Dear forums,
I would like to restrict user rights by hiding controls on the page based on membership. "Theoretically", this would make it impossible for those controls to raise events on the server side. However, I wonder if a malicious user could raise those events by instantiating the controls on the client side anyway (e.g. XSS).
Sample scenario: There is a button on the page that is enabled / visible only if the user is a member of a certain role (rights checked on the Page Load event).
Can disabling/hiding the button be bypassed by some tricky way of postback that would invoke the associated click event anyway?
Thanks for advice.