Re: Authorization based on roles or directory access?
- From: rmgalante@xxxxxxxxxxxx
- Date: 11 Jan 2007 13:50:29 -0800
Jakob,
I have experienced the same problem as you, and I have come to the same
conclusions. I have to create a separate directory for each role and
duplicate my scripts in each directory. This seems like it is not a
good layout for a website where many of the scripts are common to
several roles, but not all scripts are common to all roles. I intend to
create User Controls for as much of the code as possible in order to
limit duplicate code.
But I have found a solution to the problem, although I'm not that
pleased with it. It involves creating an extra submenu level for each
item that has to limit access. For example, if I want Admins and Power
Users to access a script called "Admins/Script1.aspx", but I only want
Admins to access a script called "Admins/Script2.aspx", I do the
following.
<siteMapNode url="" title="MainMenu" description="" roles="Admins,Power Users">
  <siteMapNode url="Admins/Script1.aspx" title="Script 1" description="" roles="Admins,Power Users"/>
  <!-- Parent entry with a blank url; the real page is the child node below it -->
  <siteMapNode url="" title="Script 2" description="" roles="Admins">
    <siteMapNode url="Admins/Script2.aspx" title="Add/Update/Delete Records" description="" roles="Admins"/>
  </siteMapNode>
</siteMapNode>
<!-- Extra closing tag as posted; its opening node is not shown -->
</siteMapNode>
I've created a subdirectory below my web site called Admins. I added
authorization for both roles in my web.config file for that location.
This authorization causes the effect that you saw.
However, it looks like the roles in the sitemap take effect if the url
is blank. If the url is not blank, the authorization in web.config
"adds" the sitemapnode, even if the roles attribute tries to restrict
it. So I create an additional child sitemapnode below the Script2
entry, and leave the url blank in the parent sitemapnode.
It seems to work.
Rob
Jakob Lithner wrote:
First to make myself clear:
I have several roles but we can simplify the case and list three of them:
- Members
- Editors
- Admins
They are not mutually exclusive, so a user in the Editors role also belongs
to the Members role.
You wrote this:
"For navigation node (treeview node, menu item)'s visibility (whether it can
be displayed to a certain user) on navigation controls, it is controlled by
both the <authorization> setting and the "roles" attribute in
<siteMapNode>. And by default, if you have enabled security trimming in
sitemap provider. e.g. (.....)
and you haven't manually specified any "roles" attribute for the
<siteMapNode> in the web.sitemap file. The visibility of each sitemapnode
is (then?) determined by <authorization> setting."
I would like this to be the case, but this is not what happens.
It would be fine if the <authorization> setting was only checked as an extra
security check for nodes that I in the sitemap decided to show.
Instead it ADDS permission so the node is shown where it shouldn't!
I do specify roles="Editors" on one of my nodes.
But this node is visible even for users that don't belong to this role.
I guess it is because I in the web.config specify <allow roles="Members"/>.
I guess the conclusion is that I need to create 10-15 directories to match
all my roles and specify corresponding sections in each web.config. That is a
lot of double work just to ensure the navigation nodes and the files have
corresponding authorizations.
I am pretty sure most people don't solve it like that.
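
Added example, not part of either post: ASP.NET <location> elements can target a single file, so a restriction such as the one on Script2.aspx can be expressed as URL authorization, which is what the server enforces on the request itself, while the sitemap roles attribute only affects what the menu shows. Role names and paths are taken from the post above; the provider name and the overall file layout are assumptions.

```xml
<!-- web.config at the site root. Constructed example: role names and paths come
     from the post, "TrimmedSiteMap" is a made-up provider name. -->
<configuration>
  <system.web>
    <!-- Security trimming must be on for navigation controls to hide nodes. -->
    <siteMap defaultProvider="TrimmedSiteMap" enabled="true">
      <providers>
        <add name="TrimmedSiteMap"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Directory-wide rule as described in the post: both roles may enter Admins/.
       On its own, this rule lets Power Users request every page in the directory. -->
  <location path="Admins">
    <system.web>
      <authorization>
        <allow roles="Admins,Power Users" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- File-level override: rules are evaluated top-down and the first match wins.
       A Power User does not match the allow rule, hits deny users="*", and is
       refused before the inherited directory rule is consulted. -->
  <location path="Admins/Script2.aspx">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the result, sign in as a user who is only in Power Users and request Admins/Script2.aspx directly by URL rather than through the menu; the request itself should be refused.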