Location element in the Web.config file. Allow System Admin whole directory, allow others specific p

[Ryan Taylor]

Hello.

I am developing an ASP.net C# application using forms authentication. I have
a directory ManageUsers and I want all pages in that directory to be
accessed by the system administrator. But, there is one page,
ChangePassword.aspx that any authenticated user should be able to access.

How exactly does the location element assign permissions to directories and
pages? I thought that permissions would be applied in the order that the
location elements were defined in the web.config file. With the latest
location element defining the permissions.

The following is what I have attempted. But when the Change Password role is
assigned to the user, he/she is able to view all pages in the ManageUsers
directory and not just the ManageUsers/ChangePassword.aspx

<location path="ManageUsers" allowOverride="false">
<system.web>
<authorization>
<allow roles="System Administrator, Requesting Organization
Administrator, Responding Organization Administrator" />
<deny users="?" />
</authorization>
</system.web>
</location>

<location path="ManageUsers/ChangePassword.aspx" allowOverride="false">
<system.web>
<authorization>
<allow roles="Change Password, System Administrator, Requesting
Organization Administrator, Requesting Organization User, Responding
Organization Administrator, Responding Organization User" />
<deny users="?" />
</authorization>
</system.web>
</location>


Thanks in advance for any assistance.
Ryan Taylor

 

[Ryan Taylor]

I found that part of my problem was that I was allowing all authenticated
users access to the pages. So I replaced the '?' with a '*' and this solved
the problem I also moved the ChangePassword.aspx file to its own location
just to be thorough.

Ryan Taylor