| Groups | Blog | Home |
asp.net security : Serious help needed with beta 2.0 SiteMapProvider..
<siteMap> <siteMapNode title="Home" description="" url="default.aspx"> <siteMapNode title="Announcements" url="Announcements.aspx" description="Information for all employees" roles="*" /> <siteMapNode title="Salaries" url="Salaries.aspx" description="Salary data" roles="Managers,CEOs" /> <siteMapNode> </siteMap> I hope this helps RedEye [quoted text, click to view] "RCS" <rseder@gmail.com> wrote in message news:FQxBe.2901$Ih7.1828@newssvr33.news.prodigy.com... > All, > > OK, so I'm working on a template for our new ASP.NET applications. Part of > this, includes using the new menu and breadcrumbs control in ASP.NET 2.0 > (I'm using beta 2). > > I put the hierarchy of the applications and navigation in a database, and > am able to pull that into the app by inheriting StaticSiteMapProvider. So > that's set and works great. > > So then I realize that it builds the sitemap at the application level, not > at the user level. So I've been looking into how to restrict the menu > items - based on security I will get from the database. > > In my inherited class, I override IsAccessibleToUser - and that seems to > work for the breadcrumbs (because it doesn't show anything if I go to an > "invalid" page) - but it doesn't do anything to the menu (or the treeview > either, for that matter). I basically check a couple hard-coded "roles" to > the "roles" that are associated with the current node. > > From what I've been piecing together, it looks like the menu will only > trim away the unwanted menu items if the provider has the > securityTrimmingEnabled="true" - but when I try to add that to the > <providers> section in web.config - I get a red-squiggly and a compiler > warning that it's invalid (where it used to be valid in old versions). > > BOTTOM LINE: > I need to prune the menu hierarchy based on user permissions. One user may > only see literally one item and another user may see a few dozen - or at > least that's what I need to replicate. > > How can I have the menu control (or the treeview) prune away the things > that the current user isn't supposed to see?? > > >
Hello RCS,
that is exactly how the default siteMap implementation works, by using the authorization element, but not for single users but for roles - why don't you do that based on roles and assign the roles to the IPrincipal somehow? Otherwise i would look into the default SiteMap with reflector to see how MS did it. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Well, I'm creating the sitemap on the fly - but yes, this is exactly > what I'm doing. > > The problem comes in with telling this sitemap (and the menu or the > treeview) that the currently logged in user does not have access to > that "Salaries" node in your example below. > > And the academic solution from Microsoft is to put the users in your > web.config and use an <authorization> section to allow/deny people. > But I have a few thousand dynamic users - so I need to programatically > validate whether a user (and I know their roles) is supposed to see a > particular node item (which has a role associated). > > *How* do I accomplish this? > > "RedEye" <redeye_51@hotmail.com> wrote in message > news:%23nLpLsKiFHA.2180@TK2MSFTNGP15.phx.gbl... > >> Have you tried to using the roles attribute in the site map file? >> >> <siteMap> >> <siteMapNode title="Home" description="" url="default.aspx"> >> <siteMapNode title="Announcements" url="Announcements.aspx" >> description="Information for all employees" roles="*" /> >> <siteMapNode title="Salaries" url="Salaries.aspx" >> description="Salary data" roles="Managers,CEOs" /> >> <siteMapNode> >> </siteMap> >> I hope this helps >> >> RedEye >> >> "RCS" <rseder@gmail.com> wrote in message >> news:FQxBe.2901$Ih7.1828@newssvr33.news.prodigy.com... >> >>> All, >>> >>> OK, so I'm working on a template for our new ASP.NET applications. >>> Part of this, includes using the new menu and breadcrumbs control in >>> ASP.NET 2.0 (I'm using beta 2). >>> >>> I put the hierarchy of the applications and navigation in a >>> database, and am able to pull that into the app by inheriting >>> StaticSiteMapProvider. So that's set and works great. >>> >>> So then I realize that it builds the sitemap at the application >>> level, not at the user level. So I've been looking into how to >>> restrict the menu items - based on security I will get from the >>> database. >>> >>> In my inherited class, I override IsAccessibleToUser - and that >>> seems to work for the breadcrumbs (because it doesn't show anything >>> if I go to an "invalid" page) - but it doesn't do anything to the >>> menu (or the treeview either, for that matter). I basically check a >>> couple hard-coded "roles" to the "roles" that are associated with >>> the current node. >>> >>> From what I've been piecing together, it looks like the menu will >>> only trim away the unwanted menu items if the provider has the >>> securityTrimmingEnabled="true" - but when I try to add that to the >>> <providers> section in web.config - I get a red-squiggly and a >>> compiler warning that it's invalid (where it used to be valid in old >>> versions). >>> >>> BOTTOM LINE: >>> I need to prune the menu hierarchy based on user permissions. One >>> user >>> may only see literally one item and another user may see a few dozen >>> - or >>> at least that's what I need to replicate. >>> How can I have the menu control (or the treeview) prune away the >>> things that the current user isn't supposed to see?? >>>
