XmlSiteMapProvider: How to hide siteMapNode to a certain role?

Max2006

Hi,

I need to hide a series of siteMapNodes from certain roles. That means the roles
have access to the siteMapNode, but the node doesn't appear on the
navigation menu. I'll use Response.Redirect to jump to hidden pages.

How can I do that? I tried securityTrimmingEnabled="true" in my web.config.
But it doesn't help because the pages are accessible to the roles. I just
want to hide the pages from the main menu when certain roles log in.

Any help would be appreciated,
Max
 
Cowboy (Gregory A. Beamer)

You want these people to be able to use the page, but only if they are very
good at hacking? Or, you only want certain roles to use the page period?

If you want to hide them, you will have to create a custom sitemap provider
that allows you to hide pages people can actually hit.

If you want them to be inaccessible, you can add the roles to the sitemap
file and then make them inaccessible in the web.config file in that folder.
 
Steven Cheng[MSFT]

Hi Max,

I agree with Gregory, if you want to customize the sitemapnode's display
based on authorization roles, the "Security Trimming" feature of ASP.NET
2.0 is a reasonable choice:

#ASP.NET Site-Map Security Trimming
http://msdn2.microsoft.com/en-us/library/ms178428.aspx

Here is a good example demonstrating security trimming from Scott's blog:

#Recipe: Implementing Role Based Security with ASP.NET using Windows Authentication and SQL Server
http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

In addition, you may find the actual access role calculation (how
the sitemapnode will be displayed or hidden) a bit complex. Here are some former
threads where I've provided some description of this:

http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet.webcontrols/browse_thread/thread/7fa4e5b66ff5ca4f/606205d014ee3043

http://groups.google.com/group/microsoft.public.vsnet.general/browse_thread/thread/8334f625070c8b74/b05d7462f0bf2731

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Max2006

Hi Steven and George,



The security trimming doesn't help.



I guess I didn't explain the situation properly. We have two roles in our
site (admin and user). They both have access to all of the Wizard pages
(Wiz1.aspx, Wiz2.aspx .. Wiz15.aspx). Our application has logic to jump
between Wizard pages. Our users will use all 15 wizard pages and jump
between them back and forth. ***We do not want them to see the 15 wizard
pages on the left hand navigation menu.***



So far everything is nice. I know that we can easily exclude Wiz1.aspx,
Wiz2.aspx .. Wiz15.aspx from the web.sitemap file, but here is the problem:
Based on the requirement, the site admin user (admin role) needs to see all
wizard pages (Wiz1.aspx, Wiz2.aspx .. Wiz15.aspx) on the left side
navigation.



In essence, this is not a matter of access rights. Both roles have perfect
access to all pages. We just want to hide some of the pages for non-admin
users.



What would be the easiest way to achieve that? I prefer to use navigation
provider features.



BTW: I simplified the situation to explain my question. The actual scenario
is much more complex.



Thank you,

Max
 
Steven Cheng[MSFT]

Thanks for your reply Max,

Well, I've got your actual requirement now. Yes, you're right, the
security-trimming functionality is different from what you expect.
Actually, security trimming allows you to make more pages viewable by
users (pages they originally cannot view according to URL authorization).
However, what you need is to hide some pages which originally can be viewed by
certain users (according to URL authorization roles), right?

So far I think the built-in sitemapprovider's features cannot provide this.
What I can get now is to use the item's databinding event, such as the
"TreeView.TreeNodeDataBound" event. You can add code there and change the
Text or other properties of the TreeNode (according to the current binding
URL value) so as to not display the original value (but cannot remove it).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Max2006

Thank you Steven. I did that and I got the result I was looking for.

Thanks again, Max
 
Steven Cheng[MSFT]

You're welcome Max!

I'm glad to be of assistance.

Have a nice day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
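
Added example (not code from any poster in this thread): one way to write the custom sitemap provider Gregory suggests, applied to the admin/user wizard case Max describes. The class name and the `menuRoles` attribute are hypothetical, and the provider is assumed to be registered with securityTrimmingEnabled="true".

```csharp
using System;
using System.Web;

// Hypothetical provider (the class name is an assumption). Register it in
// web.config under <siteMap><providers> with securityTrimmingEnabled="true";
// with trimming off, child nodes are returned without this check being made.
//
// Assumed web.sitemap markup, using a custom attribute "menuRoles":
//   <siteMapNode url="~/Wiz1.aspx" title="Wizard 1" menuRoles="admin" />
//
// This decides only what navigation controls list. Whether a request for
// Wiz1.aspx is served is still decided by URL authorization (<authorization>
// rules in web.config), which this class does not change.
public class MenuRoleSiteMapProvider : XmlSiteMapProvider
{
    public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (node == null) throw new ArgumentNullException("node");

        // Keep the built-in trimming: a node the user cannot reach is never listed.
        if (!base.IsAccessibleToUser(context, node))
            return false;

        // Custom attributes from web.sitemap are exposed through the indexer.
        string menuRoles = node["menuRoles"];
        if (string.IsNullOrEmpty(menuRoles))
            return true; // no display restriction on this node

        if (context.User == null)
            return false;

        foreach (string entry in menuRoles.Split(new char[] { ',', ';' },
                                                 StringSplitOptions.RemoveEmptyEntries))
        {
            string role = entry.Trim();
            if (role.Length > 0 && context.User.IsInRole(role))
                return true; // listed for this role
        }

        // Not listed in the menu; the page itself stays reachable by URL.
        return false;
    }
}
```

Node lookups go through the same check, so on a hidden page SiteMap.CurrentNode is null for the users it is hidden from and a SiteMapPath breadcrumb renders nothing there.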
 
