Matt

Reputation: 1616

SiteMap Not Hiding elements

I have inherited a site which makes extensive use of sitemaps. I have been asked if I can make menu items only appear if the user is logged in at the correct role.

(I know my roles based login is all working correctly)

I have the following in my sitemap

<siteMapNode url="~/" title="Home" description="Home">
  <siteMapNode title="Home" url="default.aspx" />
  <!--Sets up Product page-->
  ... Product map always shows, so skipped ...

  <siteMapNode title="Support" url="~/support/default.aspx">
    <siteMapNode title="CurrentIssues" url="~/support/Issues.aspx" role="Customer" />
  </siteMapNode>
  ...

and this line in my config

<add name="main_siteMap" description="Menu Site map Provider" type="System.Web.XmlSiteMapProvider" siteMapFile="Web.sitemap" secuirityTrimmingEnabled="true"/>

Yet no matter whether I am logged in or out, the CurrentIssues Menu option is always visible. (Though if you try to click on it, it takes you to the LoginPage.)

So what have I missed to be able to hide menu items for those that are not logged into the correct role?

Upvotes: 1

Views: 292

Answers (2)

Doberon

Reputation: 648

Another suggestion is to add a web.config configuration file to the resources directory, specifying for each resource the roles that should be allowed to access it:

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <location path="Manual_de_rol_aprobador.pdf">
    <system.web>
      <authorization>
        <allow roles="aprobador, administradorDeSistema" />
        <deny users="*" /><!-- Authenticated users -->
        <deny users="?" /><!-- Anonymous users -->
      </authorization>
    </system.web>
  </location>

  <location path="Manual_de_rol_calificador.pdf">
    <system.web>
      <authorization>
        <allow roles="calificador, administradorDeSistema" />
        <deny users="*" /><!-- Authenticated users -->
        <deny users="?" /><!-- Anonymous users -->
      </authorization>
    </system.web>
  </location>


  <system.web>
    <authorization>
      <allow roles="calificador, aprobador, administradorDeSistema" />
      <deny users="*" /><!-- Authenticated users -->
      <deny users="?" /><!-- Anonymous users -->
    </authorization>
  </system.web>

</configuration>

Upvotes: 0

MikeSmithDev

Reputation: 15797

There are a few issues with what you posted.

The siteMapNode value should be roles not role.

Your web.config entry has a typo (secuirityTrimmingEnabled has an extra i) and should likely look more like this:

<siteMap defaultProvider="main_siteMap" enabled="true">
    <providers>
        <add name="main_siteMap"
            description="Menu Site map Provider"
            type="System.Web.XmlSiteMapProvider"
            siteMapFile="Web.sitemap"
            securityTrimmingEnabled="true" />
    </providers>
</siteMap>

Also note that securing the sitemap this way requires the proper implementation of RoleManagement, meaning that in this case, you'll also need to secure that path in the web.config:

<location path="support/issues.aspx">
    <system.web>
        <authorization>
            <allow roles="Customer" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

Also note that per the docs:

Site-map files with more than 150 nodes can take substantially longer to perform security-trimming operations.

Upvotes: 1
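
Added example (not part of either answer, and not code from ASP.NET itself): a Python check that reads a sitemap and the root web.config and reports the three problems raised in this thread: a misspelled `securityTrimmingEnabled`, a `role` attribute where `roles` is expected, and a role-restricted node with no matching `<location>` authorization rule. The function names and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the question's snippets, typos included.
SITEMAP = """<siteMap>
 <siteMapNode url="~/" title="Home" description="Home">
  <siteMapNode title="Support" url="~/support/default.aspx">
   <siteMapNode title="CurrentIssues" url="~/support/Issues.aspx" role="Customer" />
  </siteMapNode>
 </siteMapNode>
</siteMap>"""
WEB_CONFIG = """<configuration><system.web><siteMap><providers>
 <add name="main_siteMap" type="System.Web.XmlSiteMapProvider"
      siteMapFile="Web.sitemap" secuirityTrimmingEnabled="true" />
</providers></siteMap></system.web></configuration>"""

def local(el):
    """Tag name without an XML namespace (real Web.sitemap files declare one)."""
    return el.tag.rsplit("}", 1)[-1]

def norm(path):
    """'~/support/Issues.aspx' and 'support/issues.aspx' name the same resource."""
    return path.lstrip("~").strip("/").lower()

def lint(sitemap_xml, config_xml):
    """Return findings as strings. Only the root web.config is inspected;
    per-directory web.config files are not read."""
    findings, cfg = [], ET.fromstring(config_xml)
    for add in (e for e in cfg.iter() if local(e) == "add"):
        if "XmlSiteMapProvider" not in add.get("type", ""):
            continue
        if add.get("securityTrimmingEnabled", "").lower() != "true":
            findings.append(f"provider {add.get('name')}: securityTrimmingEnabled is not true")
    # Paths that carry an <allow roles="..."> rule inside a <location> element.
    guarded = [norm(loc.get("path", "")) for loc in cfg.iter() if local(loc) == "location"
               and any(local(a) == "allow" and a.get("roles") for a in loc.iter())]
    for node in ET.fromstring(sitemap_xml).iter():
        if local(node) != "siteMapNode":
            continue
        title, url = node.get("title"), norm(node.get("url", ""))
        if "role" in node.attrib:
            findings.append(f"node {title}: attribute 'role' should be 'roles'")
        if not (node.get("roles") or node.get("role")):
            continue  # unrestricted node, nothing to cross-check
        # A rule on the file itself or on a parent directory counts.
        if not any(url == g or url.startswith(g + "/") for g in guarded):
            findings.append(f"node {title}: no <location> rule with allow roles for {url}")
    return findings

if __name__ == "__main__":
    for finding in lint(SITEMAP, WEB_CONFIG):
        print(finding)
```

Run against the constructed inputs it reports all three findings; with both typos corrected and a `<location>` rule added for the page or its directory, it reports none.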
