Last post Feb 29, 2012 10:26 AM by ckonig
Feb 22, 2012 02:52 PM|LINK
I'm building a website that needs to restrict access to functionalities/pages depending on the user/role.
I'm building upon asp.net membership schema with users/roles.
My problem is that I want to have a web page where the admin configures access to the various functionalities where he has a list of functionalities with checkboxes for each one and selects what that particular user can access.
If I do this with roles how can I define access in run time to the several pages/folders (I know that we can do this with the web.config).
If someone has a better idea on how to implement this please let me know.
Feb 22, 2012 05:18 PM|LINK
If you're using the built-in functionality, check this out:
Feb 22, 2012 06:18 PM|LINK
If you're using ASP.NET MVC you should have a look at this
Feb 23, 2012 03:47 PM|LINK
I have seen some different ways to control user/role access to webpages.
I have 4/5 functionalities that I want to limit access so I was thinking to divide them into folders and limit access with web.config file and editing the file at run time just like the asp.net configuration does.
This way I have all the flexibility I want. I can assign users/roles to the various functionalities but I've read that every time we change web.config the server restarts the application.
Feb 24, 2012 12:20 PM|LINK
You are correct, any time you modify code in the app_code folder, bin folder or make modifications to the web.config file the application restarts. See my previous post. It works great for using the built in functionality and takes very little to implement.
Feb 27, 2012 05:08 PM|LINK
I'm using the built in functionality, the default membership provider.
I didn't understand, did you suggest that I implement the approach of modifying the web.config file?
If so doesn't the app restart affect user interaction?
Feb 27, 2012 07:22 PM|LINK
There are a few ways of going about implementing folder level security, modifying the web.config is one of them. The other way is to programmatically assign your users to roles and check those roles prior to giving access to those folders/pages. This way stores all the users, roles and user's roles in the database and requires no web.config files in any of the sub folders.
Access is specified within your program. In fact, you could simply set up a method called public bool CheckAccess(string UserName) which would:
You could also store a link between roles and folder access in the database as well. You'd have to create the table and schema as it doesn't exist.
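The role-to-folder check described in the post above, as an added example (not code from the thread or from ASP.NET itself). `FolderAccessPolicy`, `Allow` and the sample rules are hypothetical names and data; the rules stand in for rows of the role/folder table, and the request path is assumed to be already canonicalized by the framework.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class FolderAccessPolicy   // hypothetical name, not an ASP.NET type
{
    // Folder prefix -> roles allowed; in production loaded from the role/folder table.
    private readonly Dictionary<string, HashSet<string>> _rules =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void Allow(string folder, params string[] roles)
    {
        string key = Normalize(folder);
        HashSet<string> allowed;
        if (!_rules.TryGetValue(key, out allowed))
            _rules[key] = allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        allowed.UnionWith(roles);
    }

    // userRoles: e.g. the result of Roles.GetRolesForUser(userName).
    public bool CheckAccess(string requestPath, IEnumerable<string> userRoles)
    {
        string path = Normalize(requestPath);
        // Longest matching folder wins; keys end in "/", so "/reports/" cannot match "/reports-old/".
        string match = _rules.Keys
            .Where(f => path.StartsWith(f, StringComparison.OrdinalIgnoreCase))
            .OrderByDescending(f => f.Length)
            .FirstOrDefault();
        if (match == null) return false;   // no rule covers the path: deny by default
        return userRoles.Any(role => _rules[match].Contains(role));
    }

    private static string Normalize(string p)
    {
        string t = (p ?? "").Trim().Trim('/');
        return t.Length == 0 ? "/" : "/" + t + "/";
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new FolderAccessPolicy();
        policy.Allow("/reports", "Manager", "Admin");   // constructed sample rules
        policy.Allow("/reports/payroll", "Admin");
        var manager = new[] { "Manager" };
        var paths = new[] { "/Reports/sales.aspx", "/reports/payroll/run.aspx",
                            "/reports-old/x.aspx", "/settings/x.aspx" };
        foreach (var p in paths)
            Console.WriteLine(p + " -> " + policy.CheckAccess(p, manager));
    }
}
```

Because the rules live in memory and are filled from the database, an admin page can change them without touching web.config, so no application restart is triggered.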
Feb 28, 2012 08:15 AM|LINK
Yes, b471 has it; that's the best method if possible. Assign a fixed set of roles and authorization for those roles (via folders & web.config files and/or location). Then it's just a matter of adding or removing users from the roles, in which case no web.config changes take place, so no app restarts.
If you really need a more flexible system, then it gets complex. You could store all of the authorization details in, for example, a database, but you'd need to create a custom RoleManager and Authorization provider.
Feb 29, 2012 10:26 AM|LINK
I am currently planning a system with MVC3, and I really don't like the code-based restrictions that Microsoft suggests to use.
I also want to define access in run time. Therefore I use Reflection and store representations of my controllers and methods in the database, which I then associate with the Roles.