it ?
1) You can use another "fake" table to remap the IDs, that is, instead of changing the old id and its references you can add new instance to your "fake" table when user registered. And when needed using simple service you can find the corresponding id.
2) Secondly, you can do authentication yourself, what I mean is that, you can develop your own registration service and define the id yourself in registration. If system is already big and hard to change. First option would be suitable but will have some cost in terms of time.
I've built a number sites using classic ASP type security and have continued using the same methods in ASP.NET. However, I now am looking for recommendations for a better or best practice way of doing it. I've read a few resource online but have not seen anything comprehensive enough that's applicable to what I'm trying to do. What I'm trying to do is apply user specific security that determines that user's access to specific pages, sections on that page, and fields in each section. It also needs to restrict access to various records as well and determine whether it's read or write privileges.
For those interested, here's how I've done it so far:
Because I lacked the know-how, here's how I did it using the old ASP classic way...
First, on the database side I have 4 relevant tables: tblUsers, tblRoles, tblPages, tblRecords (haven't gotten to sections and fields yet). Each user can belong to a "role" and the role then determines what pages they can access as well as what records they can access in various tables (there are a number of other tables in the db as well e.g. tblCustomers, tblSales, etc...). Each table includes these fields:
tblUsers: UserID, UserName, UserPwd
tblRoles: RoleID, RoleName, UserID
tblPages: PageID, PageName, RoleID
tblRecords: RecordID, RecordTable, RoleID
Now on the application side here's what I've done:
First, my login page is based on 1) looking up the user name and password in the tblUsers table and 2) if found, setting a session variable named "UserLoggedIn" = true. Then on every page load event I check if the UserLoggedIn session is set to true, if so, continue... if not clear all session variables (log out) and send the user back to the login page. The old classic ASP way of doing it.
Second, with the login set up, to control page access, when the user is logged in I created another session variable that holds a pipe delimited string of all the pages that user can access (e.g. Session("PageAccess") = "{1|3|10|8}"). Then in each page's load event I've explicitly added a variable/constant that uniquely identifies that page (e.g. pageone.aspx has Dim PageID As String = 1). Then I check to see if the PageID matches an ID stored in the PageAccess session. If it does, continue... If it doesn't I send them to the home page.
Third/Last, for the records access, I did the same thing. When the user is logged in I created a session variable that hold a pipe delimited string of all the records the user could access along with the table it's related to (e.g. Session("RecordAccess") = "{tblCustomrs||1|5|7}" and checked it and applied it basically the same way as the page session variable.
My Solution is :(it worked for my projects)
tables : tblUser , tblRole ,
tblUserInRole : userid,roleid,username,password (this design help you can assign more than one role to a user)
tblrole, tbrules(your Access Controls for example pages)
tblRulesInRole : roleid , ruleid,Editable,Viewable,printable,Deletable
For Implement Access Control in every request and response ,you should Create HttpModule......
When regsitering in my site (ASP.Net MVC application), the users get inserted into the aspnet_users table. Since its a shopping site, I would want the users to have a customer id and all their details provided by them at registration in this Customer table as well. How do I link these 2 tables? Is it recommended to use the aspnet_user's UserId(Guid) in the application for other business processes.
Also, I would like to know when should a new record be inserted into the customers table.
I mean, when should a new customer be created. I guess its not good to create a record as ans when users are registered? Here, I want to know whats the norm? I felt it would be better to add it when a user adds an item to the shopping cart. Pls guide me.
Thanks in advance.
Add the UserId field into your customer table and then make a foreign key relationship back to the UserId in the aspnet_users table if you want to enforce relational integrity.
I'm not sure what you mean about when to insert the customer record. As long as you insert it after you have created the user (so that you have the user ID), you should be fine. It can happen in the same postback.
I'm not sure how you are saving the user. As in are you using one of the built-in ASP.Net controls or making the call manually?
If you are using the Membership provider as it sounds like you are, you can save the member using:
var user = Membership.CreateUser;
Guid userKey = user.ProviderUserKey;
//Populate your customer object.
//now use whatever EF/ADO/etc... to save your customer record.
Question No 1
I am familiar with role management, a particular member in a particular role can do this and access this functionally. What I need to do is Manage individual user, not the role he is in.
For example, lets say I create a role, called "Sales". I setup the role permission what the sales persons can do. Now i want to keep a check on individual user. For example if this is "john", i want to show him the records only he created. If his is peter, I want to show him only that records which he created, not by john or other sales people.
Is there a thing called "User Management" in ASP.NET that we can use? If not we have to create it ourselves and I believe the integration with ASP.NET "Role Management" will not be that smooth.
Question No 2.
I am using control for user login. I want to create a session at this time so I can keep track of which user is signed in so I can show him the records only pertaining to him. How can I do that?
Your Q1 isn't really about Role vs User management (ie: authorizations) at this point. It's about audit tracking within your application.
And the way you do that is you capture the ID of the user who created the record in question with the record, so that later you can filter on that ID.
Pseudo database structure
Table Sales
Field...
Field...
Field...
CreatedByUser int not null, -- Populate this on creation and never change it again
ModifiedByUser int not null - populate this on every row update including insert
See ASP.NET Profile Properties.
Assuming the records in the database correspond to a unique ID for a user, you can store the unique id in a profile property per user.
1) If you want to filter records by the creating user, you need to record in your table the ID of the user who created the record. You can access the name of current user through User.Identity.Name and their ID (provider-dependent) through User.ProviderUserKey.
2) Sessions are created automatically in ASP.NET and provided you have a properly configured MembershipProvider, you can retrieve all the needed user info using the User object as shown above.
It sounds like you are a little unfamiliar with ASP.NET Membership and Roles capabilities, because they are actually set up quite well to accomplish what you are describing. I would recommend checking out this tutorial series:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
You are talking about Authentication and Authorization. For question 1 you and implement a custom authorization provider to allow for user level control http://msdn.microsoft.com/en-us/library/aa479048.aspx For question 2, once you log in and are Authenticated, the session contains a userprinciple object that has the info in it automatically.
We have got two distinct lists of users that we need to power logged in access to sections of our site.
These lists can't be combined, as one is synced daily to an externally hosted data source, and both tables have to be 100% the same.
We have set up two Membership providers onto the site, but my question is, is it possible to allow both to be logged in at the same time?
The issue I find is that HttpContext.Current.User.identity.name contains the username of the last successful logon.
Use some sort of delimiter and put both users into the the login Identity. e.g. mp3duck/employee1
When you login in via membership provider 1, you would do something like
// extract the existing prov2ID so you can keep it. GetID() would be a string split function
string prov2ID = GetID(User.Identity.Name, 2);
FormsAuthentication.SetAuthCookie(prov1ID + "/" + prov2ID, false);
And visa versa for a login via membership provider 2.
If you are using the <asp:login> control, you would modify the UserName propery instead of calling SetAuthCookie() since the login control calls SetAuthCookie() itself.
You can put any sort of stuff into the Identity name. I often use it to store both a number int ID for the user primary key, and their username. The only downside is you have to clean it up when displaying it in the html. e.g. Hello <% User.Identity.Name %> would display a lot more than you wanted.
would the suggestion outlined here be of any help?
Can SiteB Restrict Access Only to Users Authenticated on Site A? How?