All,
OK, so I'm working on a template for our new ASP.NET applications. Part of this, includes using the new menu and breadcrumbs control in ASP.NET 2.0 (I'm using beta 2). I put the hierarchy of the applications and navigation in a database, and am able to pull that into the app by inheriting StaticSiteMapProvider. So that's set and works great. So then I realize that it builds the sitemap at the application level, not at the user level. So I've been looking into how to restrict the menu items - based on security I will get from the database. In my inherited class, I override IsAccessibleToUser - and that seems to work for the breadcrumbs (because it doesn't show anything if I go to an "invalid" page) - but it doesn't do anything to the menu (or the treeview either, for that matter). I basically check a couple hard-coded "roles" to the "roles" that are associated with the current node. From what I've been piecing together, it looks like the menu will only trim away the unwanted menu items if the provider has the securityTrimmingEnabled="true" - but when I try to add that to the <providers> section in web.config - I get a red-squiggly and a compiler warning that it's invalid (where it used to be valid in old versions). BOTTOM LINE: I need to prune the menu hierarchy based on user permissions. One user may only see literally one item and another user may see a few dozen - or at least that's what I need to replicate. How can I have the menu control (or the treeview) prune away the things that the current user isn't supposed to see??
Well, I'm creating the sitemap on the fly - but yes, this is exactly what
I'm doing. The problem comes in with telling this sitemap (and the menu or the treeview) that the currently logged in user does not have access to that "Salaries" node in your example below. And the academic solution from Microsoft is to put the users in your web.config and use an <authorization> section to allow/deny people. But I have a few thousand dynamic users - so I need to programatically validate whether a user (and I know their roles) is supposed to see a particular node item (which has a role associated). *How* do I accomplish this? [quoted text, click to view] "RedEye" <redeye_51@hotmail.com> wrote in message news:%23nLpLsKiFHA.2180@TK2MSFTNGP15.phx.gbl... > Have you tried to using the roles attribute in the site map file? > > <siteMap> > <siteMapNode title="Home" description="" url="default.aspx"> > <siteMapNode title="Announcements" url="Announcements.aspx" > description="Information for all employees" roles="*" /> > <siteMapNode title="Salaries" url="Salaries.aspx" > description="Salary data" roles="Managers,CEOs" /> > <siteMapNode> > </siteMap> > > I hope this helps > > > RedEye > > "RCS" <rseder@gmail.com> wrote in message > news:FQxBe.2901$Ih7.1828@newssvr33.news.prodigy.com... >> All, >> >> OK, so I'm working on a template for our new ASP.NET applications. Part >> of this, includes using the new menu and breadcrumbs control in ASP.NET >> 2.0 (I'm using beta 2). >> >> I put the hierarchy of the applications and navigation in a database, and >> am able to pull that into the app by inheriting StaticSiteMapProvider. So >> that's set and works great. >> >> So then I realize that it builds the sitemap at the application level, >> not at the user level. So I've been looking into how to restrict the menu >> items - based on security I will get from the database. >> >> In my inherited class, I override IsAccessibleToUser - and that seems to >> work for the breadcrumbs (because it doesn't show anything if I go to an >> "invalid" page) - but it doesn't do anything to the menu (or the treeview >> either, for that matter). I basically check a couple hard-coded "roles" >> to the "roles" that are associated with the current node. >> >> From what I've been piecing together, it looks like the menu will only >> trim away the unwanted menu items if the provider has the >> securityTrimmingEnabled="true" - but when I try to add that to the >> <providers> section in web.config - I get a red-squiggly and a compiler >> warning that it's invalid (where it used to be valid in old versions). >> >> BOTTOM LINE: >> I need to prune the menu hierarchy based on user permissions. One user >> may only see literally one item and another user may see a few dozen - or >> at least that's what I need to replicate. >> >> How can I have the menu control (or the treeview) prune away the things >> that the current user isn't supposed to see?? >> >> >> > >
Hmm.. but I don't understand how the two connect.
