I have a GridView with a couple of columns. I want to achieve the following:
If the user is NOT authorized, display normal columns.
If the user IS authorized: set a mouseover event for the first column text and display some buttons (that are not available to NOT authorized users) in a second column when the user hovers over the first column (using JavaScript).

I have 2 difficulties:

The first one: where and when should I create the buttons?
I have 2 options.
I can create those buttons at design time, in the GridView's template, and just set the Visible value to false and then in the code-behind set it to true if the user is authorized.
The second option would be creating these buttons dynamically in the gridview_RowCreated event (or any other event) if the user is authorized.

The second difficulty is setting the JavaScript event to show the buttons; the event should be added only if the user is authorized!
Note that the event and buttons should have some kind of ID match so the JavaScript function knows what it should hide/unhide when the event is triggered.

What should I do, what is the best practice?
I know this is a long question, but please try to help :)

A: 

If the issue is conditional authorization of buttons then don't output them from the server-side if the user isn't authorized. That is, don't render the buttons and show/hide them with JavaScript because JavaScript can be manipulated on the client-side by malicious users to show hidden buttons from the browser DOM and it's beyond your control. This increases the chances of them gaining access if your server checks aren't in place too.

Use the code-behind like you mentioned, but conditionally send buttons to the client-side. If you send them they're visible and if you don't they're not because they're not there to show. Then you don't have to additionally play around with JavaScript for this endeavour.

This assumes you've used Webforms authentication or a similar mechanism so you know if the user is authorized or not from the server side, and you can check it there and make decisions accordingly in your code based on it.

Maybe I don't understand the full context of what you're trying to achieve but I'm trying to convey security issues and reasoning around that. There are plenty of places to use JavaScript in development but this time it might be the wrong choice.

However ... if the buttons aren't really a security issue and an invalid user gaining access to them won't cause harm in the grand scheme of things then forget all the above.

John K
If I set Visible=false on the server side, it cannot be turned on by JavaScript, right?
mariki
You're right, because it isn't rendered when set to False: http://msdn.microsoft.com/en-us/library/system.web.ui.control.visible.aspx
John K
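
A code-behind sketch of the approach in the answer above, added here as an example and not code posted by either participant: the buttons are rendered only for authorized users, the hover script is attached only for them, and the postback handler repeats the check. The names `OrdersGrid`, `ActionsPanel`, the role `Editors` and the command `DeleteRow` are assumptions; the grid's second-column template is assumed to hold a `Panel` with ID `ActionsPanel` wrapping the buttons.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example. OrdersGrid, ActionsPanel, "Editors" and "DeleteRow" are hypothetical names.
public partial class Orders : Page
{
    // One server-side decision, reused for rendering and for handling commands.
    private bool IsAuthorized
    {
        get { return User.Identity.IsAuthenticated && User.IsInRole("Editors"); }
    }

    // Wired in markup: OnRowDataBound="OrdersGrid_RowDataBound"
    protected void OrdersGrid_RowDataBound(object sender, GridViewRowEventArgs e)
    {
        if (e.Row.RowType != DataControlRowType.DataRow) return;

        var actions = e.Row.FindControl("ActionsPanel") as Panel;
        if (actions == null) return;

        // Visible = false: the panel and its buttons are never written to the HTML,
        // so there is nothing in the DOM for client-side script to un-hide.
        actions.Visible = IsAuthorized;
        if (!IsAuthorized) return;

        // Authorized users only: render the panel hidden and reveal it on hover.
        // ClientID is unique per row and contains only letters, digits and
        // underscores, so it is safe to embed in the inline handler.
        actions.Style["display"] = "none";
        string target = "document.getElementById('" + actions.ClientID + "').style.display";
        e.Row.Cells[0].Attributes["onmouseover"] = target + "='';";
        e.Row.Attributes["onmouseleave"] = target + "='none';";
    }

    // Wired in markup: OnRowCommand="OrdersGrid_RowCommand"
    protected void OrdersGrid_RowCommand(object sender, GridViewCommandEventArgs e)
    {
        if (e.CommandName != "DeleteRow") return;

        // Hiding the button is presentation only; the handler must authorize again,
        // because a postback can be crafted without the button ever being rendered.
        if (!IsAuthorized) throw new HttpException(403, "Forbidden");

        // Authorized: carry out the action for the row identified by e.CommandArgument.
    }
}
```

The `ClientID` is read in `RowDataBound` rather than `RowCreated` because the row has been added to the grid's control tree by then, which is what makes the generated ID match the rendered element.
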
A: 

What you want to do is use the HoverMenu control from the ASP.Net Ajax Toolkit. This will handle all the JavaScript for you to display and hide the buttons on mouse over and mouse out. You would enable or disable the HoverMenu in your code-behind to handle your authorization.

Payton Byrd