sparkyborder-softwareengineerorg
I've set up the app to disallow the user from clicking to or seeing the
admin functions.
The forced-login works on the click-to-the-restricted-pages, but I can
still see the menu items even when not in the appropriate group.
I have an Administrators role.
web.config restricts both the admin directory and the particular file
in it (redundancy for testing):
<location path="~/admin">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="~/admin/shelters_edit.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
The role manager is enabled and forms auth is true:
<roleManager enabled="true"/>
<authentication mode="Forms" />
The sitemap provider is enabled:
<siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">
securityTrimmingEnabled is true:
  <providers>
    <remove name="AspNetXmlSiteMapProvider"/>
    <add name="AspNetXmlSiteMapProvider"
         description="SiteMap provider which reads in .sitemap XML files."
         type="System.Web.XmlSiteMapProvider"
         securityTrimmingEnabled="true" siteMapFile="Web.sitemap"/>
  </providers>
</siteMap>
... and yet, even when the user is not logged in to the Administrators
group, the Edit Shelters menu item is visible:
<siteMapNode url="~/login.aspx" title="Login" description="Login"
             roles="*" >
  <siteMapNode url="~/admin/shelters_edit.aspx"
               title="Edit Shelters"
               description="Edit Shelters/Rescues" roles="Administrators" />
</siteMapNode>