Last post Jul 14, 2014 11:02 AM by tmlld
Jul 11, 2014 07:58 PM|tmlld
I have a site that uses Windows Authentication and a sitemap with security trimming enabled and routing. There are top level folders called "Admin", "Reports", and "Program". The Reports folder is restricted to certain roles and the Program folder is open to all users. I want to restrict access to the pages in Admin to certain users. So I added the following to my Web.config:
<allow users="dom\user1, dom\user2, dom\user3" />
<deny users="*" />
If I log in as a user with access to Admin (e.g. adminuser), the link to the Admin page appears in the menu and I can access the page. If I log in as a user without access to Admin, but with a Reports role (e.g. reportsuser), the link to the Admin page does not appear in the menu, and if I type in the URL it prompts for credentials before denying access. So far so good!
The problem is when I log in as a user without Admin access and without a Reports role (e.g. only Program items should be visible in the menu - "programuser"). I get a runtime error: "Object reference not set to an instance of an object." The stack trace looks like this:
at SCL.Site.MainNavigationMenu_PreRender(Object sender, EventArgs e)
at System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Looks like some problem generating the menu. I tried changing the location element from path="Admin" to path="~/Admin". The error for programuser did not occur, but everyone could access the Admin page and it appears in the menu for reportsuser.
I also tried changing the location element from path="Admin" to path="Admin/SiteReport.aspx". No error, but the link to the Admin page appears in the menu for reportsuser, and when reportsuser or programuser tries to access the page the following error occurs: System.Web.HttpException - Exception message: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.
Finally, I changed the name of the Admin folder to "Admin1" and updated the sitemap and routes in Global.asax.cs accordingly. Everything works as expected (Admin menu item is not visible for reportsuser and access to the Admin page is denied for reportsuser
The thing that bugs me is why? Is "Admin" some kind of reserved word or special object name?
Thanks for your help...
Jul 14, 2014 11:02 AM|tmlld
I found a resolution. There was some custom code in MainNavigationMenu_PreRender.
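For reference, the kind of Web.config the first post describes, as an added example that is not part of the original thread: the two authorization rules sit inside a location element for the Admin folder, next to a site map provider with security trimming turned on. The provider name TrimmedSiteMap and the role dom\ReportsRole are placeholders assumed for illustration; the user names are the ones from the post.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- With securityTrimmingEnabled="true" the provider leaves out nodes
         the current user is not authorized for, so a Menu bound to it
         does not contain those items at all. -->
    <siteMap defaultProvider="TrimmedSiteMap" enabled="true">
      <providers>
        <!-- "TrimmedSiteMap" is a placeholder name (assumption). -->
        <add name="TrimmedSiteMap"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Admin: named users only. Rules are evaluated top to bottom and the
       first match wins, so the allow must come before the deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="dom\user1, dom\user2, dom\user3" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Reports: role based. "dom\ReportsRole" is a placeholder (assumption). -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="dom\ReportsRole" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Program: no location entry, so it stays open to every
       authenticated user. -->
</configuration>
```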