views:

684

answers:

2

I have a site with 2 sections - one for customers and one for admins, in essence. Each section is in its own directory with its own web.config and sitemap. Security and access works fine.

When I am logged in as admin, I want to see menu items that link to the other section, however. I added links to the sitemap, e.g.:

<siteMapNode url="~/Customer/Default.aspx?3" title="Customer Site"
description="Switch to customer site" roles="Administrator"/>

This seems to have no effect, since I still see the menu item when logged in as a customer. When I turn on security trimming, as in

<siteMap enabled="true">
  <providers>
    <add name="InternalSiteMap" type="System.Web.XmlSiteMapProvider" 
        siteMapFile="~/Internal/Internal.sitemap" />
    <add name="CustomerSiteMap" type="System.Web.XmlSiteMapProvider" 
     siteMapFile="~/Customer/Customer.sitemap" securityTrimmingEnabled="true" />
  </providers>
</siteMap>

all menu items are gone.

I actually have web.configs in both the Internal and the Customer folders, e.g. for the customer:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Customer" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

and the administrator:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="Administrator" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

Again, authorization works, and when I am logged in as a Customer and I click on the internal site link in the menu, I am being redirected to the login page. As an admin, I can click through to the admin site. As soon as I turn on security trimming for the sitemap provider, which is supposed to take the links that I am not authorized for off the menu, the entire menu disappears. What am I missing? Do I need to configure the asp.menu control to work together with this?

Update: I put a bounty on this question, because I still cannot get it to work. We are inclined to throwing out the menu control and writing our own, but if someone can provide a hint, that would be preferred of course. Again - the problem is not with security - the roles and access rules work as expected. It is with the menu control and security trimming. The menu disappears alltogether when security trimming is turned on for a sitemap.

Update: Thanks for finding this blog post, Pavel. What I learned from this is that if there are sitemap entries that do not have a path and URL (which is also true for some of my submenues), the control cannot infer permissions from the settings in the web.config, and you have to specify the roles in the sitemap. Otherwise, they will be hidden by default.

A: 

http://www.vbforums.com/showthread.php?p=3625975

Check the logged in user has the Administrator role.

Edit:

I'm also pretty sure your not ment to specify the role in the siteMapNode. I belive role based site maps work off existing roles, eg if a user has access to the path that the site note specifys then it will display it.

Also specify the path in the webs.config.

<location path="admin/">
    <system.web>
        <authorization>
            <allow roles="Admin"  />
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

And finally remove the '~' from your site map so that the comparison will match.

Once this is all done and if this is still not working, merge the web.configs to make sure permisions are not being lost.

Pino
Yes, this is what I am trying to do and it is not working. The link was not helpful. The user does not have the Admin role.
cdonner
I've Edited the post
Pino
I did all this, but the problem remains. As soon as I enable security trimming in the sitemap, the menu disappears. With security trimming not enabled, security works as expected (i.e. redirect to login page when there is no access).
cdonner
+2  A: 

From Horizontal Menu Disappears with securityTrimmingEnabled="true":

Make sure that every role has access to the (unused) dummy siteMapNode at the root by including roles="*" in web.sitemap shown below:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap  enableLocalization="true"
     xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="" title="" roles="*"  description="">
      <siteMapNode url="~/default.aspx" resourceKey="siteMapHome" 
       title="Home" roles="admin,account" description="" />
<!-----More nodes-->
Pavel Chuchuva
Nice one, thanks!
cdonner