asp.net 2.0 menu control shows restricted item

  • Thread starter sparkyborder-softwareengineerorg
  • Start date

S

sparkyborder-softwareengineerorg

I've setup the app to disallow the user from clicking to or seeing the
admin functions.

The forced-login works on the click-to-the-restricted-pages, but I can
still see the menu items even when not in the appropriate group.

I have an Administrators role.

web.config restricts both the admin directory and the particular file
in it (redundancy for testing)

<location path="~/admin">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*"/>
</authorization>
</system.web>

</location>
<location path="~/admin/shelters_edit.aspx">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>

The role manager is enabled and forms auth is true:
<roleManager enabled="true"/>
<authentication mode="Forms" />

The sitemap provider is enabled
<siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">

securityTrimmingEnabled is true

<providers>
<remove name="AspNetXmlSiteMapProvider"/>
<add name="AspNetXmlSiteMapProvider"
description="SiteMap provider which reads in .sitemap XML files."
type="System.Web.XmlSiteMapProvider"
securityTrimmingEnabled="true" siteMapFile="Web.sitemap"/>
</providers>
</siteMap>

.... and yet, even when the user is not logged in to the Administrators
group the Edit Shelters menu item is visible:
<siteMapNode url="~/login.aspx" title="Login" description="Login"
roles="*" >


<siteMapNode url="~/admin/shelters_edit.aspx"
title="Edit Shelters"
description="Edit Shelters/Rescues" roles="Administrators" />

</siteMapNode>
 
Ad

Advertisements

U

urchin

Not sure why that's suggested.

The menu lives in the controls directory. When the web.sitemap binds to
it without the ~/ the system attempts to find everything with controls/
as root.

Removing the tilde slash had no effect on the protected menu
visibility.
 
Ad

Advertisements

D

Dominick Baier [DevelopMentor]

if you try to access a protected subdirectory - does the authorization element
work?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top