Blog coding and discussion of coding about JavaScript, PHP, CGI, general web building etc.

Friday, January 29, 2016

Using roles in ASP.NET

In an ASP.NET web application I have restricted users' actions depending on their roles, as follows.

I have created three tables in the database.

Tables

Table: Users

    UserID  Username  Password
    1       Bob       password1
    2       Scott     password2
    3       Jisun     password3
    4       Sam       password4
    5       John      password5

Table: Groups

    GroupID  Name
    1        Administrators
    2        Clerk
    3        Manager
    4        Cashier

Table: Roles

    UserID  GroupID
    1       1
    2       2
    2       3
    3       4
    4       3
    4       4

In the Global.asax file I have written the following:

    ' Namespaces needed: System.Data, System.Data.SqlClient, System.Security.Principal
    Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        If Request.IsAuthenticated Then
            ' Determine this user's roles
            ' (connectionString stands for the connection string, a placeholder in the original post)
            Dim roleList As New ArrayList
            Dim reader As SqlDataReader = _
                SqlHelper.ExecuteReader(connectionString, _
                CommandType.StoredProcedure, "rolesForUser", _
                New SqlParameter("@Username", User.Identity.Name))
            Try
                ' Create a list of role names
                Do While reader.Read()
                    roleList.Add(reader("Name").ToString())
                Loop
            Finally
                ' Release the reader even if reading fails
                reader.Close()
            End Try

            ' Convert the roleList ArrayList to a String array
            Dim roleListArray As String() = _
                DirectCast(roleList.ToArray(GetType(String)), String())

            ' Add the roles to the User Principal
            HttpContext.Current.User = _
                New GenericPrincipal(User.Identity, roleListArray)
        End If
    End Sub

And in the ASP.NET code-behind file, the following code:

    If User.IsInRole("Administrator") Then
        ' Display sensitive material
    ElseIf User.IsInRole("Clerk") Then
        ' Display moderately sensitive material
    Else
        ' Display only bland material
    End If

As of now it is working fine. Now a new requirement has arisen: to allow the clerk to access some (but not all) of the functionality performed by the administrator.

Do I need to change my source code to provide the above new requirement?

Do I need to do the same again and again when such a requirement arises in future?

Or is there any other, better way I can do this? Please suggest.

Answer by Robin Day for Using roles in ASP.NET


The code you should change is your ASP.NET code-behind files.

This should be used to show "Clerks" the additional information they need.

You should not elevate the privileges of a Clerk to that of an Administrator, just give the Clerks the rights they should have.

Answer by alex for Using roles in ASP.NET


As Robin Day has stated, what you'll be changing isn't the roles paradigm you've implemented, but rather the specific functionality a "clerk" has access to. These changes will take place wherever (code-behind, inline code, classes, etc.) you're defining, etc. the actions a clerk is performing.

My next question isn't related to the clerk functionality per se, but have you looked at ASP.NET Membership (and the SqlRoleProvider) and its implementation of roles?

Answer by Sebastian P.R. Gingter for Using roles in ASP.NET


I strongly suggest you take yourself a day's time to investigate the functionality of custom ASP.NET Membership and Roles provider. There are so many tasks that are done 'under the hood' when Membership is used correctly. You can secure whole pages, single navigation nodes (using SiteMapProvider) or even single controls with a one-liner.

Answer by Bermo for Using roles in ASP.NET


You need to decouple your role membership (you have called them groups) from the application code, and move to a permission-based authentication model. This will allow you to change the permissions for each group as future requirements change as you have suggested.

If you want to implement this using your current data model, you will need to create a new permissions table which is related to your groups via a many-to-many table. You should only ever check permissions rather than group membership in your application code. You can simply modify which groups have which permissions via the many-to-many table direct, or put a simple admin interface over the top.

Answer by XIII for Using roles in ASP.NET


ASP.NET has since version 2.0 a great part of standard out of the box functionality which allows you to use Membership and Roles. There are some great resources on how to use the standard functionality: ASP.NET security tutorials.

If you should already have a legacy database then it's quite easy to create a custom provider and plug that in. For example a custom membership provider.

If you're concerned with having multiple databases you can check out this article: Create Membership tables in another database than the standard aspnetdb.mdf.

Answer by PHeiberg for Using roles in ASP.NET


In addition to using an existing implementation of the plumbing code, such as the Membership Provider it might be wise to add an extra level of abstraction in order to make the solution less fragile. If the authorization is widespread it might be wise to map the roles to functionalities and in your code check if any of the user's roles has access to a certain functionality.

    If Authorizer.UserHasAccessToFunctionality(user, "Sensitive") Then
        ' Display sensitive material
    ElseIf ...

The authorization logic in pseudo code:

    Public Shared Function UserHasAccessToFunctionality(user As IPrincipal, _
        functionality As String) As Boolean
        ' user.Roles stands for the user's role names (pseudocode; IPrincipal itself only exposes IsInRole)
        functionalities = AuthorizationRepository.GetFunctionalityForRoles(user.Roles)
        Return functionalities.Contains(functionality)
    End Function

The AuthorizationRepository would be loading the functionalities that an array of roles have access to.

In the database you would map the functionalities to the roles that have access to them

Table: Functionalities

    ID  Name
    1   Sensitive
    2   Protected
    3   Public

Table: RoleFunctionalities

    Role  Functionality
    1     1
    1     2
    2     2
    3     3
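
The role-to-functionality check that Bermo's and PHeiberg's answers describe, as an added VB.NET example that is not code from any of the answers. The in-memory map is a constructed stand-in for the mapping tables, pairing PHeiberg's functionality names with the question's group names (an assumption), and `GetRolesForFunctionality` and `Grant` are hypothetical helpers.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

' Constructed stand-in for the role/functionality mapping tables (not thread-safe; a real repository reads the database).
Public Class AuthorizationRepository
    Private Shared ReadOnly Map As New Dictionary(Of String, HashSet(Of String))(StringComparer.OrdinalIgnoreCase) From {
        {"Administrators", New HashSet(Of String) From {"Sensitive", "Protected"}},
        {"Clerk", New HashSet(Of String) From {"Protected"}},
        {"Manager", New HashSet(Of String) From {"Public"}}
    }

    ' Roles that have been granted the named functionality (empty list if none).
    Public Shared Function GetRolesForFunctionality(functionality As String) As List(Of String)
        Dim roles As New List(Of String)
        For Each entry As KeyValuePair(Of String, HashSet(Of String)) In Map
            If entry.Value.Contains(functionality) Then roles.Add(entry.Key)
        Next
        Return roles
    End Function

    ' Data-only change: the equivalent of inserting one row in the mapping table.
    Public Shared Sub Grant(role As String, functionality As String)
        If Not Map.ContainsKey(role) Then
            Map(role) = New HashSet(Of String)
        End If
        Map(role).Add(functionality)
    End Sub
End Class

Public Class Authorizer
    ' Deny by default: unauthenticated users and unmapped functionalities get False.
    Public Shared Function UserHasAccessToFunctionality(user As IPrincipal, functionality As String) As Boolean
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return False
        For Each role As String In AuthorizationRepository.GetRolesForFunctionality(functionality)
            If user.IsInRole(role) Then Return True
        Next
        Return False
    End Function
End Class

Module Demo
    Sub Main()
        ' Scott holds the Clerk and Manager groups in the question's Roles table.
        Dim scott As New GenericPrincipal(New GenericIdentity("Scott"), {"Clerk", "Manager"})
        Console.WriteLine(Authorizer.UserHasAccessToFunctionality(scott, "Sensitive")) ' before the grant
        AuthorizationRepository.Grant("Clerk", "Sensitive")
        Console.WriteLine(Authorizer.UserHasAccessToFunctionality(scott, "Sensitive")) ' after the grant
    End Sub
End Module
```

Granting Clerk the Sensitive functionality is a data change only; the `UserHasAccessToFunctionality` call sites stay as they are.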

