Extending ASP.NET Role provider in MVC - asp.net

I want to know if this can be done and if there is somewhere that you can point me in the right direction.
Basically, at the moment, I am using the built-in Role Provider for ASP.NET; on my controller actions, I use a custom attribute filter as described here.
But what I would like to do is extend it even further to do something like this:
Admin - View, Edit, Delete
Manager - View, Edit
So basically, granular permissions. I have searched around on the net, but can't seem to find any way of doing this without writing my own authentication/authorisation providers :(
Any help would be greatly appreciated!!
Cheers,
Nick

There are several ways to tackle this. The easiest (but not necessarily best) way is to have partial views with the navigation elements, view/edit/delete and if statements surrounding each link checking the current User's role.
Alternatively, at the other end of the spectrum is something called AzMan (Microsoft's Authorisation Manager) which allows you to create very granular role and task-based authorizations.
AzMan has been around for ages but as far as I know it is now incorporated into MS's enterprise library.

Related

Implement adding content only by some people. Rails

I am working on a dictionary-like web page and I want to implement adding/changing phrases only by a few people (my client, which is a small organisation, wants to be able to do this by himself). The page does not have any login/registration mechanism etc. (for regular users at least), so I do not want it to have any login button. I wondered about making an admin model (a few admins made in seeds, for example) and adding a login button that is invisible; I thought of using CSS opacity for this one. Is this a good solution? Is there any other good practice in these situations? Please don't be afraid to post suggestions. Additionally, this is a serious page (my first job as a freelancer), so I wonder if my solution is... acceptable? Thanks in advance for any answers!
This is quite a standard thing on the web. Most websites consist of two parts: a customer-facing part (sometimes called the frontend) and an admin panel (called the backend). In your case you don't need any login to access the frontend part, but you need one for the backend part.
Creating a hidden button is not needed at all. There simply should be no button at all. If you want to log in as an admin, you simply navigate to http://my-website-url.com/admin.
I wouldn't bother with roles etc. unless your client specified clearly that he needs them.
Even though this is simple I would still suggest adding a role to a user model. After all he may want to have some user functionality later on. The simplest way to do this would be to use devise and add a role enum column.
Check out the article below and look under the "Enum" section.
http://railsapps.github.io/rails-authorization.html

ASP.NET MVC Entity admin CRUD

I'm looking for something similar to rails admin for asp.net.
Essentially I need to write an admin layer that allows most table data to be changed / searched etc.
I could generate basic scaffolding however I'm wondering if there is a free or commercial admin package that would give a nice UI admin interface to the data.
Ideally I need to be able to control and add logic to it also.
I created Ilaro.Admin and it is exactly what you are looking for, but please keep in mind there is a lot of stuff to do.

Building menus dynamically in ASP.Net

I have created a site which has some roles, and each user can have some roles. Every role has permission to some pages.
I want to build menus dynamically depending on user roles so every user can see his available pages in his menu.
I want to know what the best way to do this is. Using an XML file to describe the menu hierarchy and specify each role's available menus, or is there a better way to do this?
Rather than reinventing the wheel, I'd strongly suggest using Telerik's Extensions for ASP.NET MVC.
It includes a powerful Menu extension and has good programmability. I've used the .Visible() method along with IPrincipal.IsInRole() to determine which menus are available and when.
What's better is that it's free and open source! There's a paid-for version with support, but community and forum support seems to be quite good enough.
We have a MySQL database that has the roles and objects, and a decision is made at run time based on the logged-on user as to who gets to see what. There is also a decision made on individual pieces or controls on the page. There can also be tests on the pages themselves to make sure it's not just a menu that's hiding a page.
I used the MVC sitemap project in combination with a "Security Trimming" link helper ( "Security aware" action link? ) for this sort of thing before. Pretty easy.

ASP.NET: Total control of the ASP.NET membership provider

I have an application which uses the built in ASP.NET membership provider. There are two roles (admin and staff). I want admins to be able to see a list of current staff, add or delete staff and reset passwords. So far I've found very little information, but Membership.Provider.GetAllUsers looks promising. Is there any way I could show the list in a GridView?
At minimum, I need to be able to add and delete users through the site.
For an extensive guide on using the Membership and Roleprovider in ASP.NET, see this tutorial: https://web.archive.org/web/20210513220018/http://aspnet.4guysfromrolla.com/articles/120705-1.aspx
Creating users programmatically is explained here: http://msdn.microsoft.com/en-us/library/d8t4h2es.aspx.
But really, MSDN is very complete on this subject. Just read the Introduction into Membership and follow the links. Everything you want is perfectly possible.
I found an excellent tutorial at https://web.archive.org/web/20211020111539/https://aspnet.4guysfromrolla.com/articles/052307-1.aspx which made the whole thing slightly less murky. A nightmare to implement but it's almost working. Thanks for the replies.
If you're using SQL Server, you can use the default SqlMembershipProvider class in System.Web.Security to perform the user management tasks you require. GetAllUsers() returns a string array, so you can databind your GridView to the result from this method to display a list of user names in your grid.

What's the best way to implement different views for a website based on role?

In ASP.NET what's the best way to do the following:
1. Show certain controls based on your rights?
2. For a gridview control, how do you show certain columns based on your role?
I'm thinking for number 2, have the data come from a role specific view on the database.
Instead of actually using roles to hide/show certain controls, I would suggest having another layer of permissions for each role and show/hide based on those instead.
That way you can redefine what permissions a role has and won't have to change your code.
Also, this allows you to make new roles in the future and just assign a set of permissions to the role.
As for controls, yes... I would just set the Visible property on the control based on the user.IsInRole("permissionname") value.
For grids I would do the same... set the Visibility of the columns to the IsInRole boolean value.
//Delete Icon Column
gridViewContacts.Columns[0].Visible = user.IsInRole("DeleteAnyContact");
I would create your permissions in a very granular nature, such as
ViewAnyContact
ViewOwnContact
EditOwnContact
EditAnyContact
AddAnyContact
DeleteOwnContact
DeleteAnyContact
Etc...
If you're going the role-based route, ASP.NET (since version 2.0) has had a variety of membership controls available which might help in this scenario. Assuming (and this could well be a faulty assumption) that you're using the in-box membership provider, you can actually use the LoginView control to get #1 handled.
The way it works is that the LoginView can use RoleGroups and their associated ContentTemplates to customize the view for the user based on role. This works seamlessly with the in-box membership provider; I believe if you build your own membership provider based on Microsoft's technology it will also work. (I haven't done this latter step.)
Conceivably, you could use it for #2, but it'd wind up with duplicated code and effort, which isn't my personal preference. I think your choice of using role-specific SQL views to drive that table may be better than this option. (There are other options as well, of course, which may be better.)
I will second Elijah Manor's recommendation of using permissions instead of roles. Generally, that's my preference as well. (And I was surprised to discover that the membership provider technology didn't go to that level.) In any permission-centric scenario, though, you will essentially have to roll everything yourself. (I've done this, and while it's very flexible, the code to secure any given page can get hairy.)
EDIT: I apologize; I meant to include a link for the LoginView control. DotNetJunkies has a tutorial on it.
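The permission layer suggested in the answers above, sketched as an added example (not code from any of the posters). The permission names follow the list in the answer; the role names, the `PermissionMap` class and the sample users are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical role -> permission table (constructed sample data).
// In a real site this would be loaded from the database or configuration.
public static class PermissionMap
{
    private static readonly Dictionary<string, HashSet<string>> ByRole =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admin",   new HashSet<string> { "ViewAnyContact", "EditAnyContact",
                                               "AddAnyContact", "DeleteAnyContact" } },
            { "Manager", new HashSet<string> { "ViewAnyContact", "EditAnyContact" } },
            { "Staff",   new HashSet<string> { "ViewOwnContact", "EditOwnContact" } },
        };

    // True when any role the user holds grants the permission.
    // Unauthenticated or missing principals are always denied.
    public static bool HasPermission(IPrincipal user, string permission)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return ByRole.Any(kv => user.IsInRole(kv.Key) && kv.Value.Contains(permission));
    }

    // "<verb>AnyContact" applies to every record; "<verb>OwnContact" applies
    // only when the record's owner is the calling user.
    public static bool CanAct(IPrincipal user, string verb, string ownerName)
    {
        if (HasPermission(user, verb + "AnyContact")) return true;
        return HasPermission(user, verb + "OwnContact")
            && string.Equals(user.Identity.Name, ownerName,
                             StringComparison.OrdinalIgnoreCase);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample principals.
        var manager = new GenericPrincipal(new GenericIdentity("mia"), new[] { "Manager" });
        var staff   = new GenericPrincipal(new GenericIdentity("sam"), new[] { "Staff" });

        Console.WriteLine(PermissionMap.CanAct(manager, "Delete", "sam")); // Manager row has no Delete* entry
        Console.WriteLine(PermissionMap.CanAct(staff, "Edit", "sam"));     // own record
        Console.WriteLine(PermissionMap.CanAct(staff, "Edit", "mia"));     // someone else's record
    }
}
```

Run the same `CanAct` check in the handler or controller action that performs the edit or delete, not only when setting `Visible`, so a hidden column or link is never the only thing protecting the operation.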
