views:

208

answers:

3

I am using the following in my webconfig, so that only admin an access the admin folder.

<location path="Admin" allowOverride="true">
<system.web>
  <authorization>
    <allow roles="Administrators" />
    <deny users="*" />
  </authorization>
</system.web>

Now when the guest user tries to access this he is redirected to the Login page.

I want the user to either sho a popup that user cannot access it or just stay on the same page with some error message in a label on that page...

Any suggestions??

thanks

Here is more code in webconfig

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" protection="All" name="Cookie" timeout="120" path="/" slidingExpiration="true"
       defaultUrl="Default.aspx">
    </forms>
+1  A: 

Instead of denying access in the web.config you can deny access programmatically in the code behind.

        if (User.IsInRole("Administrators"))
        {
            accessDeniedMessage.Visible = true;
            adminPage.Visible = false;
        }
        else
        {
            adminPage.Visible = true;
            // show admin page
        }
mark123
is there a way to do that..i as not aware... or before entering every page i check if the user is in the role of the administrator...??
I added a code snippet. Hope that helps.
mark123
but i have many pages in my admin folder.. so ill have to check for this code everytime.. which will be time consuming.. hence in webconfig.. i am sure there must be a way to stay on the same page if access is denied.. thanks though
... and yes, this would work on the pages in the admin folder and not on the folder itself.
mark123
You could also do it on an admin version of a MasterPage so that it is automatically used on every admin page. Then it's only written and maintained in one place.
mark123
hey thanks but then what if there are files in the admin folder...
If you are using an admin MasterPage then it doesn't matter where the Web Content Forms are.
mark123
I may have misunderstood your question from the start. Are you trying to avoid the redirect and show an "access denied" message on the denied page?
mark123
+1  A: 

this is what i did in my login page..

if (!IsPostBack)
        {

            if (User.Identity.IsAuthenticated)
            {
                if (!string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
                {
                    Response.Redirect("~/Guest/Pagedenied.aspx");
                }
            }

        }

this way the admin folder is denied weather it is aspx pages or any other file in it... and the login screen is also avoided...

If any one has anything better please suggest..

Thanks

+1  A: 

You can use custom errors. Look here, and note that the error to be redirected is 401 and not 404.

Asaf R
yes i checked this out but could not understand some parts...
Well, I wrote this reply in a haste, but I'll be happy to extend it - can you explain what you found difficult there?
Asaf R