I have an inherited class, on RebuildSitemap or whatever it was, I go to the database, get the structure, add the nodes, and I give the "role", of an "app_cd" from our database. In our security database, you can see certain menu items, based on if you can see a particular "app_cd". So I have the menu/sitemap that has nodes with one of our app_cds associated with each, as the 'role'. I can call another stored procedure that brings back all the app_cds the current user can see. But what do I do - to tell the SiteMap/menu/whomever - that this user can only see menu items/sitemap nodes that have a role of "2700" and "2715"?? I was looking at System.Security and creating a principal and whatnot - which is sort of clear, but again - I don't know how to tie in a principal - in with the navigation to tell it to prune the entries that are inappropriate for the current user. -ALSO- my original plan was to use this sitemap on a per-user basis, so I could just do all this in the database. In other words, when you login, go to the database to get the structure of the app - then apply security to prune away inappropriate nodes, then build the sitemap off that. It seems that the whole sitemap concept was built to be application-specific and not user-specific. And the only way I found around that, was to create my own SiteMapDataSource - which looks pretty complicated - and even if I could get it going, I'm not sure it would work on a per-user level until I could actually try it. Thanks for the help "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> [quoted text, click to view] wrote in message news:593874632569828157044280@news.microsoft.com... > Hello RCS, > > that is exactly how the default siteMap implementation works, by using the > authorization element, but not for single users but for roles - why don't > you do that based on roles and assign the roles to the IPrincipal somehow? > > Otherwise i would look into the default SiteMap with reflector to see how > MS did it. > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > >> Well, I'm creating the sitemap on the fly - but yes, this is exactly >> what I'm doing. >> >> The problem comes in with telling this sitemap (and the menu or the >> treeview) that the currently logged in user does not have access to >> that "Salaries" node in your example below. >> >> And the academic solution from Microsoft is to put the users in your >> web.config and use an <authorization> section to allow/deny people. >> But I have a few thousand dynamic users - so I need to programatically >> validate whether a user (and I know their roles) is supposed to see a >> particular node item (which has a role associated). >> >> *How* do I accomplish this? >> >> "RedEye" <redeye_51@hotmail.com> wrote in message >> news:%23nLpLsKiFHA.2180@TK2MSFTNGP15.phx.gbl... >> >>> Have you tried to using the roles attribute in the site map file? >>> >>> <siteMap> >>> <siteMapNode title="Home" description="" url="default.aspx"> >>> <siteMapNode title="Announcements" url="Announcements.aspx" >>> description="Information for all employees" roles="*" /> >>> <siteMapNode title="Salaries" url="Salaries.aspx" >>> description="Salary data" roles="Managers,CEOs" /> >>> <siteMapNode> >>> </siteMap> >>> I hope this helps >>> >>> RedEye >>> >>> "RCS" <rseder@gmail.com> wrote in message >>> news:FQxBe.2901$Ih7.1828@newssvr33.news.prodigy.com... >>> >>>> All, >>>> >>>> OK, so I'm working on a template for our new ASP.NET applications. >>>> Part of this, includes using the new menu and breadcrumbs control in >>>> ASP.NET 2.0 (I'm using beta 2). >>>> >>>> I put the hierarchy of the applications and navigation in a >>>> database, and am able to pull that into the app by inheriting >>>> StaticSiteMapProvider. So that's set and works great. >>>> >>>> So then I realize that it builds the sitemap at the application >>>> level, not at the user level. So I've been looking into how to >>>> restrict the menu items - based on security I will get from the >>>> database. >>>> >>>> In my inherited class, I override IsAccessibleToUser - and that >>>> seems to work for the breadcrumbs (because it doesn't show anything >>>> if I go to an "invalid" page) - but it doesn't do anything to the >>>> menu (or the treeview either, for that matter). I basically check a >>>> couple hard-coded "roles" to the "roles" that are associated with >>>> the current node. >>>> >>>> From what I've been piecing together, it looks like the menu will >>>> only trim away the unwanted menu items if the provider has the >>>> securityTrimmingEnabled="true" - but when I try to add that to the >>>> <providers> section in web.config - I get a red-squiggly and a >>>> compiler warning that it's invalid (where it used to be valid in old >>>> versions). >>>> >>>> BOTTOM LINE: >>>> I need to prune the menu hierarchy based on user permissions. One >>>> user >>>> may only see literally one item and another user may see a few dozen >>>> - or >>>> at least that's what I need to replicate. >>>> How can I have the menu control (or the treeview) prune away the >>>> things that the current user isn't supposed to see?? >>>> > > >
Hi RCS:
It's true, you must use securityTrimmingEnabled="true". This works well. Ignore the red squiggly line. Unfortunately, the validation in VS 2005 can only take into consideration the settings that are common to all site map providers. The securityTrimmingEnabled attribute is a setting specific to the Xml site map provider that ships with asp.net 2.0. It works, even though the IDE doesn't know about it, the provider does. It's jus a case of the validation being a little overzealous. -- Scott http://www.OdeToCode.com/blogs/scott/ [quoted text, click to view] On Thu, 14 Jul 2005 18:06:29 GMT, "RCS" <rseder@gmail.com> wrote:
>All, > >OK, so I'm working on a template for our new ASP.NET applications. Part of >this, includes using the new menu and breadcrumbs control in ASP.NET 2.0 >(I'm using beta 2). > >I put the hierarchy of the applications and navigation in a database, and am >able to pull that into the app by inheriting StaticSiteMapProvider. So >that's set and works great. > >So then I realize that it builds the sitemap at the application level, not >at the user level. So I've been looking into how to restrict the menu >items - based on security I will get from the database. > >In my inherited class, I override IsAccessibleToUser - and that seems to >work for the breadcrumbs (because it doesn't show anything if I go to an >"invalid" page) - but it doesn't do anything to the menu (or the treeview >either, for that matter). I basically check a couple hard-coded "roles" to >the "roles" that are associated with the current node. > >From what I've been piecing together, it looks like the menu will only trim >away the unwanted menu items if the provider has the >securityTrimmingEnabled="true" - but when I try to add that to the ><providers> section in web.config - I get a red-squiggly and a compiler >warning that it's invalid (where it used to be valid in old versions). > >BOTTOM LINE: >I need to prune the menu hierarchy based on user permissions. One user may >only see literally one item and another user may see a few dozen - or at >least that's what I need to replicate. > >How can I have the menu control (or the treeview) prune away the things that >the current user isn't supposed to see?? > >
Hi Rcs:
You can always plug your own custom site map provider in, although I've been using security trimming so that should work. It will build the menu control such that the user only sees what they are allowed to navigate to. In the providers section, did you have a <remove> element in to make sure it's not using the default configuration? -- Scott http://www.OdeToCode.com/blogs/scott/ [quoted text, click to view] On Fri, 15 Jul 2005 17:27:50 GMT, "RCS" <rseder@gmail.com> wrote:
