Hi,

I have written a custom SiteMapProvider and a custom RoleProvider.

My problem is that there is one Site that should only be visible in the Menu which is bound to the custom SiteMapProvider for members of a special role. But it is always visible also for users of other roles.

The role provider seems to and the SiteMapProvider, too. I have overriden the IsAccessibleByUser Method of the SiteMapProvider and for that specific user who is not a member of the role and the node which should be invisible the method returns false - as expected. For the other nodes that should be visible for that user/role it returned true.
I set a breakpoint and so I was able to make sure that both providers were involved.
Btw. securityTrimmingEnabled is set to true in the web.config, of course.

Now my question is why that Menu control shows the node where the result is false?

Do I have to handle the result of the IsAccessibleByUser in the FindSiteMapNode, GetChildNodes and GetParentNode methods myself? I thought ASP.Net does, no?

Thanks for your help in advance.

Regards Alex
 

 Did you enable security trimming for the sitemap?

<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider"
      description="Default SiteMap provider."
      type="System.Web.XmlSiteMapProvider"
      siteMapFile="Web.sitemap"
      securityTrimmingEnabled="true" />
  </providers>
</siteMap>

Thanks for your answer, Ken.

Yes, I did. My web.config looks like this:

    <siteMap enabled="true" defaultProvider="MySiteMapProvider">
      <providers>
        <clear/>
        <add name="MySiteMapProvider"
             description="MySiteMapProvider."
             type="SiteMapTest.MySiteMapProvider "
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
    <roleManager enabled="true" defaultProvider="MyRoleProvider">
      <providers>
        <clear/>
        <add name="MyRoleProvider"
             type="SiteMapTest.MyRoleProvider"
             applicationName="SiteMapTest"/>
      </providers>
    </roleManager>

 
The code of MySiteMapProvider looks like this:

01     Public Overloads Overrides Function FindSiteMapNode(ByVal rawUrl As String) As System.Web.SiteMapNode
02         Return buildNode(rawUrl)
03     End Function
04
05
06     Public Overrides Function GetChildNodes(ByVal node As System.Web.SiteMapNode) As System.Web.SiteMapNodeCollection
07         Dim colSmn As New SiteMapNodeCollection
08         Dim newNode As SiteMapNode
09         If node.Key = "Home" Then
10            colSmn.Add(buildNode("Content1"))
11
12            colSmn.Add(buildNode("Content2"))
13
14            colSmn.Add(buildNode("ContentX"))
15        End If
16        Return colSmn
17    End Function
18
19
20    Public Overrides Function GetParentNode(ByVal node As System.Web.SiteMapNode) As System.Web.SiteMapNode
21        If node.Key = "Home" Then
22            Return Nothing
23        Else
24            Return Me.RootNode
25        End If
26    End Function
27
28
29    Protected Overrides Function GetRootNodeCore() As System.Web.SiteMapNode
30        Return buildNode("Home")
31    End Function
32
33
34    Public Overrides Function IsAccessibleToUser(ByVal context As System.Web.HttpContext, ByVal node As System.Web.SiteMapNode) As Boolean
35        If (node Is Nothing) Then
36            Throw New ArgumentNullException("node")
37        End If
38
39        If (context Is Nothing) Then
40            Throw New ArgumentNullException("context")
41        End If
42
43        If (Not Me.SecurityTrimmingEnabled) Then
44            Return True
45        End If
46
47        If ((node.Roles IsNot Nothing) OrElse (node.Roles.Count > 0)) Then
48            For Each role As String In node.Roles
49                If (Not String.Equals(role, "*", StringComparison.InvariantCultureIgnoreCase) _
50                And ((context.User Is Nothing) _
51                Or Not context.User.IsInRole(role))) Then
52                    Continue For
53                End If
54                Return True
55            Next
56            Return False
57        End If
58    End Function
59
60
61    Private Function buildNode(ByVal key As String) As SiteMapNode
62        Dim smnNew As SiteMapNode = Nothing
63        Dim roles As IList
64
65        If key.Contains("Home") Then
66            smnNew = New SiteMapNode(Me, "Home", "Home.aspx", "Home Title", "Home Desc")
67            roles = New List(Of String)
68            roles.Add("*")
69            smnNew.Roles = roles
70        ElseIf key.Contains("Content1") Then
71            smnNew = New SiteMapNode(Me, "Content1", "Content1.aspx", "Content1 Title", "Content1 Desc")
72            roles = New List(Of String)
73            roles.Add("RoleOk1")
74            roles.Add("RoleOk2")
75            smnNew.Roles = roles
76        ElseIf key.Contains("Content2") Then
77            smnNew = New SiteMapNode(Me, "Content2", "Content2.aspx", "Content2 Title", "Content2 Desc")
78            roles = New List(Of String)
79            roles.Add("RoleOk1")
80            roles.Add("RoleOk2")
81            smnNew.Roles = roles
82        ElseIf key.Contains("ContentX") Then
83            smnNew = New SiteMapNode(Me, "ContentX", "ContentX.aspx", "ContentX Title", "ContentX Desc")
84            roles = New List(Of String)
85            roles.Add("RoleX")
86            smnNew.Roles = roles
87        End If
88
89        Return smnNew
90    End Function

The user is not a member of "RoleX" so the "ContentX" node should not appear, no?! - If I debugg it for my user and node "ContentX" it runs to line 56 and returns false.
So where's my mistake?


 

Have you got the autorization set correctly in web.config? The roles attribute on site map nodes doesn't restrict visibility of the node; this is done within the <authorization> section.