start date: Sat, 4 Aug 2007 01:46:12 -0400,
posted on: microsoft.public.dotnet.framework.aspnet
Thread Index: 1. Bill Gower | 2. Alexey Smirnov | 3. Alexey Smirnov
Need advice on handling security
I am validating the users of my web app against a user database in SQL
Server. I then store the user object in a session variable and pass it
around to the various forms. I have a field in the user object called Role
that either holds the value "BusinessAgent" or "Administrator". The role
type determines what forms the user can access and certain privileges in
forms. I have menus on a master page but I don't want to hide menu items
depending on the role type. I would like to in the page load of each form,
look at the role type and determine whether they have permission to the form
otherwise alert them to the fact that the form is for administrators only.
What is the best way to do this?
Bill
Date:Sat, 4 Aug 2007 01:46:12 -0400
Re: Need advice on handling security
On Aug 4, 7:46 am, "Bill Gower" wrote:
> I am validating the users of my web app against a user database in SQL
> Server. I then store the user object in a session variable and pass it
> around to the various forms. I have a field in the user object called Role
> that either holds the value "BusinessAgent" or "Administrator". The role
> type determines what forms the user can access and certain privileges in
> forms. I have menus on a master page but I don't want to hide menu items
> depending on the role type. I would like to in the page load of each form,
> look at the role type and determine whether they have permission to the form
> otherwise alert them to the fact that the form is for administrators only.
> What is the best way to do this?
>
Hi Bill
you can check it in the code-behind

    If Not User.IsInRole("Administrator") Then
        Response.Write("Only administrators can see this form")
    End If

you can set permissions in web.config

    <location path="admin.aspx">
      <system.web>
        <authorization>
          <allow roles="Administrator" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

Hope this helps
Date:Sat, 04 Aug 2007 01:14:14 -0700
Re: Need advice on handling security
On Aug 4, 10:14 am, Alexey Smirnov wrote:
> On Aug 4, 7:46 am, "Bill Gower" wrote:
>
> > I am validating the users of my web app against a user database in SQL
> > Server. I then store the user object in a session variable and pass it
> > around to the various forms. I have a field in the user object called Role
> > that either holds the value "BusinessAgent" or "Administrator". The role
> > type determines what forms the user can access and certain privileges in
> > forms. I have menus on a master page but I don't want to hide menu items
> > depending on the role type. I would like to in the page load of each form,
> > look at the role type and determine whether they have permission to the form
> > otherwise alert them to the fact that the form is for administrators only.
> > What is the best way to do this?
>
> Hi Bill
>
> you can check it in the code-behind
>
>     If Not User.IsInRole("Administrator") Then
>         Response.Write("Only administrators can see this form")
>     End If
>
> you can set permissions in web.config
>
>     <location path="admin.aspx">
>       <system.web>
>         <authorization>
>           <allow roles="Administrator" />
>           <deny users="*" />
>         </authorization>
>       </system.web>
>     </location>
>
> Hope this helps
P.S. I assume that you created a FormsAuthenticationTicket with roles
and assigned it to the user
Date:Sat, 04 Aug 2007 01:22:48 -0700
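
The setup that the P.S. assumes, as an added example that is not part of the original thread: the role read from the SQL Server user table is placed in the forms authentication ticket at login, and Global.asax rebuilds the principal from it on every request so that User.IsInRole and the web.config role rule have something to evaluate. The names RoleTicket, SignIn and roleFromDb and the 30-minute lifetime are assumptions made for illustration.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Hypothetical helper, called by the login page after the database check succeeds.
Public Module RoleTicket
    ' roleFromDb is the Role value loaded server-side from the user table
    ' ("BusinessAgent" or "Administrator"); never take it from request input.
    Public Sub SignIn(ByVal response As HttpResponse, _
                      ByVal userName As String, _
                      ByVal roleFromDb As String)
        ' The role travels in the ticket's UserData field (assumed 30-minute lifetime).
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), False, roleFromDb)

        ' Encrypt protects the ticket according to the <forms protection="..."> setting;
        ' the default, "All", both encrypts and validates it against tampering.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        cookie.Path = FormsAuthentication.FormsCookiePath
        response.Cookies.Add(cookie)
    End Sub
End Module

' Global.asax code-behind.
Public Class Global_asax
    Inherits HttpApplication

    ' Runs after the forms authentication module has decrypted the ticket.
    ' That module leaves the user with no roles, so IsInRole is always False
    ' until the principal is replaced here.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Context.User Is Nothing Then Return
        Dim id As FormsIdentity = TryCast(Context.User.Identity, FormsIdentity)
        If id Is Nothing OrElse Not id.IsAuthenticated Then Return

        ' UserData may hold one role or a comma-separated list.
        Dim roles() As String = id.Ticket.UserData.Split( _
            New Char() {","c}, StringSplitOptions.RemoveEmptyEntries)
        Context.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

URL authorization runs after AuthenticateRequest, so both the code-behind check and the location rule shown in the reply see the role carried in the ticket.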