How to determine authorized roles for a page?

  • Thread starter Thread starter MyndPhlyp
  • Start date Start date
M

MyndPhlyp

I've been combing through Google trying to find the answer but not luck.

I'm using Forms authentication. Determining what Roles the current user is
in was the easy part (User.IsInRole). But how does one determine what Roles
are permitted to use a particular ASPX page? (.NET 2.0, VS05)
 
Alexey Smirnov said:
I've asked the same question some time ago
http://groups.google.com/group/micr...aspnet/browse_thread/thread/35b6bd15d86528b2/
Click to expand...

We appear to be on a parallel path. (thanks for the corrective posting in
the other NG.) I noticed WebConfigurationManager before prowling through
Google and the NGs. I too am understandably resistant to that approach.
Seems as though the desired method should be available. After all, what
method does .NET call to determine a user's ability, or lack thereof, to
access a page?
 
As Alexey was implying in the post in the link that was included, parsing
the web.sitemap might be a way to do that. If you include the roles tag for
you pages, you can determine the roles that are allowed for a giving page.
It's a pain but it's a way to do it. You can use the HTTPConext to get at
the current user.

HTH
S
 
As Alexey was implying in the post in the link that was included, parsing
the web.sitemap might be a way to do that. If you include the roles tag for
you pages, you can determine the roles that are allowed for a giving page.
It's a pain but it's a way to do it. You can use the HTTPConext to get at
the current user.
Click to expand...

using System.Web.Configuration;

Configuration config =
WebConfigurationManager.OpenWebConfiguration(url);
AuthorizationSection configSection =
(AuthorizationSection)config.GetSection("system.web/authorization");
AuthorizationRuleCollection rules = configSection.Rules;

CommaDelimitedStringCollection allowed = new
CommaDelimitedStringCollection();
CommaDelimitedStringCollection denied = new
CommaDelimitedStringCollection();

for (int i = 0; i < rules.Count; i++)
{
if (rules.Roles.Count > 0)
{
if (rules.Action.ToString() == "Allow")
allowed.AddRange(rules.Roles.ToString().Split(','));
else if (rules.Action.ToString() == "Deny")
denied.AddRange(rules.Roles.ToString().Split(','));
}
}

Response.Write("Allowed Roles: " + allowed.ToString());
Response.Write("<br />");
Response.Write("Denied Roles: " + denied.ToString());

Note, the url value can be a path to a directory, like "/admin", or a
path to the file, like "/admin/default.aspx". To find if roleName
"IsInRoles", simply use the Contains() method, e.g.
allowed.Contains("roleName").

Enjoy.
 
Nice.

S

Alexey Smirnov said:
As Alexey was implying in the post in the link that was included, parsing
the web.sitemap might be a way to do that. If you include the roles tag
for
you pages, you can determine the roles that are allowed for a giving
page.
It's a pain but it's a way to do it. You can use the HTTPConext to get at
the current user.
Click to expand...

using System.Web.Configuration;

Configuration config =
WebConfigurationManager.OpenWebConfiguration(url);
AuthorizationSection configSection =
(AuthorizationSection)config.GetSection("system.web/authorization");
AuthorizationRuleCollection rules = configSection.Rules;

CommaDelimitedStringCollection allowed = new
CommaDelimitedStringCollection();
CommaDelimitedStringCollection denied = new
CommaDelimitedStringCollection();

for (int i = 0; i < rules.Count; i++)
{
if (rules.Roles.Count > 0)
{
if (rules.Action.ToString() == "Allow")
allowed.AddRange(rules.Roles.ToString().Split(','));
else if (rules.Action.ToString() == "Deny")
denied.AddRange(rules.Roles.ToString().Split(','));
}
}

Response.Write("Allowed Roles: " + allowed.ToString());
Response.Write("<br />");
Response.Write("Denied Roles: " + denied.ToString());

Note, the url value can be a path to a directory, like "/admin", or a
path to the file, like "/admin/default.aspx". To find if roleName
"IsInRoles", simply use the Contains() method, e.g.
allowed.Contains("roleName").

Enjoy.
Click to expand...
 
Alexey Smirnov said:
using System.Web.Configuration;

Configuration config =
WebConfigurationManager.OpenWebConfiguration(url);
AuthorizationSection configSection =
(AuthorizationSection)config.GetSection("system.web/authorization");
AuthorizationRuleCollection rules = configSection.Rules;

CommaDelimitedStringCollection allowed = new
CommaDelimitedStringCollection();
CommaDelimitedStringCollection denied = new
CommaDelimitedStringCollection();

for (int i = 0; i < rules.Count; i++)
{
if (rules.Roles.Count > 0)
{
if (rules.Action.ToString() == "Allow")
allowed.AddRange(rules.Roles.ToString().Split(','));
else if (rules.Action.ToString() == "Deny")
denied.AddRange(rules.Roles.ToString().Split(','));
}
}

Response.Write("Allowed Roles: " + allowed.ToString());
Response.Write("<br />");
Response.Write("Denied Roles: " + denied.ToString());

Note, the url value can be a path to a directory, like "/admin", or a
path to the file, like "/admin/default.aspx". To find if roleName
"IsInRoles", simply use the Contains() method, e.g.
allowed.Contains("roleName").
Click to expand...


Thanks. Maybe some day, roughly around the same time pigs fly and hell
freezes over, M$ will get around to exposing the method and save us the
trouble (and overhead) of parsing out the web.config.

Who would ever have thought anybody would want to send an authenticated user
back to their previous page, rather than a "not allowed" or login page, if
the user is unauthorized to use the requested page?
 
Who would ever have thought anybody would want to send an authenticated user
back to their previous page, rather than a "not allowed" or login page, if
the user is unauthorized to use the requested page?- Hide quoted text -
Click to expand...

It has to be checked on the page

if (!User.IsInRole("Manager") {
Response.Redirect("/");
}
 
Back
Top