Thanks for any thoughts. This question refers to an ASP.NET 4.0 web application.
A DetailsView then uses an ObjectDataSource (although any solution should apply to any of the ASP.NET DataSource controls) for CRUD operations.
A user has permission to view details for all records, but can only create or modify a single record related to their own department.
obviously I can easily modify the listview to show/remove the appropriate buttons
if (!_canModifySelectedWard)
{
dptDetailView.AutoGenerateEditButton = false;
dptDetailView.AutoGenerateInsertButton = false;
dptDetailView.AutoGenerateDeleteButton = false;
}
but this is only removing the buttons. Is there a neat way to disable the ability to edit/insert/delete functionality? I think a malicious request is highly unlikely once the user has access to this page, but it seems better practice to remove functionality, not just UI elements.
I can set the associated objectdatasource's InsertMethod etc. to null, but this almost seems like a hack.
Your object data source is tied to an class which is responsible for providing the data requested by the object data source. This is where additional checks should be performed to ensure unauthorized access to data doesn't happen.
Hiding the buttons is a good idea from a user experience perspective, but you should always make sure your business rules are being enforced.
Sorry I cannot provide any more detailed help. Perhaps if you could describe what you have going on in more detail, or post some code that would help.
Cheers.
Related
I have several pages in asp.net each with lots of controls. I Also have some roles in my application that each has some setting options. Now I want to prepare my page based on these settings. Maybe it’s not too clear, so please take a look at my example.
Example: There are some buttons, some textboxes, some datetime picker, and a chart in a page, now what I want is when a user sees this page, the controls appear and disappear based on the users role. An important thing is that I don’t want to have only visible and invisible controls, in some scenarios I need to show controls with some customizations. For example change chart data source, limit selecting date time and so on.
The first solution that I can think of, is saving the settings in database and after visiting the page by user, the settings fetch from database and based on those, I can customize the controls with conditional phrases (if and else). But I suppose it is not a good approach and my page will get very messy.
Please help me with any better solutions and if you know good references about it, please let me know.
Please see this link...use of ControlAdapters may help you...
Role-based enabling/disabling of controls in asp.net
You must use Thread.CurrentPrincipal.
A. When user login to your application, you attach his identity to thread, for example
string[] rolesArray = .....; //Get roles from dataBase by identity.
Thread.CurrentPrincipal = new YourCustomPrincipal(new YourCustomIdentity("YouName", "..."), rolesArray);
B. And when you navige about your application you test Thread.CurrentPrincipal
IPrincipal threadPrincipal = Thread.CurrentPrincipal;
if(threadPrincipal.Roles.Contains("roleTest"))
{
//Adjust your control
}
I'm trying to get some User Controls I'm writing to perform their own server-side validation, checking the database to ensure that certain criteria are valid. In one case the control doesn't even accept any input, it just displayed some information based on database state.
I know the ASP.Net has its own validation framework, and I'm keen not to re-invent the wheel. However, I'd like the controls to check whether they're valid themselves (that seems more object oriented to me), rather than having to create custom validators on every page on which I place the controls. I've had a quick look at the IValidator interface, but this seems to be targeted at Validators, rather than the controls themselves. It seems cleaner to me to have the control itself check the entered data (where appropriate) and database state and report whether or not it is valid.
Is this possible in ASP.Net without re-writing the whole of the ASP.Net validation framework, or am I just trying to go about this in completely the wrong way?
It turns out I was close with the IValidator stuff, just missing the link to the Page.Validators collection. Here's a fully worked example:
http://www.codeproject.com/KB/custom-controls/selfvalidatingtextbox.aspx
Hard to believe how much time I spent looking for this yesterday!
I have the need to populate a combobox in InfoPath with all the users from our Active Directory system. I'd also like this combo box to have auto-complete Can someone please point me in the right direction to accomplish this? Everything I find on the web seems to only load the currently logged-in user.
