"Pattern" or "best practice" in security checks

Discussion in 'ASP .Net' started by Anders K. Jacobsen [DK], Dec 5, 2004.

  1. Hi

    I'm developing an ASP.NET CRUD application where I need to do some
    authorization checks on certain actions. E.g. some accounts have access to
    delete in a certain datagrid and some have not. So I have to be more detailed
    than on page level. Rather component level.

    This ends up, as I see now, in a lot of checks in the different involved
    events. Further, I have to adjust the view so that they actually can't delete in a
    certain datagrid. This is of course not secure enough, so therefore the checks
    in the events.

    This just sounds like a plain nightmare to maintain and develop. Do you
    have a clever suggestion for this issue? I guess it's not the first time this
    has come up.

    To summarize, I want to avoid this:

    // Role check repeated inside the grid's Delete handler:
    private void datagrid_DeleteCommand(object source, DataGridCommandEventArgs e)
    {
        if (User.IsInRole("Admin") || User.IsInRole("Developer"))
        {
            // Row id comes from a Label in the row; delete, then rebind the grid
            long currentid = Int64.Parse(((Label)e.Item.FindControl("lblid")).Text);
            _Service.DeleteItem(currentid);
            Databind_datagrid();
        }
    }

    Thanks in regards
    Anders, Denmark
     
    Anders K. Jacobsen [DK], Dec 5, 2004
    #1

  2. I would create a simple permission manager with an XML or database store.
    You could simply call something like this:

    PermissionManager.HasPermission("Delete", theRowsID);

    and it would return a bool stating whether the current user has the
    permission to delete that current object. I would then take advantage of the
    ItemCreated event of the DataGrid and hide the Delete LinkButton for any
    rows that the current user shouldn't be able to delete. You'll still need
    code in the DeleteCommand like you posted, only you could use a
    PermissionManager setup for easier management.

    Here's an example PermissionManager, although it is developed for the .NET
    2.0 framework:
    http://www.gotdotnet.com/Community/Workspaces/Workspace.aspx?id=762350f9-7d40-44ca-8ec0-4655e1a7682b

    Hope this helps,
    Johann MacDonagh

     
    Johann MacDonagh, Dec 6, 2004
    #2
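Added example, not code from this thread or from the linked workspace, of the approach Johann describes: a hypothetical PermissionManager over a constructed in-memory rule table, the Delete link hidden per row, and the same check enforced again in DeleteCommand because hiding the link is only a convenience. It assumes C# 3 or later, a grid declared with DataKeyField="Id" and a TemplateColumn LinkButton named btnDelete (CommandName="Delete"), and uses ItemDataBound rather than ItemCreated so the row's data item is available when the check runs.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;
// Hypothetical permission manager; the rule table is constructed in memory
// where a real one would be loaded from XML or a database.
public static class PermissionManager
{
    // Key "Action" is the default for an action; "Action:objectId" overrides it per row.
    private static readonly Dictionary<string, string[]> Rules = new Dictionary<string, string[]> {
        { "Delete",    new[] { "Admin", "Developer" } },
        { "Delete:42", new[] { "Admin" } },   // constructed sample: row 42 is admin-only
    };
    // True when the most specific matching rule allows one of the user's roles. No rule = deny.
    public static bool HasPermission(IPrincipal user, string action, long objectId)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        string[] roles;
        if (!Rules.TryGetValue(action + ":" + objectId, out roles) && !Rules.TryGetValue(action, out roles))
            return false;
        foreach (string role in roles)
            if (user.IsInRole(role)) return true;
        return false;
    }
}

public partial class ItemsPage : Page
{
    // Assumed markup: DataGrid "datagrid" with DataKeyField="Id" and a TemplateColumn holding
    // LinkButton ID="btnDelete" CommandName="Delete". _Service/Databind_datagrid are the poster's own.
    // UI convenience only: hide the Delete link on rows this user may not delete.
    protected void datagrid_ItemDataBound(object sender, DataGridItemEventArgs e)
    {
        if (e.Item.ItemType != ListItemType.Item && e.Item.ItemType != ListItemType.AlternatingItem) return;
        long id = Convert.ToInt64(DataBinder.Eval(e.Item.DataItem, "Id"));
        Control btn = e.Item.FindControl("btnDelete");
        if (btn != null) btn.Visible = PermissionManager.HasPermission(User, "Delete", id);
    }
    // The enforcement point: a crafted postback can still raise DeleteCommand for a
    // hidden link, so the same check runs here before anything is deleted.
    protected void datagrid_DeleteCommand(object source, DataGridCommandEventArgs e)
    {
        long id = Convert.ToInt64(datagrid.DataKeys[e.Item.ItemIndex]);
        if (!PermissionManager.HasPermission(User, "Delete", id))
            throw new UnauthorizedAccessException("Delete denied for item " + id);
        _Service.DeleteItem(id);
        Databind_datagrid();
    }
}
```

Keeping the rule lookup behind one HasPermission call means the handlers only say what action they perform, and the role policy changes in one place instead of in every event.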