>Scott - thanks.. > >Even if I do do this, A) if I do this in my page_load: > > Response.Write(this.SiteMapDataSource1.Provider.SecurityTrimmingEnabled.ToString()); > >(Assuming that SiteMapDataSource1 points to my custom SiteMapProvider) - it >returns false. Then, in my class, I do this, to overwrite the default >implementation: > > public new bool SecurityTrimmingEnabled = true; > >Still - same result. It's beginning to look like I need to inherit from >higher up the tree - like SiteMapProvider (instead of >StaticSiteMapProvider) - or XmlSiteMapProvider or ProviderBase > >But even if I did - and managed to get that to work, I'm not sure it will >solve my problem. Because at this point, I'm almost convinced that MY >sitemaprovider truly doesn't support SecurityTrimmingEnabled - and I don't >know where to begin, to make it support it. > > >Lastly - I could've solved all of this last week, if I could just build a >sitemap on a per-user basis (instead of per-application). I could handle all >the security in the database and just return the valid menu items for this >user. > >Any ideas on how to make a sitemapprovider (and more specifically - a >SiteMapDataSource) - able to be used on a per-user basis???? Thanks again! > > >"Scott Allen" <scott@nospam.odetocode.com> wrote in message >news:qiqfd1hdcmi580q1miap2i2n1khk1bi98s@4ax.com... >> Hi RCS: >> >> It's true, you must use securityTrimmingEnabled="true". This works >> well. >> >> Ignore the red squiggly line. Unfortunately, the validation in VS 2005 >> can only take into consideration the settings that are common to all >> site map providers. The securityTrimmingEnabled attribute is a setting >> specific to the Xml site map provider that ships with asp.net 2.0. It >> works, even though the IDE doesn't know about it, the provider does. >> >> It's jus a case of the validation being a little overzealous. >> >> -- >> Scott >> http://www.OdeToCode.com/blogs/scott/ >> >> >> On Thu, 14 Jul 2005 18:06:29 GMT, "RCS" <rseder@gmail.com> wrote: >> >>>All, >>> >>>OK, so I'm working on a template for our new ASP.NET applications. Part of >>>this, includes using the new menu and breadcrumbs control in ASP.NET 2.0 >>>(I'm using beta 2). >>> >>>I put the hierarchy of the applications and navigation in a database, and >>>am >>>able to pull that into the app by inheriting StaticSiteMapProvider. So >>>that's set and works great. >>> >>>So then I realize that it builds the sitemap at the application level, not >>>at the user level. So I've been looking into how to restrict the menu >>>items - based on security I will get from the database. >>> >>>In my inherited class, I override IsAccessibleToUser - and that seems to >>>work for the breadcrumbs (because it doesn't show anything if I go to an >>>"invalid" page) - but it doesn't do anything to the menu (or the treeview >>>either, for that matter). I basically check a couple hard-coded "roles" to >>>the "roles" that are associated with the current node. >>> >>>From what I've been piecing together, it looks like the menu will only >>>trim >>>away the unwanted menu items if the provider has the >>>securityTrimmingEnabled="true" - but when I try to add that to the >>><providers> section in web.config - I get a red-squiggly and a compiler >>>warning that it's invalid (where it used to be valid in old versions). >>> >>>BOTTOM LINE: >>>I need to prune the menu hierarchy based on user permissions. One user may >>>only see literally one item and another user may see a few dozen - or at >>>least that's what I need to replicate. >>> >>>How can I have the menu control (or the treeview) prune away the things >>>that >>>the current user isn't supposed to see?? >>> >>> >> >
Scott - thanks..
