S
Suneel Jhangiani
Hi,
I have been working on a framework for publishing several sites from a
single code based allowing for easy modification by end users. I have based
my code around the IBuySpy Portal sample, and am now looking at re-working
the Security Model throughout the whole Framework.
The first thing that should be said about my framework that differs from all
others, is that tabs and modules can be created without being assigned to a
portal. A Portal administrator can add new tabs or select an existing tab.
In addition, when content is added the author can choose which portals the
content can be displayed on by selecting them from a list box.
When initially looking at the security I thought about having a permission
based system, where by a user would have certain permissions. My initial
thought was to place the User Permissions into a bit mask value that can be
enumerated eg.:
Public Enum Permissions
None = &H0
ViewUnApproved = &H1
ViewApproved = &H2
ViewUnPublished = &H4
ViewPublished = &H8
EditAll = &H10
EditOwn = &H20
DeleteAll = &H40
DeleteOwn = &H80
Add = &H100
Translate = &H200
Approve = &H400
Publish = &H800
End Enum
Once I had done this I realized that I would need the permission to be
stored based on a level eg.:
Public Enum PermissionLevel
None = &H0
ContentLevel = &H1
CategoryLevel = &H2
ModuleLevel = &H4
TabLevel = &H8
PortalLevel = &H10
SystemLevel = &H20
End Enum
Therefore, a user role would infact be a combination of the PermissionLevel,
Permission bitmask, an Allow/Deny bit and an ItemID. The ItemID would relate
to the level, so that if the PermissionLevel were set to TabLevel, then the
ItemId would represent the Tab; likewise if it was set to PortalLevel than
the ItemID would represent the Portal. The SystemLevel would not require an
ItemID as it applies to whole the application and a user with all
permissions at this level would be considered a super user.
My idea by using the above is so that I can check a users permission in the
following way:
If User.HasPermission(PortalId, TabId, ModuleId, CategoryId, ItemID,
ViewApproved OR ViewPublished) Then
' Display Approved or Published content
End If
Most of the other Portal Frameworks I have looked at use string based Roles
and the User.IsInRole method to check permissions. However, this requires
that a string of Roles be stored for each permission type (ie. IBuySpy uses
AuthorizedRoles and AuthorizedEditRoles for view and edit permission
respectively).
My full concept would be to create several Groups that Users are assigned
to. These groups are assigned permissions and as such a user inherits these
permissions. However, I want to allow the ability for a single user to
override a group permission. For example, a Group is created which can Add
new content to a single page (Tab Level), but I want a single user within
this group not to be able to add new announcements on this page, so I add a
UserPermission to deny that user access to the Announcements Module. I have
already worked this out at the database layer, I'm just stuck on the best
way to implement this scenario in ASP.Net using Forms based Authentication
and would appreciate any advice / pointers.
I would also like to know if any one has any tips on how to make the model
extensible, such that say a third-party writes a new module and wants to
have specific permissions available to that module how can that be
integrated? For example we create a Corporate Directory which includes
Employee photographs, however we only want employees to see that
photographs. Through the above design, it shold be as simple as extending
the bitmask eg.:
ViewPhotograph = &1000
ViewAddress = &2000
ViewPersonalInfo = &4000
Hoping someone has some good advice,
Suneel.
I have been working on a framework for publishing several sites from a
single code based allowing for easy modification by end users. I have based
my code around the IBuySpy Portal sample, and am now looking at re-working
the Security Model throughout the whole Framework.
The first thing that should be said about my framework that differs from all
others, is that tabs and modules can be created without being assigned to a
portal. A Portal administrator can add new tabs or select an existing tab.
In addition, when content is added the author can choose which portals the
content can be displayed on by selecting them from a list box.
When initially looking at the security I thought about having a permission
based system, where by a user would have certain permissions. My initial
thought was to place the User Permissions into a bit mask value that can be
enumerated eg.:
Public Enum Permissions
None = &H0
ViewUnApproved = &H1
ViewApproved = &H2
ViewUnPublished = &H4
ViewPublished = &H8
EditAll = &H10
EditOwn = &H20
DeleteAll = &H40
DeleteOwn = &H80
Add = &H100
Translate = &H200
Approve = &H400
Publish = &H800
End Enum
Once I had done this I realized that I would need the permission to be
stored based on a level eg.:
Public Enum PermissionLevel
None = &H0
ContentLevel = &H1
CategoryLevel = &H2
ModuleLevel = &H4
TabLevel = &H8
PortalLevel = &H10
SystemLevel = &H20
End Enum
Therefore, a user role would infact be a combination of the PermissionLevel,
Permission bitmask, an Allow/Deny bit and an ItemID. The ItemID would relate
to the level, so that if the PermissionLevel were set to TabLevel, then the
ItemId would represent the Tab; likewise if it was set to PortalLevel than
the ItemID would represent the Portal. The SystemLevel would not require an
ItemID as it applies to whole the application and a user with all
permissions at this level would be considered a super user.
My idea by using the above is so that I can check a users permission in the
following way:
If User.HasPermission(PortalId, TabId, ModuleId, CategoryId, ItemID,
ViewApproved OR ViewPublished) Then
' Display Approved or Published content
End If
Most of the other Portal Frameworks I have looked at use string based Roles
and the User.IsInRole method to check permissions. However, this requires
that a string of Roles be stored for each permission type (ie. IBuySpy uses
AuthorizedRoles and AuthorizedEditRoles for view and edit permission
respectively).
My full concept would be to create several Groups that Users are assigned
to. These groups are assigned permissions and as such a user inherits these
permissions. However, I want to allow the ability for a single user to
override a group permission. For example, a Group is created which can Add
new content to a single page (Tab Level), but I want a single user within
this group not to be able to add new announcements on this page, so I add a
UserPermission to deny that user access to the Announcements Module. I have
already worked this out at the database layer, I'm just stuck on the best
way to implement this scenario in ASP.Net using Forms based Authentication
and would appreciate any advice / pointers.
I would also like to know if any one has any tips on how to make the model
extensible, such that say a third-party writes a new module and wants to
have specific permissions available to that module how can that be
integrated? For example we create a Corporate Directory which includes
Employee photographs, however we only want employees to see that
photographs. Through the above design, it shold be as simple as extending
the bitmask eg.:
ViewPhotograph = &1000
ViewAddress = &2000
ViewPersonalInfo = &4000
Hoping someone has some good advice,
Suneel.