tags:

views:

68

answers:

3
+2  Q: 

How can I limit asp.net control actions based on user role?

I have several pages or views in my application which are essentially the same for both authenticated users and anonymous users. I'd like to limit the insert/update/delete actions in formviews and gridviews to authenticated users only, and allow read access for both authed and anon users.

I'm using the asp.net configuration system for handling authentication and roles. This system limits access based on path so I've been creating duplicate pages for authed and anon paths.

The solution that comes to mind immediately is to check roles in the appropriate event handlers, limiting what possible actions are displayed (insert/update/delete buttons) and also limiting what actions are performed (for users that may know how to perform an action in the absence of a button.) However, this solution doesn't eliminate duplication - I'd be duplicating security code on a series of pages rather than duplicating pages and limiting access based on path; the latter would be significantly less complicated.

I could always build some controls that offered role-based configuration, but I don't think I have time for that kind of commitment right now.

Is there a relatively easy way to do this (do such controls exist?) or should I just stick to path-based access and duplicate pages?

Does it even make sense to use two methods of authorization? There are still some pages which are strictly for either role so I'll be making use of path-based authorization anyway.

Finally, would using something other than path-based authorization be contrary to typical asp.net design practices, at least in the context of using the asp.net configuration system?

A: 

One solution would be to write a few custom stored procedures on the database side. If you passed in a boolean flag for auth'ed vs. unauth'ed then your SQL code could handle which results are returned and which actions are performed.

However, if you envision many of your users being unauthorized, maybe you should use the session state to check a user's role, before you make a thousand calls down into your database.

Basically, you need to "conditionally bind" your grid to its datasource, determining which stored procedure to call by checking the user's role.

I hope this helps a bit!

Buffalo  2010-03-12 16:16:46
+1  A: 

To display the controls, You could use asp:LoginView.

http://www.codedigest.com/Articles/ASPNET/78_LoginView_Controls_with_Roles_in_ASPNet_20.aspx

for "users that may know how to perform an action in the absence of a button",

you could use if User.IsInRole("Role_name") then ... before doing your update stuff. you could also add security to function by using :

<PrincipalPermission(SecurityAction.Demand, role:="Role_name")> _

http://www.4guysfromrolla.com/webtech/121901-1.2.shtml

DavRob60  2010-03-12 16:43:41
+2  A: 

The best approach will be to add a property on a custom control saying Roles or something that will allow the users of such roles to view the control. Since, you do not have time for that you can make a helper method which will deal with the visible property of the control. Something like this: 

<asp:Button id="UpdateButton" runat="server" Visible="<%# IsInRole("Admin") %>" />

You can also make your own helper method that checks for more criteria.

azamsharp  2010-03-12 19:31:38
The reason I say I don't have time is that I'd want to make a 'universal' custom control with things like a smart tag so I could specify different data sources when using the control on different pages. I'm relatively new to asp.net and at first glance that looked somewhat complicated. I like your solution for setting the control visibility though; seems pretty simple!
Duke  2010-03-15 13:54:17
I got to use Visible='<%# user.IsInRole("Admin") %>' in order to make it work...
DavRob60  2010-03-18 13:58:17
@DavRob60 Yup! that should do it!
azamsharp  2010-03-18 16:43:34

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps