I have several pages or views in my application which are essentially the same for both authenticated users and anonymous users. I'd like to limit the insert/update/delete actions in formviews and gridviews to authenticated users only, and allow read access for both authed and anon users.

I'm using the asp.net configuration system for handling authentication and roles. This system limits access based on path so I've been creating duplicate pages for authed and anon paths.

The solution that comes to mind immediately is to check roles in the appropriate event handlers, limiting what possible actions are displayed (insert/update/delete buttons) and also limiting what actions are performed (for users that may know how to perform an action in the absence of a button.) However, this solution doesn't eliminate duplication - I'd be duplicating security code on a series of pages rather than duplicating pages and limiting access based on path; the latter would be significantly less complicated.

I could always build some controls that offered role-based configuration, but I don't think I have time for that kind of commitment right now.

Is there a relatively easy way to do this (do such controls exist?) or should I just stick to path-based access and duplicate pages?

Does it even make sense to use two methods of authorization? There are still some pages which are strictly for either role so I'll be making use of path-based authorization anyway.

Finally, would using something other than path-based authorization be contrary to typical asp.net design practices, at least in the context of using the asp.net configuration system?

A: 

One solution would be to write a few custom stored procedures on the database side. If you passed in a boolean flag for auth'ed vs. unauth'ed then your SQL code could handle which results are returned and which actions are performed.

However, if you envision many of your users being unauthorized, maybe you should use the session state to check a user's role, before you make a thousand calls down into your database.

Basically, you need to "conditionally bind" your grid to its datasource, determining which stored procedure to call by checking the user's role.

I hope this helps a bit!

Buffalo
+1  A: 

To display the controls, you could use asp:LoginView.

http://www.codedigest.com/Articles/ASPNET/78_LoginView_Controls_with_Roles_in_ASPNet_20.aspx

For "users that may know how to perform an action in the absence of a button", you could use if User.IsInRole("Role_name") then ... before doing your update stuff. You could also add security to a function by using:

<PrincipalPermission(SecurityAction.Demand, role:="Role_name")> _

http://www.4guysfromrolla.com/webtech/121901-1.2.shtml

DavRob60
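One way to keep both halves of this answer (hide the buttons, and still check the role when the update actually runs) in a single place instead of copying the check into every page, as an added C# example that is not from this answer or from the question; the base-page class, its Guard methods and the "Editor" role name are assumptions of mine, and the event types are the standard ASP.NET Web Forms ones:

```csharp
// Added example: a shared base Page that hides editing UI for users outside the
// role AND cancels the edit events server-side, so a crafted postback that
// raises RowDeleting without a rendered button is still refused.
using System;
using System.ComponentModel;
using System.Web.UI;
using System.Web.UI.WebControls;

public class EditGuardPage : Page
{
    // Role allowed to modify data; hypothetical name, adjust to your role setup.
    protected const string EditorRole = "Editor";

    // Usable from markup as Visible='<%# CanEdit %>' (requires a DataBind() call).
    protected bool CanEdit
    {
        get { return User.Identity.IsAuthenticated && User.IsInRole(EditorRole); }
    }

    // Call from Page_Load for each GridView; the grid's events fire after Load,
    // so the handlers are in place before any update/delete command runs.
    protected void Guard(GridView grid)
    {
        grid.RowEditing  += (s, e) => { if (!CanEdit) Deny(e); };
        grid.RowUpdating += (s, e) => { if (!CanEdit) Deny(e); };
        grid.RowDeleting += (s, e) => { if (!CanEdit) Deny(e); };
        if (CanEdit) return;
        foreach (DataControlField field in grid.Columns)
        {
            var cmd = field as CommandField;       // Edit/Delete link column
            if (cmd != null) cmd.Visible = false;  // hidden, but not relied upon
        }
    }

    protected void Guard(FormView form)
    {
        form.ItemInserting += (s, e) => { if (!CanEdit) Deny(e); };
        form.ItemUpdating  += (s, e) => { if (!CanEdit) Deny(e); };
        form.ItemDeleting  += (s, e) => { if (!CanEdit) Deny(e); };
        // Refuse switching into Edit/Insert mode; read-only mode stays available.
        form.ModeChanging  += (s, e) =>
        { if (!CanEdit && e.NewMode != FormViewMode.ReadOnly) e.Cancel = true; };
    }

    // Cancelling the event stops the bound data source from executing its
    // command; the trace entry gives you a record of the refused attempt.
    private void Deny(CancelEventArgs e)
    {
        e.Cancel = true;
        string who = User.Identity.IsAuthenticated ? User.Identity.Name : "anonymous";
        Trace.Warn("Security", "Edit attempt by '" + who + "' denied");
    }
}
```

A page then inherits EditGuardPage and calls Guard(myGridView) in Page_Load; buttons placed in TemplateFields are not covered by the CommandField loop, so bind their Visible property to CanEdit as this thread's other answer shows.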
+2  A: 

The best approach will be to add a property on a custom control, named Roles or something similar, that allows only users in those roles to view the control. Since you do not have time for that, you can make a helper method that deals with the Visible property of the control. Something like this:

<%-- IsInRole is the page's helper method; the attribute value uses single quotes so the inner double quotes stay valid, and the <%# %> expression is evaluated when the page (or control) is data-bound --%>
<asp:Button id="UpdateButton" runat="server" Visible='<%# IsInRole("Admin") %>' />

You can also make your own helper method that checks for more criteria.

azamsharp
The reason I say I don't have time is that I'd want to make a 'universal' custom control with things like a smart tag so I could specify different data sources when using the control on different pages. I'm relatively new to asp.net and at first glance that looked somewhat complicated. I like your solution for setting the control visibility though; seems pretty simple!
Duke
I got to use Visible='<%# user.IsInRole("Admin") %>' in order to make it work...
DavRob60
@DavRob60 Yup! that should do it!
azamsharp