Even if I do do this, A) if I do this in my page_load: Response.Write(this.SiteMapDataSource1.Provider.SecurityTrimmingEnabled.ToString()); (Assuming that SiteMapDataSource1 points to my custom SiteMapProvider) - it returns false. Then, in my class, I do this, to overwrite the default implementation: public new bool SecurityTrimmingEnabled = true; Still - same result. It's beginning to look like I need to inherit from higher up the tree - like SiteMapProvider (instead of StaticSiteMapProvider) - or XmlSiteMapProvider or ProviderBase But even if I did - and managed to get that to work, I'm not sure it will solve my problem. Because at this point, I'm almost convinced that MY sitemaprovider truly doesn't support SecurityTrimmingEnabled - and I don't know where to begin, to make it support it. Lastly - I could've solved all of this last week, if I could just build a sitemap on a per-user basis (instead of per-application). I could handle all the security in the database and just return the valid menu items for this user. Any ideas on how to make a sitemapprovider (and more specifically - a SiteMapDataSource) - able to be used on a per-user basis???? Thanks again! [quoted text, click to view] "Scott Allen" <scott@nospam.odetocode.com> wrote in message news:qiqfd1hdcmi580q1miap2i2n1khk1bi98s@4ax.com... > Hi RCS: > > It's true, you must use securityTrimmingEnabled="true". This works > well. > > Ignore the red squiggly line. Unfortunately, the validation in VS 2005 > can only take into consideration the settings that are common to all > site map providers. The securityTrimmingEnabled attribute is a setting > specific to the Xml site map provider that ships with asp.net 2.0. It > works, even though the IDE doesn't know about it, the provider does. > > It's jus a case of the validation being a little overzealous. > > -- > Scott > http://www.OdeToCode.com/blogs/scott/ > > > On Thu, 14 Jul 2005 18:06:29 GMT, "RCS" <rseder@gmail.com> wrote: > >>All, >> >>OK, so I'm working on a template for our new ASP.NET applications. Part of >>this, includes using the new menu and breadcrumbs control in ASP.NET 2.0 >>(I'm using beta 2). >> >>I put the hierarchy of the applications and navigation in a database, and >>am >>able to pull that into the app by inheriting StaticSiteMapProvider. So >>that's set and works great. >> >>So then I realize that it builds the sitemap at the application level, not >>at the user level. So I've been looking into how to restrict the menu >>items - based on security I will get from the database. >> >>In my inherited class, I override IsAccessibleToUser - and that seems to >>work for the breadcrumbs (because it doesn't show anything if I go to an >>"invalid" page) - but it doesn't do anything to the menu (or the treeview >>either, for that matter). I basically check a couple hard-coded "roles" to >>the "roles" that are associated with the current node. >> >>From what I've been piecing together, it looks like the menu will only >>trim >>away the unwanted menu items if the provider has the >>securityTrimmingEnabled="true" - but when I try to add that to the >><providers> section in web.config - I get a red-squiggly and a compiler >>warning that it's invalid (where it used to be valid in old versions). >> >>BOTTOM LINE: >>I need to prune the menu hierarchy based on user permissions. One user may >>only see literally one item and another user may see a few dozen - or at >>least that's what I need to replicate. >> >>How can I have the menu control (or the treeview) prune away the things >>that >>the current user isn't supposed to see?? >> >> >
Hiya,
