Reputation: 2378
I have been reading a lot about asp.net membership and roles for the past couple of days and trying to implement it in my project using form-based authentication. I tried out most of the samples that I found on the internet, from managing users/roles using WSAT to managing users/roles/access rules in code. No doubt it provides great functionality with little effort on the developer's end, but somehow I have developed the feeling that authorization in asp.net only provides a way to restrict access to pages and directories. What if I have a page which can be accessed by all users and, based on the user role, the page offers different functionality to the user (common scenario - like SO is using)? Though we can check Roles.IsUserInRole(role)
in our code and customize the page for different roles, then again we can code the functionality to create more roles and enable users (Admins) to create more. And once the application is up and running and users (admins) create new roles, how do we take care of such roles in our pages?
Upvotes: 0
Views: 216
Reputation: 853
RE: Ann L's comment on her own answer (I can't write a comment because I don't have enough reputation points yet).
If an administrator of the application is able to create new roles, it simply means that authenticated (!) users within those roles have rights to do more or other things (depending on those roles).
I don't think that letting users (admins) create roles dynamically would be a bad security practice. Bad security practices are, in my opinion, those that enable malevolent users to cause damage, steal data or hijack the application. Those bad practices enable people to be authenticated in a way that you wouldn't want them to be.
Upvotes: 0
Reputation: 13975
Well. You are right that Roles.IsUserInRole(role) can be used to customize pages for different roles. So it's not all about restricting access to pages and directories.
If you're asking how to accommodate new roles created by user administrators, and how to have the pages adapt to these new roles ... well, I think the term for what you're talking about is "dynamic roles". If you want a system where the users decide who can access what and create new roles with different access, you need a system that supports dynamic roles.
I've seen a lot of attempts to hand-code such a system, and I have yet to personally see one that was done well. Some systems that do exactly that and do it well are commercial CMS (content management systems). If you have an actual need for such a system, you might want to look at some of them.
ASP.NET's built-in role management is neat stuff, but it's really meant for a static role situation, where there are (say) "Payables Clerks", "Receivables Clerks" and "Managers" and, while people may change roles, the roles themselves and what people in them need to do don't change much.
Upvotes: 1
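One way to handle the "dynamic roles" situation discussed above, as an added example that is not from any of the posters: pages check a fixed set of permissions, and roles are just data that map to those permissions, so an admin can create a new role at runtime without any page code changing. The `RoleCatalog` class, the `Permission` enum and the in-memory membership data are assumptions made for this sample; `isInRole` stands in for `Roles.IsUserInRole(user, role)` so it runs without an ASP.NET host.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Permissions are the fixed vocabulary the pages are written against.
// Roles are data: an admin can create a role at runtime and attach any set of these.
public enum Permission { ViewQuestions, PostAnswer, EditAnyPost, ManageRoles }

public class RoleCatalog
{
    // Role name -> granted permissions. In a real app this would be stored in the
    // database alongside the membership roles; here it is an in-memory constructed sample.
    private readonly Dictionary<string, HashSet<Permission>> _grants =
        new Dictionary<string, HashSet<Permission>>(StringComparer.OrdinalIgnoreCase);

    public void DefineRole(string role, params Permission[] perms) =>
        _grants[role] = new HashSet<Permission>(perms);

    // isInRole stands in for System.Web.Security.Roles.IsUserInRole(user, role).
    // A user has a permission if any role they belong to grants it.
    public bool HasPermission(string user, Permission p, Func<string, string, bool> isInRole) =>
        _grants.Any(kv => kv.Value.Contains(p) && isInRole(user, kv.Key));
}

public static class Demo
{
    public static void Main()
    {
        var catalog = new RoleCatalog();
        catalog.DefineRole("Member", Permission.ViewQuestions, Permission.PostAnswer);
        catalog.DefineRole("Admin", Enum.GetValues(typeof(Permission)).Cast<Permission>().ToArray());

        // Constructed membership data: who is in which role.
        var membership = new Dictionary<string, string[]> {
            ["alice"] = new[] { "Member" },
            ["bob"]   = new[] { "Admin" },
            ["carol"] = new[] { "Moderator" }  // role that an admin creates later
        };
        Func<string, string, bool> isInRole = (u, r) =>
            membership.TryGetValue(u, out var roles) && roles.Contains(r, StringComparer.OrdinalIgnoreCase);

        // An admin creates a new role at runtime; the page check below does not change.
        catalog.DefineRole("Moderator", Permission.ViewQuestions, Permission.EditAnyPost);

        foreach (var user in membership.Keys)
        {
            // The page asks for the permission it needs, not for a hard-coded role name.
            bool canEdit = catalog.HasPermission(user, Permission.EditAnyPost, isInRole);
            Console.WriteLine($"{user}: show edit button = {canEdit}");
        }
    }
}
```

With this split, the only thing that has to stay static is the permission list the pages understand; which roles exist, and what each one grants, is left to the administrators.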