Permission check for secured subfolders?

TK

I'm building an ASP.NET application that works in Forms Authentication mode
with a custom user account database. It shows clients a list of hyperlinks to
content pages located in some separate subfolders. This application and its
content pages are entirely secured, so everyone must log on to the
application. The application pages and most of the content pages are
accessible to every authenticated client, but some of the content pages in
some specific subfolders are served to specific users and groups only. I'm
using URL authorization to achieve this. Everything works fine now.

Now what I'm attempting to do is hide/remove hyperlinks to unacceptable
content from the content list page. To do this, I want to test the client's
access rights for every subfolder in the server-side Page_Load() function, so
as to avoid useless operations by the client user. I don't want to show
clients the access forbidden message any more.

How can I do it?
Help me please.

best regards,
TK
 
David Coe, MCAD

It seems like there are a couple options to what you are trying to accomplish. You can either set up the relationships on the database side. IE, user A belongs to group A. Group A has links 1,2,3,4 associated with it. Get the group name associated with the user at login, then get the appropriate links. OR, you could hold a Session variable that checks the user group/link association, and only display the links associated with each group by showing and hiding panels.
 
TK

Thank you David.

I agree with your advice, but it does not seem to be a smart solution because
I have to implement the access control functionality by myself even though we
have the URL authorization mechanism built into ASP.NET. I'm looking for a way
to easily and quickly test the URL authorization settings in each subfolder
for each client/group on the server side.

Any idea?
TK

 
Andy Mortimer [MS]

It's the UrlAuthorizationModule which will be able to build up the groups
and users which can access a particular folder. Unfortunately there isn't
any API presented by it. The only way I can think of at present is to build
up a webrequest and try to hit the various subfolders. However, I've been
trying to implement something along these lines myself, but haven't had any
success as yet.
 
TK

Thank you very much Andy.

You gave me an important fact: that there aren't any APIs that match my
requirement.
I'll consider whether it will be worth the effort to implement it all by myself.

thanks again,
TK
 
Andy Mortimer [MS]

Ok, we seem to have worked it out. Apparently, the word is, you should be
restricting your URLs in your top level web.config using the <location>
element structure.

Then you need to create a Role for each subfolder, FolderA FolderB etc.

Then you use that role in the web.config to allow access. (then you never
touch that part again).

To allow people access to the folder, you then just add them to the
appropriate role.

To then dynamically test for access to folders you use IsInRole. Now
normally that would just check for membership of the role i.e. if UserA is
in FolderB role, so we override the IsInRole and have something like:-

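    public override bool IsInRole(string role)
    {
        switch (role)
        {
            case "FolderA":
                // TestFolderPermissions is a placeholder name for the
                // "test for folder permissions" step described below.
                return TestFolderPermissions("FolderA");
            case "FolderB":
                return TestFolderPermissions("FolderB");
            default:
                // Any other role: normal role-membership check.
                return base.IsInRole(role);
        }
    }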

Now the bit above where it says test for folder permissions, should be
implemented by creating your own section handler using the provided
framework classes, to read the auth section of your web.config file
(because our auth is now in our top level web.config.)

So, the roles are put in web.config, and the above switch is written, then
that code never changes (unless you add further folders and roles). To
add/remove people's access to folders, you just add/remove them to the
appropriate role and the job is done.

Hope that helps.

Andy
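
A sketch of the "test for folder permissions" step from the post above, as an added example that is not code from the thread or from ASP.NET itself: it reads the <location> authorization rules from a web.config and applies them first-match-wins, as URL authorization does. The sample config, the class and method names, and the user names are constructed; verbs attributes and rules inherited from parent configs are not handled, and a folder with no matching rule is assumed to fall through to the default allow.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class FolderAccess
{
    // Constructed sample config; the FolderA role name follows the thread's naming.
    const string SampleConfig = @"<configuration>
  <location path=""FolderA"">
    <system.web><authorization>
      <allow roles=""FolderA"" />
      <deny users=""*"" />
    </authorization></system.web>
  </location>
</configuration>";

    // Splits a comma-separated users="" or roles="" attribute; missing attribute gives an empty list.
    static string[] Csv(XElement rule, string attr)
    {
        return ((string)rule.Attribute(attr) ?? "")
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(s => s.Trim()).ToArray();
    }

    // A rule applies if it names the user, "*" (everyone), "?" (anonymous), or one of the user's roles.
    static bool Matches(XElement rule, string user, string[] roles)
    {
        bool authenticated = !string.IsNullOrEmpty(user);
        return Csv(rule, "users").Any(u => u == "*" || (u == "?" && !authenticated)
                   || (authenticated && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)))
            || Csv(rule, "roles").Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }

    // Walks the folder's <allow>/<deny> rules in document order; the first matching rule decides.
    public static bool IsAllowed(XDocument config, string folder, string user, string[] roles)
    {
        var location = config.Root.Elements("location").FirstOrDefault(l =>
            string.Equals((string)l.Attribute("path"), folder, StringComparison.OrdinalIgnoreCase));
        if (location == null) return true; // assumption: no rules means the default allow applies
        foreach (var rule in location.Elements("system.web").Elements("authorization").Elements())
            if (Matches(rule, user, roles)) return rule.Name.LocalName == "allow";
        return true; // assumption: nothing matched, default allow applies
    }

    static void Main()
    {
        var config = XDocument.Parse(SampleConfig);
        Console.WriteLine("alice -> FolderA: " + IsAllowed(config, "FolderA", "alice", new[] { "FolderA" }));
        Console.WriteLine("bob   -> FolderA: " + IsAllowed(config, "FolderA", "bob", new[] { "FolderB" }));
    }
}
```

Use the result only to decide which links to render; the <location> rules enforced by URL authorization remain the actual access control.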
 