I'm already doing that - I inherited from StaticSiteMapProvider - and the menu is populated correctly with ALL possible menu options (from a SQL databsae) - including menu options inappropriate for some users. Assuming my inherited is named MySiteMapProvider - I have this in my web.config: <siteMap defaultProvider="MySiteMapProvider" enabled="true"> <providers> <clear/> <add name="MySiteMapProvider" securityTrimmingEnabled="true" type="MySiteMapProvider"></add> </providers> </siteMap> And again - my provider works perfectly. The problem is, I need to prune back menu items (or nodes within the provider) so that the current user sees the appropriate menu items. I think I've hit the end of the Internet - I've scoured every resource I know and I'm pretty much at a standstill. thanks again! [quoted text, click to view] "Scott Allen" <scott@nospam.odetocode.com> wrote in message news:s4vfd1hrapgth9ta49mn4goj4fq4hbh5c4@4ax.com... > Hi Rcs: > > You can always plug your own custom site map provider in, although > I've been using security trimming so that should work. It will build > the menu control such that the user only sees what they are allowed to > navigate to. > > In the providers section, did you have a <remove> element in to make > sure it's not using the default configuration? > > -- > Scott > http://www.OdeToCode.com/blogs/scott/ > > On Fri, 15 Jul 2005 17:27:50 GMT, "RCS" <rseder@gmail.com> wrote: > >>Scott - thanks.. >> >>Even if I do do this, A) if I do this in my page_load: >> >> >> Response.Write(this.SiteMapDataSource1.Provider.SecurityTrimmingEnabled.ToString()); >> >>(Assuming that SiteMapDataSource1 points to my custom SiteMapProvider) - >>it >>returns false. Then, in my class, I do this, to overwrite the default >>implementation: >> >> public new bool SecurityTrimmingEnabled = true; >> >>Still - same result. It's beginning to look like I need to inherit from >>higher up the tree - like SiteMapProvider (instead of >>StaticSiteMapProvider) - or XmlSiteMapProvider or ProviderBase >> >>But even if I did - and managed to get that to work, I'm not sure it will >>solve my problem. Because at this point, I'm almost convinced that MY >>sitemaprovider truly doesn't support SecurityTrimmingEnabled - and I don't >>know where to begin, to make it support it. >> >> >>Lastly - I could've solved all of this last week, if I could just build a >>sitemap on a per-user basis (instead of per-application). I could handle >>all >>the security in the database and just return the valid menu items for this >>user. >> >>Any ideas on how to make a sitemapprovider (and more specifically - a >>SiteMapDataSource) - able to be used on a per-user basis???? Thanks again! >> >> >>"Scott Allen" <scott@nospam.odetocode.com> wrote in message >>news:qiqfd1hdcmi580q1miap2i2n1khk1bi98s@4ax.com... >>> Hi RCS: >>> >>> It's true, you must use securityTrimmingEnabled="true". This works >>> well. >>> >>> Ignore the red squiggly line. Unfortunately, the validation in VS 2005 >>> can only take into consideration the settings that are common to all >>> site map providers. The securityTrimmingEnabled attribute is a setting >>> specific to the Xml site map provider that ships with asp.net 2.0. It >>> works, even though the IDE doesn't know about it, the provider does. >>> >>> It's jus a case of the validation being a little overzealous. >>> >>> -- >>> Scott >>> http://www.OdeToCode.com/blogs/scott/ >>> >>> >>> On Thu, 14 Jul 2005 18:06:29 GMT, "RCS" <rseder@gmail.com> wrote: >>> >>>>All, >>>> >>>>OK, so I'm working on a template for our new ASP.NET applications. Part >>>>of >>>>this, includes using the new menu and breadcrumbs control in ASP.NET 2.0 >>>>(I'm using beta 2). >>>> >>>>I put the hierarchy of the applications and navigation in a database, >>>>and >>>>am >>>>able to pull that into the app by inheriting StaticSiteMapProvider. So >>>>that's set and works great. >>>> >>>>So then I realize that it builds the sitemap at the application level, >>>>not >>>>at the user level. So I've been looking into how to restrict the menu >>>>items - based on security I will get from the database. >>>> >>>>In my inherited class, I override IsAccessibleToUser - and that seems to >>>>work for the breadcrumbs (because it doesn't show anything if I go to an >>>>"invalid" page) - but it doesn't do anything to the menu (or the >>>>treeview >>>>either, for that matter). I basically check a couple hard-coded "roles" >>>>to >>>>the "roles" that are associated with the current node. >>>> >>>>From what I've been piecing together, it looks like the menu will only >>>>trim >>>>away the unwanted menu items if the provider has the >>>>securityTrimmingEnabled="true" - but when I try to add that to the >>>><providers> section in web.config - I get a red-squiggly and a compiler >>>>warning that it's invalid (where it used to be valid in old versions). >>>> >>>>BOTTOM LINE: >>>>I need to prune the menu hierarchy based on user permissions. One user >>>>may >>>>only see literally one item and another user may see a few dozen - or at >>>>least that's what I need to replicate. >>>> >>>>How can I have the menu control (or the treeview) prune away the things >>>>that >>>>the current user isn't supposed to see?? >>>> >>>> >>> >> >
