Secure Dynamic Data Site

16 replies

Last post Feb 15, 2013 03:41 AM by mr41971

  • veloce

    Microsoft

    Re: Secure Dynamic Data Site

    Nov 07, 2008 07:07 PM

    Steve, I want to thank you for your remarks. Please, feel free to modify my example and let us know what you can come up with.

    Remember that the two basic design principles I adopted are as follows:

    1. Use ASP.NET Forms Authentication to discriminate the user's roles.

    Everything you do in terms of authentication, such as modifying permissions, if I understand you correctly, must be integrated, I believe, with the ASP.NET authentication mechanism.

    2. Use ASP.NET Dynamic Data to authorize authenticated users to perform tasks at a lower level, tasks only understood by Dynamic Data. Probably the centralization of field security should be done at this level. Maybe you can expand on this: I'm still looking into a way of centralizing the Field Security.

    Thanks,

    Michael (aka veloce)

     

    This posting is provided "AS IS" with no warranties, and confers no rights.


    I blog at: Technical Notes

  • sjnaughton

    MVP

    Re: Secure Dynamic Data Site

    Nov 08, 2008 05:04 PM

    Yes, I understand the principles. Have a look at this post, Dynamic Data - Default FieldGenerator, which I think could be the way forward for Field Security.

    [:D]


    See my blog C# Bits | Twitter @sjnaughton
    Always seeking an elegant solution.
  • mdausmann

    Re: Secure Dynamic Data Site

    Jul 11, 2009 02:38 AM

    Hi

    Thanks heaps for the sample; I have implemented it on my site and it works OK. I had a couple of questions.

    Delete is only available for the role tagged as 'administrator'. How would I go about allowing other user roles to have delete access on certain tables? I tried adding the 'Delete' action in attributes but it didn't work.

    [Security(Role = "Anonymous", Action = "AnonymousList")]
    [Security(Role = "Developer", Action = "List")]
    [Security(Role = "Developer", Action = "Details")]
    [Security(Role = "Rule Author", Action = "List")]
    [Security(Role = "Rule Author", Action = "Details")]
    [Security(Role = "Rule Author", Action = "Edit")]
    [Security(Role = "Rule Author", Action = "Delete")]
    public partial class BehaviourDocument
    {

    }

    Michael

  • sjnaughton

    MVP

    Re: Secure Dynamic Data Site

    Jul 11, 2009 08:43 AM

    Hi Mdausmann, I'll have a look at my sample and get back to you.


    See my blog C# Bits | Twitter @sjnaughton
    Always seeking an elegant solution.
  • sjnaughton

    MVP

    Re: Secure Dynamic Data Site

    Jul 11, 2009 09:02 AM

    Hi Mdausmann, in this sample from Veloce you have to be admin to get the delete facility. You will need to look at the test on each page, e.g. the List page:

    // Enable delete button only to allowed users.
    private void SetDelete(TableRow row)
    {
        // Instantiate the SecurityInformation
        // utility object.
        DynamicDataSecurity secInfo =
          new DynamicDataSecurity();
    
    
        foreach (Control c in row.Cells[0].Controls)
        {
            // Deny delete capability to users that are
            // not administrators
            if (!secInfo.IsUserInAdmimistrativeRole() &&
              secInfo.IsUserInAuthenticatedRole())
            {
                // Do not allow delete.
                LinkButton btn = c as LinkButton;
                if (btn != null &&
                    btn.CommandName ==
                    DataControlCommands.DeleteCommandName)
                {
                    btn.Visible = false;
                    btn.OnClientClick = null;
                    btn.Enabled = false;
                }
            }
        }
    }

    If you note the statement:

    if (!secInfo.IsUserInAdmimistrativeRole() &&
              secInfo.IsUserInAuthenticatedRole())
    


    You will need to change the !secInfo.IsUserInAdmimistrativeRole() to some other test that will check for a role with delete.

    Hope that makes sense [:D]


    See my blog C# Bits | Twitter @sjnaughton
    Always seeking an elegant solution.
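
One way to write the "role with delete" test suggested in the reply above, driven by the `[Security]` attributes from the earlier post. This is an added example, not code from the thread or from the sample project: the `SecurityAttribute` definition, `TablePermissions.IsAllowed` and the `isInRole` delegate are assumptions, and only the `Role` and `Action` property names and the `BehaviourDocument` class come from the page.

```csharp
using System;
using System.Linq;

// Hypothetical stand-in for the sample's attribute; only the Role and Action
// named properties are taken from the thread.
[AttributeUsage(AttributeTargets.Class, AllowMultiple = true)]
public sealed class SecurityAttribute : Attribute
{
    public string Role { get; set; }
    public string Action { get; set; }
}

[Security(Role = "Developer", Action = "List")]
[Security(Role = "Rule Author", Action = "Edit")]
[Security(Role = "Rule Author", Action = "Delete")]
public partial class BehaviourDocument { }

public static class TablePermissions
{
    // True when any role the current user holds is granted `action` on the
    // entity type. isInRole wraps the role check (for example IPrincipal.IsInRole).
    // A type with no matching [Security] attribute grants nothing (default deny).
    public static bool IsAllowed(Type entity, string action, Func<string, bool> isInRole)
    {
        return entity
            .GetCustomAttributes(typeof(SecurityAttribute), false)
            .Cast<SecurityAttribute>()
            .Any(a => string.Equals(a.Action, action, StringComparison.OrdinalIgnoreCase)
                      && isInRole(a.Role));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed users: each lambda stands in for the real role lookup.
        Func<string, bool> ruleAuthor = r => r == "Rule Author";
        Func<string, bool> developer = r => r == "Developer";

        Console.WriteLine(TablePermissions.IsAllowed(typeof(BehaviourDocument), "Delete", ruleAuthor));
        Console.WriteLine(TablePermissions.IsAllowed(typeof(BehaviourDocument), "Delete", developer));
        // No [Security] attributes on this type, so nothing is granted.
        Console.WriteLine(TablePermissions.IsAllowed(typeof(string), "Delete", ruleAuthor));
    }
}
```

Hiding the delete `LinkButton` only changes what the page renders, so the same `IsAllowed` check belongs in the server-side code that processes the delete command as well as in `SetDelete`.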
  • zzdfc

    Re: Secure Dynamic Data Site

    Jul 12, 2009 02:32 PM

    The example of a Secure Dynamic Data Site uses CustomDynamicDataRouteHandler to achieve security, but how do I transport session data to CustomDynamicDataRouteHandler? I need to transport custom logged-in user information to CustomDynamicDataRouteHandler.

    Thanks.

  • sjnaughton

    MVP

    Re: Secure Dynamic Data Site

    Jul 12, 2009 03:16 PM

    Hi Zzdfc, I'm working on a simplified sample based on Veloce's work; I should have part 1 ready early this week.


    See my blog C# Bits | Twitter @sjnaughton
    Always seeking an elegant solution.
  • zzdfc

    Re: Secure Dynamic Data Site

    Jul 14, 2009 01:41 PM

    Hi sjnaughton:

    I have read your article "Securing Dynamic Data Preview 4 Refresh – Part 1", but it doesn't demonstrate how to transport session data to CustomDynamicDataRouteHandler. I need to transport custom logged-in user information to CustomDynamicDataRouteHandler, for example the roles, permissions and organization of the logged-in user.
