ASP.NET Dynamic Data

Re: Secure Dynamic Data Site

sjnaughton — Wed, 15 Jul 2009 18:11:36 GMT

At first I tried populating the session variable in the Login page but then the Session was empty so I decided to get them in the page that I get reirected to I think you need to force the session to be populated on a new page otherwise session will be empty.

Re: Secure Dynamic Data Site

zzdfc — Wed, 15 Jul 2009 14:55:18 GMT

Hi sjnaughton:

I hope get your sample of session,thank you very much!

I use session to save user's permissions 、roles and infomation because user's permissions 、roles and infomation is from database, not is from attributes and metadata.

I don't know if it have else method to save data in entire session lifecycle.

In my program, I get session populated in first page,but session is null when it turn to list.aspx、detail.aspx、edit.aspx，I have tested many times.

Thanks!

Re: Secure Dynamic Data Site

sjnaughton — Wed, 15 Jul 2009 10:26:28 GMT

Hi Zzdfc, I've just tested it on my sample and I get Session populated, I think it may be when you are setting the session, but why are you using Session anyway?

If you e-mail me I can give you my sample working.

Re: Secure Dynamic Data Site

sjnaughton — Tue, 14 Jul 2009 16:39:55 GMT

OK I get what you mean now I'll have a look into it and see if anything can be done.

Re: Secure Dynamic Data Site

zzdfc — Tue, 14 Jul 2009 15:58:40 GMT

public class SecurityDynamicDataRouteHandler : DynamicDataRouteHandler
    {
        public override IHttpHandler CreateHandler(DynamicDataRoute route, MetaTable table, string action)
        {

            HttpContext httpContext = HttpContext.Current;
            string userName= httpContext.Session["UserName"].ToString();
            string userID= httpContext.Session["UserID"].ToString();
            string isAdmin= httpContext.Session["IsAdmin"].ToString();
            if(isAdmin==true)
           {
                   .........
            }
            else
           {
             .........
            }

return null;

}
}

but data of httpContext.Session alaways is null,how to do?

thanks.

Re: Secure Dynamic Data Site

sjnaughton — Tue, 14 Jul 2009 13:56:11 GMT

Hi Zzdfc, I'm not sure I understand what you are trying to do, could you explain in a little more detail and I will try to create a sample that demostraits it.

Re: Secure Dynamic Data Site

zzdfc — Tue, 14 Jul 2009 13:41:24 GMT

Hi sjnaughton:

I have read your article "Securing Dynamic Data Preview 4 Refresh – Part 1",but it don't demo how to transport session data to CustomDynamicDataRouteHandler? I need transport custom logined user infomation to CustomDynamicDataRouteHandler,example:

Roles 、Permissions and orgnization of the logined user.

Re: Secure Dynamic Data Site

sjnaughton — Sun, 12 Jul 2009 15:16:10 GMT

Hi Zzdfc, I'm working on a simplified sample based on Veloces work, I should have part 1 ready early this week.

Re: Secure Dynamic Data Site

zzdfc — Sun, 12 Jul 2009 14:32:25 GMT

The example of a Secure Dynamic Data Site Use CustomDynamicDataRouteHandler to achieve security,but how to transport data of session to CustomDynamicDataRouteHandler? I need transport custom logined user infomation to CustomDynamicDataRouteHandler.

Thanks.

Re: Secure Dynamic Data Site

sjnaughton — Sat, 11 Jul 2009 09:02:07 GMT

Hi Mdausmann, in this sample from Veloce, you have to be admin to get delete facility you will need to look at the test on each page e.g. List page:

// Enable delete button only to allowed users.
private void SetDelete(TableRow row)
{
    // Instantiate the SecurityInformation 
    // utility object.
    DynamicDataSecurity secInfo =
      new DynamicDataSecurity();

    foreach (Control c in row.Cells[0].Controls)
    {
        // Deny delete capability to users that are 
        // not administrators
        if (!secInfo.IsUserInAdmimistrativeRole() &&
          secInfo.IsUserInAuthenticatedRole())
        {
            // Do not allow delete.
            LinkButton btn = c as LinkButton;
            if (btn != null &&
                btn.CommandName ==
                DataControlCommands.DeleteCommandName)
            {
                btn.Visible = false;
                btn.OnClientClick = null;
                btn.Enabled = false;
            }
        }
    }
}

if you note the statement:

if (!secInfo.IsUserInAdmimistrativeRole() &&
          secInfo.IsUserInAuthenticatedRole())

you will need to change the !secInfo.IsUserInAdmimistrativeRole() to some other test the will test that will check for a role with delete.

Hope that makes sense

Re: Secure Dynamic Data Site

sjnaughton — Sat, 11 Jul 2009 08:43:59 GMT

Hi Mdausmann, I'll have a look at my sample and get back you.

Re: Secure Dynamic Data Site

mdausmann — Sat, 11 Jul 2009 02:38:49 GMT

Thanks heaps for sample, I have implemented on my site and it works ok. I had a couple of questions.

Delete is only available for the role tagged as 'administrator' How would I go about allowing other user roles to have delete access on certain tables? I tried adding the 'Delete' action in attributes but it didn't work.

[Security(Role = "Anonymous", Action = "AnonymousList")]
[Security(Role = "Developer", Action = "List")]
[Security(Role = "Developer", Action = "Details")]
[Security(Role = "Rule Author", Action = "List")]
[Security(Role = "Rule Author", Action = "Details")]
[Security(Role = "Rule Author", Action = "Edit")]
[Security(Role = "Rule Author", Action = "Delete")]
public partial class BehaviourDocument
{

}

Michael

Re: Secure Dynamic Data Site

sjnaughton — Sat, 08 Nov 2008 18:04:08 GMT

Yes I understand the principals have a look at this post Dynamic Data - Default FieldGenerator which I think could be the way forward for Field Security.

Re: Secure Dynamic Data Site

veloce — Fri, 07 Nov 2008 20:07:21 GMT

Steve, I want to thank you for your remarks. Please, feel free to modify my example and let us know what you can come up with.

Remember that the two basic design principles I adopted are as follows:

1. Use ASP.NET Forms Authentication to discriminate the user's roles.

Everything you do in terms of authentication such as modify permissions, if I understand you correctly, must be integrated I believe with ASP.NET authentication mechanism.

2. Use ASP.NET Dynamic Data to authorize authenticated users to perform tasks at lower level, tasks only understood by Dynamic Data. Probably the centralization of field security should be done at this level. May be you can expand on this: I'm still looking into a way of centralizing the Field Security.

Thanks,

Michael (aka veloce)

Re: Secure Dynamic Data Site

sjnaughton — Fri, 07 Nov 2008 11:33:58 GMT

Hi Veloce, I like your solution although it doesn't have the granularity that some may want, do you mind if I adapt it into my solution here:

Part 1 - Create the database tables.
Part 2 - Add a User Interface to modify the permissions.

Part 3 - User Marcin's InMemoryMetadataProvider to add the database based permissions to the Metadata at runtime.
Part 4 - Add components from A DynamicData Attribute Based Permission Solution using User Roles to consume the database based metadata.
Part 5 - Oops! Table Names with Spaces in them and Pluralization.

Which in turn extends the earlier articles here:

Introduction - A DynamicData Attribute Based Permission Solution using User Roles.

Part 1 - Permissions Attribute (Metadata) Classes.

Part 2 - Sample Metadata for project.

Part 3 - The Helper Extension Methods.

Part 4 - Limit Tables shown on Default page and List, Edit & Details etc.

Part 5 - Generate Columns/Rows (using IAutoFieldGenerator)

Part 6 - Miscellaneous bits

Part 7 - Updating the ListDetails Page

DynamicData - Limit the Filter Fields

DynamicData - Automatic Column Update

I think I could adapt it to do the table part, but I'm still looking into a way of centralising the Field Security.