Thanks in advance!
If you have sharepoint server on your domain you can take advantage of contact selector control described here.
Otherwise you will be to forced to create some code in C#. Basiclly you have two options
Create custom control in C# and use it in infopath. Tutorial
Create standard infopath combobox and bind it to dynamically created collection in custom C# code.
This will be needed for both options: Extensive tutroial how to use class from DirectoryServices namespace.
Based on the comment I think you should take a look at this post about adding multiple contact selector controls into one infopath form and also this thread.
You'll have a bit of learning to do here I am afraid. You'll need to write an LDAP query to get this information. LDAP is a bit of a chore to learn. Using .NET, you can get some help from System.DirectoryServices namespace for help. e.g.:
var searcher = new DirectorySearcher("(objectCategory=user)");
var results = searcher.FindAll();
for (int i=0; i<results.Count; i++)
{
Console.WriteLine(results[i].GetDirectoryEntry().Name);
}
You'll probably need to refine the filter to limit searches to a particular OU to avoid returning service accounts and the like. You'll also want to look at pulling back properties for the user's Fullname etc.
Another route that might be MUCH easier is if your domain has Exchange, you could use the Exchange web service to query the global address list?
I'm auto-generating a form in my ASP.NET page. This is already tested and working. I want to know if:
If there are any security problems with storing the database ID as part of my controls ID? I can see think of 2 issues: the id will be visible in page source (not really important in this case), and the possibility someone could change the name of the control somehow? This second possibility is more serious. Is this a potential problem and how to void it?
If there would be a better preferred way to associate a unique data with any type of control? Is it possible to store a custom item in the viewstate for the control?
You can create your own custom controls, inheriting from TextBox, for example. Create properties that store data in the ViewState. That is the fastest and simplest way for me to achieve the result you're needing.
just save them in the viewstate
viewstate["DB_ID"] = datarow("ID")
You can use hiddenfield. Or best way is store your ID in Session. Sessions are really secure.
don't store anything database related in your page. you are giving people knowledge of your system that should be hidden from view.
if you must store a database id, store it in the session or put it into your web.config file.
There's nothing wrong with using a database ID in a page. Just look at the URL of this page or nearly any other MVC-style site. It is not a security risk in itself unless your system is vulnerable to SQL injection attacks - and if it is, then you have bigger problems to worry about.
I am creating a completely custom (only inherits from WebControl) combobox/dropdownlist search control with autoComplete capabilities.
JQuery handles assigning the onhover and onclick events for list items (divs with strings in them) and handles the web service call for getting the list of items for the matching text.
The server handles the custom attributes and control rendering.
The issue is that I need to implement a property that is similar to SelectedValue so that when a user selects an item from the search results, the value can be used on the server for other processing. I have done days of research but have not found a clear, concise way of handling the post back data.
I did read a blog that mentioned implementing the IPostBackDataHandler interface, but the implementation of RaisePostDataChangeEvent() calls for calling a server method (like SelectedIndexChange) that I am not implementing at the moment.
public void RaisePostDataChangedEvent()
{
this.SelectedIndexChanged(EventArgs.Empty);
}
Now for the question: Does anyone have advice for handling this? Or am I better off simply inheriting from the dropdownlist control and overriding the existing functionality?
I feel like I'm missing a very small piece that will fit this all together.
Have you considered pulling down the source code from Microsoft's source server and taking a look at how they implemented DropDownList? This would allow you so see how they solved the binding and events part of the problem and give you a good idea what it does otherwise. This way you can decide if you want to inherit from it, or if you can just borrow some ideas for how they implemented IPostBackDataHandler.
Since I have no idea what specifically you are doing, I couldn't advise you if you should inherit from dropdown as it is, but based on my impressions of what you are doing I'd say you probably don't.
Also you might look at source from the AjaxControlToolkit as it has a similar component. Again, you can get ideas for how these specific things are handled and adapt them to your own needs.