I have Membership, Profile and Role providers set up for my .NET MVC website. I would like to say: this Role has access to that Page.
How do I 'inject' this code to the RoleProvider? Or do I have to override it somehow? Any leads?
(Roles are stored in the default ASP.NET SqlRoleProvider, Pages are stored in a separate SQL database).
Why would you inject this into the role provider? Why not just decorate the ActionResult with [Authorize(Roles="myrole")]?
I understand that your pages are in the database but the action result still needs to call the view right?
I guess you could write your own custom attribute which can check and either grant access or deny it.
I don't think the role provider is the right place for determining whether a page can be displayed or not.
Take a look at using sitemaps under asp.net. It is VERY easy to manage and to extend.
I have even used them as the datasource for a menu system.
Once in your page, you can do something like:
User.IsInRole("RoleName")
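One way to write the custom attribute suggested in the answers above, as an added example (not code from the original posters): an MVC AuthorizeAttribute that looks up the roles allowed for the current controller/action in a page store and denies by default. IPageRoleStore, InMemoryPageRoleStore, PageAuthorizeAttribute and the sample mappings are hypothetical names and constructed data; a real store would query the Pages database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction over the separate "Pages" database.
public interface IPageRoleStore
{
    // Roles allowed to open the page; empty when the page has no mapping.
    IEnumerable<string> GetRolesForPage(string controller, string action);
}

// Constructed in-memory stand-in so the example is self-contained.
public class InMemoryPageRoleStore : IPageRoleStore
{
    private readonly Dictionary<string, string[]> _map =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reports/Index", new[] { "Manager", "Admin" } },
            { "Admin/Users",   new[] { "Admin" } }
        };

    public IEnumerable<string> GetRolesForPage(string controller, string action)
    {
        string[] roles;
        return _map.TryGetValue(controller + "/" + action, out roles)
            ? roles : Enumerable.Empty<string>();
    }
}

public class PageAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: replaced with the database-backed store at application start.
    public static IPageRoleStore Store = new InMemoryPageRoleStore();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        var route = httpContext.Request.RequestContext.RouteData;
        var roles = Store.GetRolesForPage(
            route.GetRequiredString("controller"),
            route.GetRequiredString("action"));
        // Default deny: a page without a mapping is closed to everyone.
        return roles.Any(r => user.IsInRole(r));
    }
}
```

Applied as [PageAuthorize] on a controller or action, a false result falls through to the base class's HandleUnauthorizedRequest, so the role provider itself stays untouched.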
I am failing to find good examples of user and activity based authorization for my ASP.NET web forms site. Currently, I am using user roles in web config to allow/deny access to pages within folders. But this method is proving to be a nightmare to maintain, especially when users come up with special case scenarios, which completely deviate from existing role permissions.
So I am looking for a way to be able to store and retrieve user access rights from the database and then enforce them on my web site dynamically.
My second problem is how to show/hide certain site master html from certain users. I was also thinking to store this information in the database, so that these rights are dynamically allocated also.
Currently, I am hard coding the hide/show permissions in my site master code behind by saying:
if (isInRole("Admin"))
{
// Show everything
}
else
{
// hide certain html
}
So this approach works currently, but is problematic to maintain and not very flexible.
Finally, I was looking at activity based authorization, the pros and cons of which were well described in this article: http://ryankirkman.com/2013/01/31/activity-based-authorization.html.
So how would I implement that in my ASP.NET web forms site?
In conclusion there are three things I am after:
Dynamically Control Visibility of HTML elements in my site master page based on user authorization.
Dynamically control user authorization to my aspx pages
Dynamically control user activity based authorization
Any input on this would be highly appreciated. Thank you
You should switch from role based authentication to claims based authentication. Here's an article describing the basics of claims based authentication:
http://dotnetcodr.com/2013/02/11/introduction-to-claims-based-security-in-net4-5-with-c-part-1/
Claims will give you fine grained control over the rights for each individual user. ClaimsPrincipal can also be used in webforms:
https://visualstudiomagazine.com/articles/2013/09/01/going-beyond-usernames-and-roles.aspx
An attribute can be applied to pages and methods in an ASP.NET Web Forms application (described in the article above):
[ClaimsPrincipalPermission(SecurityAction.Demand,
    Operation="Update", Resource="Customer")]
public partial class CustomerUpdate : System.Web.UI.Page
{
    // page members
}
Check this link Authorization Based on User
Or another thing you can do is separation of concerns according to roles.
Keep the views according to the access level and roles, so that you can easily manage the access.
Another thing that I've seen people doing is having a DB table with all roles/users and access links.
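The ClaimsPrincipalPermission attribute shown in the claims answer above delegates its decision to the application's configured ClaimsAuthorizationManager. The following is an added example (not taken from the linked articles) of such a manager for activity-based checks; the claim type urn:example:activity and the "Resource:Operation" value format are assumptions made for illustration, and the identity in the demo is constructed.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Registered through the claimsAuthorizationManager element of
// system.identityModel/identityConfiguration in web.config.
public class ActivityAuthorizationManager : ClaimsAuthorizationManager
{
    // Hypothetical claim type: one claim per granted activity, e.g. "Customer:Update".
    public const string ActivityClaimType = "urn:example:activity";

    public override bool CheckAccess(AuthorizationContext context)
    {
        var principal = context.Principal;
        if (principal == null || principal.Identity == null ||
            !principal.Identity.IsAuthenticated)
            return false;

        // ClaimsPrincipalPermission passes Resource and Operation as claim values.
        string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        string operation = context.Action.Select(c => c.Value).FirstOrDefault();
        if (resource == null || operation == null) return false;

        // Default deny: access only when the exact activity claim is present.
        string required = resource + ":" + operation;
        return principal.HasClaim(c =>
            c.Type == ActivityClaimType &&
            string.Equals(c.Value, required, StringComparison.OrdinalIgnoreCase));
    }
}

public static class ActivityDemo
{
    // Constructed identity: activity claims would normally be loaded from
    // the database at sign-in.
    public static bool CanUpdateCustomer()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ActivityAuthorizationManager.ActivityClaimType, "Customer:Update")
        }, "Forms");
        var context = new AuthorizationContext(
            new ClaimsPrincipal(identity), "Customer", "Update");
        return new ActivityAuthorizationManager().CheckAccess(context); // true
    }
}
```

The same CheckAccess call can drive show/hide decisions in the master page, so visibility and enforcement read from one set of activity claims.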
In my ASP.NET 3.5 application, on the ASPX pages I have to implement role based data update policy.
If a user has least privilege, he can still update some fields but not all, whereas a user with maximum privilege can update all fields on the page.
I was trying to implement this using a generic approach, but I am not sure if .NET has something built in to implement this.
What is the right approach here?
Yes, you will want to utilize ASP.NET Membership. Once you have that in place, you can check roles on a user, like so:
if (Roles.IsUserInRole("User1", "Role1"))
// allow whatever you need to
If you are using the asp.net membership provider, you can limit the content on the page based on the roles the user is in
If I have two tables in my project to have access to such a blog (blog writers access) and one for friends access.
I use if I want the RoleProvider What is the form?
This question is very ambiguous and suggests you need to do some reading on ASP.NET membership/roles... but to check if the user is in a role, you just do this:
User.IsInRole("role name")
Roles.Provider gets the default Role Provider.
Roles.Providers gets the collection of Role Providers for the ASP.NET application.
Look into the System.Web.Security namespace
I'm using forms authentication in my C# based web site, with the authentication defined in web.config files in the various folders/sub-folders. I want to write a generic administration menu system that lists all of the admin pages that the user is authorized to open. As I add pages, I want them to automatically show up in the menu. So...
I need to obtain a list/collection of all pages that the active user is authorized to open. Is this possible in ASP.Net 3.5?
I assume that ASP.Net has an internal collection of pages somewhere, together with their required roles (as it must check somewhere when you attempt to open a page)?
I would suggest looking into using a sitemap (in ASP.Net, web.SiteMap). Then you can use the SiteMap as a datasource (as well as define roles, etc for each page).
You assume incorrectly... There is no internal listing of these pages, only the file system. Access is checked on a file-by-file basis when ASP.NET attempts to open the page.
To do what you're looking for, you'll have to code it up yourself using System.IO and getting the authorization settings from web.config.
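An added example of the file-system approach described in the last answer (not code from the original posters): it walks a folder with System.IO, but instead of parsing the web.config authorization sections by hand it asks ASP.NET's own UrlAuthorizationModule.CheckUrlAccessForPrincipal to evaluate them for each page. The class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Hosting;
using System.Web.Security;

public static class AuthorizedPageLister
{
    // Returns the virtual paths of all .aspx pages under virtualFolder
    // (for example "~/Admin") that pass URL authorization for the user.
    public static IList<string> GetAuthorizedPages(string virtualFolder, IPrincipal user)
    {
        if (user == null) throw new ArgumentNullException("user");

        string appRoot = HostingEnvironment.ApplicationPhysicalPath;
        string folder = HostingEnvironment.MapPath(virtualFolder);
        if (folder == null || !Directory.Exists(folder))
            return new List<string>();

        return Directory.GetFiles(folder, "*.aspx", SearchOption.AllDirectories)
            // Physical path -> app-relative path -> absolute virtual path.
            .Select(f => "~/" + f.Substring(appRoot.Length)
                                 .Replace('\\', '/').TrimStart('/'))
            .Select(p => VirtualPathUtility.ToAbsolute(p))
            // Evaluates the <authorization> rules that apply to each page,
            // including those inherited from parent web.config files.
            .Where(p => UrlAuthorizationModule.CheckUrlAccessForPrincipal(p, user, "GET"))
            .OrderBy(p => p, StringComparer.OrdinalIgnoreCase)
            .ToList();
    }
}
```

From a page, call it as AuthorizedPageLister.GetAuthorizedPages("~/Admin", Context.User). The menu only reflects the rules; the web.config authorization sections remain the enforcement point, and checks made in page code are not visible to this method.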
Suppose I have 3 kinds of users and their accessible pages in my ASP.net application are as follows:
(1) User Type-A {Default.aspx, a.aspx, b.aspx and c.aspx},
(2) User Type-B {Default.aspx, d.aspx, e.aspx and f.aspx},
(3) Admin {Default.aspx and g.aspx}.
Here Default.aspx is my Login-page.
I am using Membership Provider and Forms authentication technique.
Now I need to block access of one type of user to the pages assigned for other type users.
How should I configure my Web.config file?
And what kind of C# code should be used?
Role management in asp.net may help you in this case. Please check this article.
You may have to customize this as per your specific requirement. Hope this helps.
Role Manager in ASP.NET
Each User-Type will be associated with Roles.
We have a similar requirement, and make use of the Patterns and Practices Web Client Software Factory. Basically it assists you in creating modules, and allowing you to specify per-page access levels in config based on Role / User details.
You might have a try to use roleship provider and web.sitemap.