check if user is the one specified in <location path="...

[zino66]

In an intranet asp.net application I have the following in the web config:

<authentication mode="Windows" />

<location path="AdministrationFolder">
<system.web>
<authorization>
<allow users="John"/>
<allow users="David"/>
<allow users="Eric"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

The "Default.aspx" page is accessible to everybody.
I have a link <a href=Administration.aspx>Administration</a> on this page,
which I need it to be visible only if the user is one of those specified in
"<location path=....>" (If user = in (John, David, Eric) then, display the
link.)



How can I check if the logged user is one of the mentioned users above ?

 

[Joe Kaplan]

The identity information that the UrlAuthorizationModule (the thing taht
consumes that particular piece of XML web.config) examines the
HttpContext.User property, specifically the .Identity.Name property and the
..IsInRole method to compare against user name and role membership, so you
can do the same thing programmatically in your code to conditionally display
specific markup.

 

[zino66]

now I'm able to check the logged user name, but I need to compare it to the
one stored in <location path=....
<allow users='john'........

so, in the "Default.aspx" page, which is available to anybody (not only
'John',....),
I wrote:
Dim _as_ As Web.Configuration.AuthorizationSection =
Web.Configuration.WebConfigurationManager.GetSection("system.web/authorization", "~/Administration")

but I'm getting this error:
"The attribute 'users' has been locked in a higher level configuration"

I understand that accessing the config file in an already protected folder
from an unprotected page sound non-sense, but is there a way to work around
this ?

thanks for help

 

[Joe Kaplan]

If I were solving the problem, I'd approach it differently.

I'd create a mechanism to put these users in a role called "Admin" or
something like that and then hard code the configuration section and your
security trimming UI code to just check that.

To generate a role for a user on the fly, you can hook the authenticate
event in global.asax (or something similar) and just issue an new
GenericPrincipal for the authenticated user that add specific users to a
role. You can create a custom configuration value of your own choosing to
determine which users are in the admin role or not.

I'm not sure what the recommended method to read the configuration file
directly is but it seems that ASP.NET does not want you doing it the way you
are trying right now.