user838359

Reputation: 173

Security in asp.net

I have a database-driven menu through which I show the pages a particular role can view. However, if the user types the URL he can still view the page. Can you let me know how I can prevent him from doing that? However, I was trying to check whether the role has access to the page through a query and then redirect him to another page if he doesn't. So, can you let me know the best way I can do this task?

This is what I did

    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Web;

    public bool Initi()
    {
        string currentuser = HttpContext.Current.User.Identity.Name;
        string currentPageName = HttpContext.Current.Request.Url.AbsoluteUri;
        string connStr1 = "Data Source=NISHANTH-PC\\SQLEXPRESS;Initial Catalog=roletesting;Integrated Security=True";
        using (SqlConnection conn1 = new SqlConnection(connStr1))
        {
            conn1.Open();

            SqlParameter param1 = new SqlParameter();
            param1.ParameterName = "@currentpagename";
            param1.SqlDbType = SqlDbType.NVarChar;
            param1.Direction = ParameterDirection.Input;
            param1.Value = currentPageName;

            SqlParameter param = new SqlParameter();
            param.ParameterName = "@currentuser";
            param.SqlDbType = SqlDbType.NVarChar;
            param.Direction = ParameterDirection.Input;
            param.Value = currentuser;

            // Verbatim (@"...") string so the query can span several lines and still compile.
            // The role id is hard-coded here; @currentuser is bound but not used by the query.
            string hasaccess = @"select PageRole.hasRights from PageRole,
              aspnet_UsersInRoles, SubMenu, aspnet_Paths, aspnet_Roles, aspnet_Users where
              Submenu.Url = @currentpagename and Submenu.Url = aspnet_Paths.Path and
              aspnet_Paths.PathId = PageRole.PathId and
              PageRole.RoleId = '780c6d23-b321-43fc-98fe-d2af26b6f069'";

            SqlCommand coi = new SqlCommand(hasaccess, conn1);
            coi.Parameters.Add(param1);
            coi.Parameters.Add(param);

            // ExecuteScalar returns null when no row matches and DBNull.Value when the
            // column itself is NULL; neither is the string "null", so test for them directly.
            object result = coi.ExecuteScalar();
            if (result == null || result == DBNull.Value)
            {
                return false;
            }

            string a = (string)result;
            if (a == "N")
            {
                return false;
            }
            else
                return true;
        }
    }

I just hard-coded it in the middle by directly using the role id value, and then in main I just check whether this is true or not and act accordingly. But this seems a lot worse to me, though I did it on the master page. As I am pretty new to asp.net, I don't know the best way to go about this. So, can you let me know the best way and also the mistakes I made here?

Upvotes: 0

Views: 74

Answers (1)

Adam Tuliper

Reputation: 30152

You set URL permissions in the web.config. See http://support.microsoft.com/kb/316871

Upvotes: 1
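As an added illustration of the answer above (this fragment is not part of the original answer or the linked KB article), here is what role-based URL authorization looks like in web.config. ASP.NET's UrlAuthorizationModule evaluates these rules on every request before the page runs, so a user who types the URL directly is blocked just as effectively as one who never saw the menu link; the hand-written query on the master page becomes unnecessary. The role names (Manager, HR), the folder and page paths, and the login page are placeholders chosen for the example. It assumes the SqlRoleProvider is configured against the aspnet_Roles and aspnet_UsersInRoles tables that the question's query already references.

```xml
<?xml version="1.0"?>
<!-- Added example, not the answerer's configuration. Role names and paths are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Anonymous or denied users are redirected here (placeholder page). -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <!-- Uses the aspnet_Roles / aspnet_UsersInRoles tables via the default SqlRoleProvider. -->
    <roleManager enabled="true" />

    <!-- Site-wide default: any authenticated user may browse; anonymous users ("?") are denied. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Folder rule: everything under /Admin is limited to the Manager role.
       Rules are evaluated top to bottom and the first match wins, so the
       closing deny users="*" turns away everyone the allow did not match. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Single-page rule: same mechanism, one .aspx file instead of a folder. -->
  <location path="Reports/Payroll.aspx">
    <system.web>
      <authorization>
        <allow roles="Manager,HR" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points worth checking after adding rules like these: the order matters (an `<allow>` placed after a `<deny users="*">` never fires), and the rules only protect requests that ASP.NET actually handles, so on older IIS configurations static files such as downloadable reports need their extensions mapped to ASP.NET or they bypass the check. The menu can then be driven from the same role membership (for example `User.IsInRole("Manager")`) so that what is shown and what is enforced come from one source.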
