Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

How to determine authorized roles for a page?

6 views
Skip to first unread message

MyndPhlyp

unread,
May 31, 2007, 3:03:44 AM5/31/07
to
I've been combing through Google trying to find the answer but not luck.

I'm using Forms authentication. Determining what Roles the current user is
in was the easy part (User.IsInRole). But how does one determine what Roles
are permitted to use a particular ASPX page? (.NET 2.0, VS05)


Alexey Smirnov

unread,
May 31, 2007, 3:27:17 AM5/31/07
to

I've asked the same question some time ago
http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet/browse_thread/thread/35b6bd15d86528b2/

MyndPhlyp

unread,
May 31, 2007, 6:30:32 AM5/31/07
to

"Alexey Smirnov" <alexey....@gmail.com> wrote in message
news:1180596437.8...@q69g2000hsb.googlegroups.com...

We appear to be on a parallel path. (thanks for the corrective posting in
the other NG.) I noticed WebConfigurationManager before prowling through
Google and the NGs. I too am understandably resistant to that approach.
Seems as though the desired method should be available. After all, what
method does .NET call to determine a user's ability, or lack thereof, to
access a page?


SAL

unread,
May 31, 2007, 4:33:27 PM5/31/07
to
As Alexey was implying in the post in the link that was included, parsing
the web.sitemap might be a way to do that. If you include the roles tag for
you pages, you can determine the roles that are allowed for a giving page.
It's a pain but it's a way to do it. You can use the HTTPConext to get at
the current user.

HTH
S

"MyndPhlyp" <nob...@homeright.now> wrote in message
news:%235PE562...@TK2MSFTNGP03.phx.gbl...

Alexey Smirnov

unread,
May 31, 2007, 5:28:47 PM5/31/07
to
On May 31, 10:33 pm, "SAL" <S...@NoNo.com> wrote:
> As Alexey was implying in the post in the link that was included, parsing
> the web.sitemap might be a way to do that. If you include the roles tag for
> you pages, you can determine the roles that are allowed for a giving page.
> It's a pain but it's a way to do it. You can use the HTTPConext to get at
> the current user.

using System.Web.Configuration;

Configuration config =
WebConfigurationManager.OpenWebConfiguration(url);
AuthorizationSection configSection =
(AuthorizationSection)config.GetSection("system.web/authorization");
AuthorizationRuleCollection rules = configSection.Rules;

CommaDelimitedStringCollection allowed = new
CommaDelimitedStringCollection();
CommaDelimitedStringCollection denied = new
CommaDelimitedStringCollection();

for (int i = 0; i < rules.Count; i++)
{
if (rules[i].Roles.Count > 0)
{
if (rules[i].Action.ToString() == "Allow")
allowed.AddRange(rules[i].Roles.ToString().Split(','));
else if (rules[i].Action.ToString() == "Deny")
denied.AddRange(rules[i].Roles.ToString().Split(','));
}
}

Response.Write("Allowed Roles: " + allowed.ToString());
Response.Write("<br />");
Response.Write("Denied Roles: " + denied.ToString());

Note, the url value can be a path to a directory, like "/admin", or a
path to the file, like "/admin/default.aspx". To find if roleName
"IsInRoles", simply use the Contains() method, e.g.
allowed.Contains("roleName").

Enjoy.

SAL

unread,
Jun 1, 2007, 12:08:49 PM6/1/07
to
Nice.

S

"Alexey Smirnov" <alexey....@gmail.com> wrote in message

news:1180646927.5...@u30g2000hsc.googlegroups.com...

MyndPhlyp

unread,
Jun 2, 2007, 4:10:34 PM6/2/07
to

"Alexey Smirnov" <alexey....@gmail.com> wrote in message
news:1180646927.5...@u30g2000hsc.googlegroups.com...

>
> using System.Web.Configuration;
>
> Configuration config =
> WebConfigurationManager.OpenWebConfiguration(url);
> AuthorizationSection configSection =
> (AuthorizationSection)config.GetSection("system.web/authorization");
> AuthorizationRuleCollection rules = configSection.Rules;
>
> CommaDelimitedStringCollection allowed = new
> CommaDelimitedStringCollection();
> CommaDelimitedStringCollection denied = new
> CommaDelimitedStringCollection();
>
> for (int i = 0; i < rules.Count; i++)
> {
> if (rules[i].Roles.Count > 0)
> {
> if (rules[i].Action.ToString() == "Allow")
> allowed.AddRange(rules[i].Roles.ToString().Split(','));
> else if (rules[i].Action.ToString() == "Deny")
> denied.AddRange(rules[i].Roles.ToString().Split(','));
> }
> }
>
> Response.Write("Allowed Roles: " + allowed.ToString());
> Response.Write("<br />");
> Response.Write("Denied Roles: " + denied.ToString());
>
> Note, the url value can be a path to a directory, like "/admin", or a
> path to the file, like "/admin/default.aspx". To find if roleName
> "IsInRoles", simply use the Contains() method, e.g.
> allowed.Contains("roleName").

Thanks. Maybe some day, roughly around the same time pigs fly and hell
freezes over, M$ will get around to exposing the method and save us the
trouble (and overhead) of parsing out the web.config.

Who would ever have thought anybody would want to send an authenticated user
back to their previous page, rather than a "not allowed" or login page, if
the user is unauthorized to use the requested page?


Alexey Smirnov

unread,
Jun 4, 2007, 7:20:30 AM6/4/07
to
On Jun 2, 10:10 pm, "MyndPhlyp" <nob...@homeright.now> wrote:
> Who would ever have thought anybody would want to send an authenticated user
> back to their previous page, rather than a "not allowed" or login page, if
> the user is unauthorized to use the requested page?- Hide quoted text -

It has to be checked on the page

if (!User.IsInRole("Manager") {
Response.Redirect("/");
}

0 new messages