I'm new to ASP.NET and trying to figure out how to go about displaying different capabilities to individual users based on what is allowed to them by checking the database.
A good example, I think, would be a forum where the admin can turn on and off different capabilities the user can perform, e.g. editing old posts, viewing old posts, printing posts.
In my database I would have users matched with roles and capabilities.
What would be the best way to "generate" pages customized to each user, where they can see the option to "edit a post" if they had that capability, and not see it if they didn't?
You can use .NET Membership:
ASP.NET membership gives you a built-in way to validate and store user credentials. ASP.NET membership therefore helps you manage user authentication in your Web sites. You can use ASP.NET membership with ASP.NET forms authentication by using with the ASP.NET login controls to create a complete system for authenticating users.
http://msdn.microsoft.com/en-GB/library/yh26yfzy(v=vs.100).aspx
You can then show/hide buttons such as "edit a post" by checking if the current user is in the correct role:
http://msdn.microsoft.com/en-us/library/4z6b5d42.aspx
e.g.
ButtonEditPost.Visible = Roles.IsUserInRole("Admin");
I am failing to find good examples of user and activity based authorization for my ASP.NET Web Forms site. Currently, I am using user roles in web.config to allow/deny access to pages within folders. But this method is proving to be a nightmare to maintain, especially when users come up with special case scenarios which completely deviate from existing role permissions.
So I am looking for a way to be able to store and retrieve user access rights from the database and then enforce them on my web site dynamically.
My second problem is how to show/hide certain site master HTML from certain users. I was also thinking of storing this information in the database, so that these rights are dynamically allocated as well.
Currently, I am hard coding the hide/show permissions in my site master code-behind by saying:
if (User.IsInRole("Admin"))
{
    // Show everything
}
else
{
    // Hide certain HTML
}
So this approach works currently, but it is problematic to maintain and not very flexible.
Finally, I was looking at activity based authorization, the pros and cons of which were well described in this article: http://ryankirkman.com/2013/01/31/activity-based-authorization.html.
So how would I implement that in my ASP.NET Web Forms site?
In conclusion, there are three things I am after:
Dynamically control the visibility of HTML elements in my site master page based on user authorization.
Dynamically control user authorization to my ASPX pages.
Dynamically control user activity based authorization.
Any input on this would be highly appreciated. Thank you.
You should switch from role based authentication to claims based authentication. Here's an article describing the basics of claims based authentication:
http://dotnetcodr.com/2013/02/11/introduction-to-claims-based-security-in-net4-5-with-c-part-1/
Claims will give you fine grained control over the rights for each individual user. ClaimsPrincipal can also be used in webforms:
https://visualstudiomagazine.com/articles/2013/09/01/going-beyond-usernames-and-roles.aspx
An attribute can be applied to pages and methods in an ASP.NET Web Forms application (described in the article above):
using System.IdentityModel.Services;   // ClaimsPrincipalPermissionAttribute (.NET 4.5)
using System.Security.Permissions;     // SecurityAction

[ClaimsPrincipalPermission(SecurityAction.Demand,
    Operation = "Update", Resource = "Customer")]
public partial class CustomerUpdate : System.Web.UI.Page
{
    // page members as usual; the demand runs before any of them execute
}
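To show what the attribute above actually calls into, here is an added example (not code from the answer or the linked articles) of an activity-based ClaimsAuthorizationManager whose allow-list stands in for a database permission table, plus a master page that uses the same manager to decide whether an edit link is rendered. The class name, the user and activity names, and the EditCustomerLink control are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical activity-based authorization manager. ClaimsAuthorizationManager
// is the .NET 4.5 extension point that ClaimsPrincipalPermission calls into;
// the permission table and names below are constructed for this example.
public class DbActivityAuthorizationManager : ClaimsAuthorizationManager
{
    // Stand-in for a UserActivities table: one entry per allowed
    // (user name, operation, resource) triple loaded from the database.
    private static readonly HashSet<string> AllowedActivities =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "alice|Update|Customer",
            "alice|View|Customer",
            "bob|View|Customer",
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Anonymous callers can never match a row, so deny them up front.
        if (context.Principal == null || context.Principal.Identity == null
            || !context.Principal.Identity.IsAuthenticated)
            return false;

        // The attribute (or a direct CheckAccess call) supplies one Action
        // claim and one Resource claim describing the activity.
        Claim action = context.Action.FirstOrDefault();
        Claim resource = context.Resource.FirstOrDefault();
        if (action == null || resource == null)
            return false;

        // Default deny: only an explicit row grants the activity.
        string key = context.Principal.Identity.Name + "|" + action.Value + "|" + resource.Value;
        return AllowedActivities.Contains(key);
    }
}

// Master page code-behind (assumed control name): the same manager decides
// whether the edit link is rendered, so the UI and the enforcement agree.
public partial class SiteMaster : System.Web.UI.MasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var manager = new DbActivityAuthorizationManager();
        var context = new AuthorizationContext(ClaimsPrincipal.Current, "Customer", "Update");
        EditCustomerLink.Visible = manager.CheckAccess(context);
    }
}
```

Registering the manager in web.config under system.identityModel/identityConfiguration/claimsAuthorizationManager makes the [ClaimsPrincipalPermission] demand on the page route through the same CheckAccess, so hiding the link is only cosmetic and the page itself still refuses unauthorized updates.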
Check this link: Authorization Based on User.
Or another thing you can do is separation of concerns according to roles.
Keep the views according to the access level and roles, so that you can easily manage the access.
Another thing that I've seen people doing is having a DB table with all roles/users and access links.
I am working on ASP.NET for my website. Actually my site has two types of roles, admin and user. I saw in the ASP.NET development site that the Create User wizard has a selection for roles like admin and user, but a crazy user may select the admin role though he is a normal user, so how could I control the user role selection?
In my opinion you should not rely on the wizard which ships with ASP.NET.
You should have your own control over creating users.
I would start by looking at the Membership API to see how to access it from source code, how to add roles and how to authenticate... this is basically how the wizard magic works...
http://www.asp.net/web-forms/videos/authentication
http://www.4guysfromrolla.com/articles/120705-1.aspx
http://msdn.microsoft.com/en-us/library/ff648345.aspx
HTH
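As an added example (not from the answer) of creating users through the Membership API instead of the wizard: the role is fixed on the server, so whatever the browser submits cannot pick "Admin", and promotion lives on a separate path that re-checks the caller's own role. Control IDs, role names and the page class are assumptions.

```csharp
using System;
using System.Web.Security;

// Hypothetical registration code-behind. It replaces the CreateUserWizard's
// role selection: the new account always gets the least-privileged role.
public partial class Register : System.Web.UI.Page
{
    private const string DefaultRole = "User";   // assumed role names
    private const string AdminRole = "Admin";

    protected void RegisterButton_Click(object sender, EventArgs e)
    {
        MembershipCreateStatus status;
        // Membership.CreateUser applies the provider's password policy and
        // uniqueness checks; the status tells us why a creation failed.
        MembershipUser user = Membership.CreateUser(
            UserNameTextBox.Text.Trim(), PasswordTextBox.Text, EmailTextBox.Text.Trim(),
            null, null, true, out status);

        if (status != MembershipCreateStatus.Success)
        {
            ErrorLabel.Text = "Could not create the account: " + status;
            return;
        }

        // No role comes from the request: every self-registered user is "User".
        if (!Roles.RoleExists(DefaultRole))
            Roles.CreateRole(DefaultRole);
        Roles.AddUserToRole(user.UserName, DefaultRole);
    }

    // Admin-only promotion. The check is on the caller's server-side role,
    // not on anything in the posted form, so a normal user cannot reach it.
    protected void PromoteButton_Click(object sender, EventArgs e)
    {
        if (!User.IsInRole(AdminRole))
        {
            Response.StatusCode = 403;   // forbidden; nothing is changed
            return;
        }
        Roles.AddUserToRole(TargetUserTextBox.Text.Trim(), AdminRole);
    }
}
```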
In my ASP.NET 3.5 application, on the ASPX pages I have to implement a role based data update policy.
If a user has the least privilege, he can still update some fields but not all, whereas a user with maximum privilege can update all fields on the page.
I was trying to implement this using a generic approach, but I'm not sure if .NET has something built in to implement this.
What is the right approach here?
Yes, you will want to utilize ASP.NET Membership. Once you have that in place, you can check roles on a user, like so:
if (Roles.IsUserInRole("User1", "Role1"))
{
    // allow whatever you need to
}
If you are using the ASP.NET membership provider, you can limit the content on the page based on the roles the user is in.
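Both the button-visibility answer earlier (ButtonEditPost.Visible = Roles.IsUserInRole(...)) and this field-level answer hinge on the same point, so here is one added example (not from either answer) that drives the UI and the save from a single field-to-roles table. Disabling a control only affects what the browser renders, so the save handler re-applies the same check before persisting each field. Control IDs, role names and the SavePost method are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Hypothetical page code-behind: each editable field lists the roles that
// may change it. One table drives both the presentation and the enforcement.
public partial class EditPost : System.Web.UI.Page
{
    private static readonly Dictionary<string, string[]> FieldRoles =
        new Dictionary<string, string[]>
        {
            { "TitleTextBox",      new[] { "Admin", "Editor" } },
            { "BodyTextBox",       new[] { "Admin", "Editor" } },
            { "PublishedCheckBox", new[] { "Admin" } },
        };

    // True when the current user holds any role permitted for the field.
    private bool CanEdit(string controlId)
    {
        foreach (string role in FieldRoles[controlId])
            if (Roles.IsUserInRole(role))
                return true;
        return false;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Presentation only: grey out what this user may not change.
        TitleTextBox.Enabled = CanEdit("TitleTextBox");
        BodyTextBox.Enabled = CanEdit("BodyTextBox");
        PublishedCheckBox.Enabled = CanEdit("PublishedCheckBox");
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Enforcement: Enabled=false is just a hint to the browser, so the
        // same check gates each field again before anything is written.
        var updates = new Dictionary<string, object>();
        if (CanEdit("TitleTextBox"))      updates["Title"] = TitleTextBox.Text;
        if (CanEdit("BodyTextBox"))       updates["Body"] = BodyTextBox.Text;
        if (CanEdit("PublishedCheckBox")) updates["Published"] = PublishedCheckBox.Checked;

        // Assumed data-access method that updates only the listed columns.
        SavePost(updates);
    }

    private void SavePost(IDictionary<string, object> columns)
    {
        // assumed DAL call, e.g. a parameterized UPDATE built from 'columns'
    }
}
```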
In the ASP.NET MVC default application you get the account controller, which enables user registration, log in, log out and changing the password.
I was wondering whether it is possible to implement a little more, like enabling an administrator to delete some user or give some user different roles, as in the ASP.NET configuration where you create users and roles and assign roles to users?
I already figured out how to extend the profile for users, so now they have much more info and a profile picture.
If you have any experience or examples of user management in ASP.NET MVC.
Although a bit outdated, this project maybe can give you a few hints on how to implement membership administration in ASP.NET MVC:
Asp.Net MVC Membership Starter Kit
What is the Asp.Net MVC Membership Starter Kit?
The starter kit currently consists of two things:
A sample website containing the controllers, models, and views needed to administer users & roles.
A library that provides testable interfaces for administering users & roles and concrete implementations of those interfaces that wrap the built-in Asp.Net Membership & Roles providers.
Out of the box, the starter kit gives you the following features:
List of Users
List of Roles
User Account Info
Change Email Address
Change a User's Roles
Update:
For restricting certain operations to specific user roles, you can create these roles using the project I mentioned earlier, and then decorate your own application's controllers and/or actions with an Authorize attribute, referencing the desired roles:
[Authorize(Roles = "Administrator, HR")]
public ActionResult DeleteUser(int UserId)
{
// do something
}
This would prevent users that are not Administrator or HR from deleting users.
Here is my try for a reusable user & role management:
https://github.com/Epstone/Simple-MVC-User-Management
If I were you I'd create an Admin "module" which handles all of these things. I don't know of any ASP.NET documentation on this, but if you look around in PHP documentation (Zend Framework, CakePHP or others) you get the basic ideas of the structures you should use to achieve this. Just remember to keep things separated: admin stuff goes into an admin module, not a user module (but maybe a user controller inside an admin module).
I answered a similar question here:
User Management in ASP.Net MVC 3
This provides you with an MVC 3 Razor based User Management Tool. This does not include Roles, but if you get this far, it should not be real difficult to add them.
In ASP.NET Web Forms apps, is there not any kind of maintenance UI page to edit and maintain the Profile properties of a User (I'm using VS2008 and the Web Application template), like in the WSAT Web Site Administration Tool where you already can edit the basic Membership and Role properties for a User? I'm using the basic SQL Express data tables and the basic Membership and Role providers, and now I want to begin using the Profile provider to store and access additional properties for each User I create an account for. For instance, when I create a new User and assign them to a Role(s) on my web app, I use the WSAT tool, and now I also need to set certain Profile properties for them too. Is the only way to set these properties programmatically? Surely there is an Administrative type of UI page for this so you can quickly view and edit Profile properties for a User.
Roles and Membership conform to a standard schema that you can easily create a static form for editing. Profile details are dynamic based on your configuration settings - and building dynamic forms can be a bit tricky.
On top of that, the default Profile provider stores all the profile information in one concatenated field, so you'd end up with a list of comma-separated values if they went for a really basic form.