asp.net 2.0 menu control shows restricted item

Discussion in 'ASP .Net Security' started by sparkyborder-softwareengineerorg@yahoo.com, May 10, 2006.

  1. Guest

    I've set up the app to disallow the user from clicking to or seeing the
    admin functions.

    The forced-login works on the click-to-the-restricted-pages, but I can
    still see the menu items even when not in the appropriate group.

    I have an Administrators role.

    web.config restricts both the admin directory and the particular file
    in it (redundancy for testing):

    <location path="~/admin">
      <system.web>
        <authorization>
          <allow roles="Administrators" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="~/admin/shelters_edit.aspx">
      <system.web>
        <authorization>
          <allow roles="Administrators" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    The role manager is enabled and forms auth is true:
    <roleManager enabled="true"/>
    <authentication mode="Forms" />

    The sitemap provider is enabled:
    <siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">

    securityTrimmingEnabled is true:

      <providers>
        <remove name="AspNetXmlSiteMapProvider" />
        <add name="AspNetXmlSiteMapProvider"
             description="SiteMap provider which reads in .sitemap XML files."
             type="System.Web.XmlSiteMapProvider"
             securityTrimmingEnabled="true" siteMapFile="Web.sitemap" />
      </providers>
    </siteMap>

    ... and yet, even when the user is not logged in to the Administrators
    group, the Edit Shelters menu item is visible:

    <siteMapNode url="~/login.aspx" title="Login" description="Login"
                 roles="*">
      <siteMapNode url="~/admin/shelters_edit.aspx"
                   title="Edit Shelters"
                   description="Edit Shelters/Rescues" roles="Administrators" />
    </siteMapNode>
    May 10, 2006
    #1

  2. hi,

    don't use the ~/ syntax in location elements...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I've setup the app to disallow the user from clicking to or seeing the
    > admin functions.
    >
    > The forced-login works on the click-to-the-restricted-pages, but I can
    > still see the menu items even when not in the appropriate group.
    >
    > I have an Administrators role.
    >
    > web.config restricts both the admin directory and the particular file
    > in it (redundancy for testing)
    >
    > <location path="~/admin">
    > <system.web>
    > <authorization>
    > <allow roles="Administrators" />
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > </location>
    > <location path="~/admin/shelters_edit.aspx">
    > <system.web>
    > <authorization>
    > <allow roles="Administrators" />
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    > The role manager is enabled and forms auth is true:
    > <roleManager enabled="true"/>
    > <authentication mode="Forms" />
    > The sitemap provider is enabled
    > <siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">
    > securityTrimmingEnabled is true
    >
    > <providers>
    > <remove name="AspNetXmlSiteMapProvider"/>
    > <add name="AspNetXmlSiteMapProvider"
    > description="SiteMap provider which reads in .sitemap XML files."
    > type="System.Web.XmlSiteMapProvider"
    > securityTrimmingEnabled="true" siteMapFile="Web.sitemap"/>
    > </providers>
    > </siteMap>
    > ... and yet, even when the user is not logged in to the Administrators
    > group the Edit Shelters menu item is visible:
    > <siteMapNode url="~/login.aspx" title="Login" description="Login"
    > roles="*" >
    > <siteMapNode url="~/admin/shelters_edit.aspx"
    > title="Edit Shelters"
    > description="Edit Shelters/Rescues" roles="Administrators" />
    > </siteMapNode>
    >
    Dominick Baier [DevelopMentor], May 10, 2006
    #2
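    The fragments below are an added illustration of the reply's advice, not configuration from the original poster's project or from the reply. They assume the layout described in the thread (an `admin` folder under the application root containing `shelters_edit.aspx`, an `Administrators` role, and the default `XmlSiteMapProvider` with `securityTrimmingEnabled="true"`); the `Home` node and its `default.aspx` URL are assumed for the sitemap to have a single root.

```xml
<!-- web.config in the application root (added example, not the poster's file) -->
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <roleManager enabled="true" />
    <siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">
      <providers>
        <remove name="AspNetXmlSiteMapProvider" />
        <add name="AspNetXmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- location paths are relative to the directory holding this web.config:
       "admin", not "~/admin". Rules are evaluated top to bottom, first match
       wins, so the allow for the role must precede the catch-all deny. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- Web.sitemap (added example; the Home node is an assumption) -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/default.aspx" title="Home" description="Home">
    <siteMapNode url="~/login.aspx" title="Login" description="Login" />
    <!-- No roles attribute: with security trimming on, the provider falls
         through to URL authorization for the node's url, so the item is
         hidden from anyone the <location> rule above denies. -->
    <siteMapNode url="~/admin/shelters_edit.aspx"
                 title="Edit Shelters"
                 description="Edit Shelters/Rescues" />
  </siteMapNode>
</siteMap>
```

    With trimming enabled, a node is shown when the user is in a role listed in its `roles` attribute or, failing that, when URL authorization permits the node's `url`. A `roles="*"` attribute makes a node visible to everyone regardless of the `<authorization>` rules, so it is safer to omit `roles` on protected nodes and let the `<location>` rule decide. Either way, the `roles` attribute only affects what the menu renders; the `<authorization>` element is the control that actually blocks the request, which is why a misspelled or `~/`-prefixed `location` path must be fixed first.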

  3. Guest

    Not sure why that's suggested.

    The menu lives in the controls directory. When the web.sitemap binds to
    it without the ~/ the system attempts to find everything with controls/
    as root.

    Removing the tilde slash had no effect on the protected menu
    visibility.
    May 13, 2006
    #3
  4. If you try to access a protected subdirectory, does the authorization element
    work?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Not sure why that's suggested.
    >
    > The menu lives in the controls directory. When the web.sitemap binds
    > to it without the ~/ the system attempts to find everything with
    > controls/ as root.
    >
    > Removing the tilde slash had no effect on the protected menu
    > visibility.
    >
    Dominick Baier [DevelopMentor], May 13, 2006
    #4