Site Navigation and links hide/unhide based on permissions - asp.net

I am developing an application using ASP.NET (C#), and this time the design concept is a two-frame master page: the left frame will have navigation and the right frame will have content pages.
The navigation will have a menu like the following.
System Parameters
........ Customer Setup
........ Currency Setup
........ User Management Setup
........ Group Definition
Transactions
..... Transaction 1
..... Transaction 2
..... Transaction 3
In Group Management I want to assign access permissions on forms and place users into the groups. Now my question is how to hide/unhide navigation links based on the group permission of logged in user.
I want to come up with the application design like the following
http://weblogs.asp.net/scottgu/archive/2006/01/17/435765.aspx
Please guide me on how to handle a dynamic menu, build this type of application, and restrict users from accessing pages on which they have no permission. Most of the solutions on the internet are based on web.config, where roles are defined, but I want to keep my roles in the database along with the group permissions, so I need a solution based on the database.

First, once a user logs in, you can store his/her authorisation level in a session variable, e.g.
    Session("CurrentUserLevel") = "admin"
Then, to hide navigation items, you can write code to do:
    If Session("CurrentUserLevel") <> "admin" Then
        customerSetup.Visible = False ' where customerSetup is your ASP.NET element
    End If
To prevent pages from being accessed, place code at the top of each page:
    If Session("CurrentUserLevel") <> "admin" Then Response.Redirect("hope.aspx")
Note: this is a very simple and static/hard-coded solution. Usually, you should use more advanced techniques to accomplish such tasks.

You are going to refer to the control via the master page, then change its visibility for the current user, like this:
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["id"] != null)
        {
            liberarianDrop.SelectedValue = Session["id"].ToString();
            // Look up the control on the master page and hide it for a logged-in user.
            ((LinkButton)this.Master.FindControl("LoginBtn")).Visible = false;
        }
    }
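As an added example (not code from any of the posts above): one way to keep group permissions in the database and use a single deny-by-default check both for hiding menu links and for refusing direct requests to a page. The in-memory table, the group names and the page names are constructed stand-ins for the database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class GroupPermissions
{
    // Constructed sample standing in for the group-permission table:
    // group name -> pages that group may open (all names are hypothetical).
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admins", Pages("~/CustomerSetup.aspx", "~/CurrencySetup.aspx", "~/Transaction1.aspx") },
            { "Clerks", Pages("~/Transaction1.aspx", "~/Transaction2.aspx") },
        };

    // Paths compare case-insensitively, the way IIS serves them.
    static HashSet<string> Pages(params string[] paths)
    {
        return new HashSet<string>(paths, StringComparer.OrdinalIgnoreCase);
    }

    // Deny by default: access needs at least one group that lists the page.
    public static bool CanAccess(IEnumerable<string> userGroups, string appRelativePath)
    {
        if (userGroups == null || string.IsNullOrEmpty(appRelativePath)) return false;
        return userGroups.Any(g =>
        {
            HashSet<string> pages;
            return g != null && Allowed.TryGetValue(g, out pages) && pages.Contains(appRelativePath);
        });
    }

    // The menu is filtered with the same check that guards the page itself,
    // so a hidden link and a refused request can never disagree.
    public static List<string> VisibleMenu(IEnumerable<string> userGroups, IEnumerable<string> menu)
    {
        return menu.Where(p => CanAccess(userGroups, p)).ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        string[] menu = { "~/CustomerSetup.aspx", "~/Transaction1.aspx", "~/Transaction2.aspx" };
        string[] clerk = { "Clerks" };
        Console.WriteLine(string.Join(", ", GroupPermissions.VisibleMenu(clerk, menu)));
        // Typing the URL of a hidden page is still refused.
        Console.WriteLine(GroupPermissions.CanAccess(clerk, "~/customersetup.aspx"));
    }
}
```

In a Web Forms application, CanAccess would be called from code that every protected request passes through, with Request.AppRelativeCurrentExecutionFilePath as the path.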

Related

gvNix: How to restrict access based on roles

I'm developing an application using gvNix. I used typicalsecurity addon to secure my application. What I need now is to allow the user to update only their profile. i.e. the user can see a profile tab on the nav bar menu, and when clicking on it, a form should be displayed containing only their data.
I tried adding the following to my code, but it restricts the access even to the admin.
    @RooWebScaffold(path = "users", formBackingObject = User.class, delete = false, create = false)
The xml here removes the menu tab or part of its sub items, so it doesn't show an option to edit the profile
...
xmlns:sec="http://www.springframework.org/security/tags"
...
<sec:authorize ifAllGranted="ROLE_ADMIN">...</sec:authorize>
Usually all the users should update their profiles, so the link should be visible for all users.
Then modify the controller method that handles that request to get the user principal for the requester; this is the way to load the profile of the logged-in user.
To get the principal of the user, read the Spring Security docs.

The best solution to customize page controls based on some roles and settings

I have several pages in ASP.NET, each with lots of controls. I also have some roles in my application, each of which has some setting options. Now I want to prepare my page based on these settings. Maybe it’s not too clear, so please take a look at my example.
Example: There are some buttons, some textboxes, some datetime picker, and a chart in a page, now what I want is when a user sees this page, the controls appear and disappear based on the users role. An important thing is that I don’t want to have only visible and invisible controls, in some scenarios I need to show controls with some customizations. For example change chart data source, limit selecting date time and so on.
The first solution that I can think of is saving the settings in the database; when a user visits the page, the settings are fetched from the database and, based on those, I can customize the controls with conditional phrases (if and else). But I suppose it is not a good approach and my page will get very messy.
Please help me with any better solutions and if you know good references about it, please let me know.
Please see this link...use of ControlAdapters may help you...
Role-based enabling/disabling of controls in asp.net
You must use Thread.CurrentPrincipal.
A. When the user logs in to your application, you attach his identity to the thread, for example:
    string[] rolesArray = .....; // Get roles from the database by identity.
    Thread.CurrentPrincipal = new YourCustomPrincipal(new YourCustomIdentity("YouName", "..."), rolesArray);
B. And when you navigate about your application, you test Thread.CurrentPrincipal:
    IPrincipal threadPrincipal = Thread.CurrentPrincipal;
    // IPrincipal exposes IsInRole; it has no Roles collection.
    if (threadPrincipal.IsInRole("roleTest"))
    {
        // Adjust your control
    }

How to restrict the user that is already connected

I am working in ASP.NET and I want to restrict the user at login if the same user is already logged in or already connected. I am creating a table in SQL Server, USERS_CONNECTED, and placed a single field USER_ID in it. Whenever a user logs in, its id is searched in the USERS_CONNECTED table. If the id is not found, then the user is allowed to connect and the user id is added to the said table. But the problem is that when the X button (present at the top-right corner of the browser) is clicked to exit, the user id should be deleted from the USERS_CONNECTED table. WHERE SHOULD I WRITE THIS CODE ?? I MEAN ON WHAT EVENT ..
can anyone help...
Dev..
You can handle the end of a session. Add something like this to the global.asax.cs file:
    protected void Session_End(object sender, EventArgs e)
    {
        // Remove user from the USERS_CONNECTED table
    }
Just one thing to remember: it will not be fired immediately when the user closes his browser. This event will be fired when the session expires.
To me it sounds like you are trying to implement a form of authentication. What you can do is use Forms authentication that uses a cookie that will keep track of the user's activity. Have a look at this tutorial to see how it is implemented: Forms Auth Tutorial

Displaying same content to different users who may be seeing different master pages (ASP.net)

I have some pages that have content that is relevant to both logged in users and non logged in users. For example, pages with contact information, privacy policies, etc. All the pages have your typical navigation menu but the thing is logged in users normally see a different navigation menu bar than non logged in users.
What is the best way to do this in ASP.net?
So far, possible solutions include the following:
1. Displaying the content using a pop-up window. The page will contain no menu and is just some basic page that doesn't need to check what type of user is seeing it.
2. Programmatically changing the master page depending on whether the user is authenticated or not. However, there are some variables on one of the master pages that need to be accessed but aren't touched at all by non logged in users.
3. Putting the content in a user control and sticking this user control on two separate pages to be displayed to the appropriate user.
I'm not really a fan of #1 because users visiting the site for the first time may have some type of popup blocker or have javascript disabled.
I know #2 is possible by having the page use some type of base class that has inherited from MasterPage. However, I've read that this might not be the best design since now one of the pages has access to variables that aren't really necessary.
The third method sounds reasonable but then there'd be two separate ASPX files.
Is there a proper way of doing this? Or another method I haven't thought of yet?
edit
To clarify, logged in users need to set certain variables in their master pages where non logged in users do not. The reason for this is that there is a user control that displays a special navigation menu that will highlight certain items depending on these variables.
For example, the user control requires a string to determine which item to highlight. A page with profile information will provide "profile" as a parameter that will highlight the "Profile" item on the menu.
The menu in the user control is generated dynamically based on data from the database. The menu items are grouped by category and are displayed with an appropriate heading that is also pulled from the DB.
Programmatically changing the master page is easy; just supply the correct URL on pre-init:
    protected override void OnPreInit(EventArgs e)
    {
        // Choose the master page before the page is initialized.
        if (this.User != null) {
            if (this.User.Identity.IsAuthenticated)
                this.MasterPageFile = "~/loggedin.master";
            else
                this.MasterPageFile = "~/notloggedin.master";
        }
        base.OnPreInit(e);
    }
No base class needed for this.
User control approach would work too, but changing master page file is really easy to do.
EDIT: If you have properties to set or get from the master, you could have the code-behind file implement the interface, and check if the this.Master reference is of that interface type.
HTH.

How do I best handle role based permissions using Forms Authentication on my ASP.NET web application?

I'm using the ASP.NET Login Controls and Forms Authentication for membership/credentials for an ASP.NET web application.
I've got two roles:
Users
Administrators
I want pages to be viewable by four different groups:
Everyone (Default, Help)
Anonymous (CreateUser, Login, PasswordRecovery)
Users (ChangePassword, DataEntry)
Administrators (Report)
Expanding on the example in the ASP.NET HOW DO I Video Series: Membership and Roles, I've put those page files into such folders:
And I used the ASP.NET Web Site Administration Tool to set up access rules for each folder.
It works but seems kludgy to me and it creates issues when Login.aspx is not at the root and with the ReturnUrl parameter of Login.aspx.
Is there a better way to do this? Is there perhaps a simple way I can set permissions at the page level rather than at the folder level?
A couple solutions off the top of my head.
You could set up restrictions for each page in your web.config file. This would allow you to have whatever folder hierarchy you wish to use. However, it will require that you keep the web.config file up to date whenever you add additional pages. The nice part of having the folder structure determine accessibility is that you don't have to think about it when you add in new pages.
Have your pages inherit from custom classes (i.e. EveryonePage, UserPage, AdminPage, etc.) and put a role check in the Page_Load routine.
One solution I've used in the past is this:
Create a base page called 'SecurePage' or something to that effect.
Add a property 'AllowedUserRoles' to the base page that is a generic list of user roles: List or List<int>, where int is the role id.
In the Page_Load event of any page extending SecurePage you add each allowed user role to the AllowedUserRoles property.
In the base page override OnLoad() and check if the current user has one of the roles listed in AllowedUserRoles.
This allows each page to be customized without you having to put tons of stuff in your web.config to control each page.
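A variant of the SecurePage steps above, added here as an example and not the answerer's code: each page declares its roles through an overridden property and the base class checks them in OnInit, so the check finishes before any Page_Load handler runs. It assumes User.IsInRole reflects the roles loaded for the current user; Report is a hypothetical page name taken from the question's list.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;
using System.Web.UI;

// Base class for protected pages.
public abstract class SecurePage : Page
{
    // Each page states its roles here instead of in Page_Load,
    // so the list is already known when the check runs.
    protected abstract IEnumerable<string> AllowedUserRoles { get; }

    protected override void OnInit(EventArgs e)
    {
        // OnInit runs before the Load stage of the page and its master page.
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            Response.End();   // RedirectToLoginPage does not end the request itself
            return;
        }
        if (!AllowedUserRoles.Any(role => User.IsInRole(role)))
        {
            Response.StatusCode = 403;   // authenticated, but not permitted
            Response.End();
            return;
        }
        base.OnInit(e);
    }
}

// Hypothetical page: only Administrators may open the report.
public partial class Report : SecurePage
{
    protected override IEnumerable<string> AllowedUserRoles
    {
        get { return new[] { "Administrators" }; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only after SecurePage.OnInit has let the request through.
    }
}
```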
In the master page I define a public property that toggles security checking, defaulted to true. I also declare a string that is a ; delimited list of roles needed for that page.
In the page load of my master page I do the following:
    if (_secure)
    {
        if (Request.IsAuthenticated)
        {
            if (_role.Length > 0)
            {
                if (PortalSecurity.IsInRoles(_role))
                {
                    return;
                }
                else
                {
                    accessDenied = true;
                }
            }
            else
            {
                return;
            }
        }
    }
    // do whatever you wanna do to people who don't have access.. bump to a login page or whatever
also you'll have to put
at the top of your pages so you can access the extended properties of your master page