Hello Scott,
there is an article in the latest (or the one before that) msdn magazine. they build a siteMapProvider for SqlServer... msdn.microsoft.com/msdnmag --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > I know there is not a tremendous amount published yet in this area. > Best of luck. > > -- > Scott > http://www.OdeToCode.com/blogs/scott/ > On Fri, 15 Jul 2005 18:27:28 GMT, "RCS" <rseder@gmail.com> wrote: > >> Hiya, >> >> I'm already doing that - I inherited from StaticSiteMapProvider - and >> the menu is populated correctly with ALL possible menu options (from >> a SQL databsae) - including menu options inappropriate for some >> users. >> >> Assuming my inherited is named MySiteMapProvider - I have this in my >> web.config: >> >> <siteMap defaultProvider="MySiteMapProvider" enabled="true"> >> <providers> >> <clear/> >> <add name="MySiteMapProvider" securityTrimmingEnabled="true" >> type="MySiteMapProvider"></add> >> </providers> >> </siteMap> >> And again - my provider works perfectly. The problem is, I need to >> prune back menu items (or nodes within the provider) so that the >> current user sees the appropriate menu items. >> >> I think I've hit the end of the Internet - I've scoured every >> resource I know and I'm pretty much at a standstill. >> >> thanks again! >>
I know there is not a tremendous amount published yet in this area.
Best of luck. -- Scott http://www.OdeToCode.com/blogs/scott/ [quoted text, click to view] On Fri, 15 Jul 2005 18:27:28 GMT, "RCS" <rseder@gmail.com> wrote:
>Hiya, > >I'm already doing that - I inherited from StaticSiteMapProvider - and the >menu is populated correctly with ALL possible menu options (from a SQL >databsae) - including menu options inappropriate for some users. > >Assuming my inherited is named MySiteMapProvider - I have this in my >web.config: > ><siteMap defaultProvider="MySiteMapProvider" enabled="true"> > <providers> > <clear/> > <add name="MySiteMapProvider" securityTrimmingEnabled="true" >type="MySiteMapProvider"></add> > </providers> ></siteMap> > >And again - my provider works perfectly. The problem is, I need to prune >back menu items (or nodes within the provider) so that the current user sees >the appropriate menu items. > >I think I've hit the end of the Internet - I've scoured every resource I >know and I'm pretty much at a standstill. > >thanks again! >
Not much except for here: http://msdn2.microsoft.com/library/e468hxky.aspx
Some good forum posts at http://forums.asp.net/search/SearchResults.aspx?q=securitytrimming&f=&u= too. --JF [quoted text, click to view] "Scott Allen" wrote:
> I know there is not a tremendous amount published yet in this area. > Best of luck. > > -- > Scott > http://www.OdeToCode.com/blogs/scott/ > > On Fri, 15 Jul 2005 18:27:28 GMT, "RCS" <rseder@gmail.com> wrote: > > >Hiya, > > > >I'm already doing that - I inherited from StaticSiteMapProvider - and the > >menu is populated correctly with ALL possible menu options (from a SQL > >databsae) - including menu options inappropriate for some users. > > > >Assuming my inherited is named MySiteMapProvider - I have this in my > >web.config: > > > ><siteMap defaultProvider="MySiteMapProvider" enabled="true"> > > <providers> > > <clear/> > > <add name="MySiteMapProvider" securityTrimmingEnabled="true" > >type="MySiteMapProvider"></add> > > </providers> > ></siteMap> > > > >And again - my provider works perfectly. The problem is, I need to prune > >back menu items (or nodes within the provider) so that the current user sees > >the appropriate menu items. > > > >I think I've hit the end of the Internet - I've scoured every resource I > >know and I'm pretty much at a standstill. > > > >thanks again! > > >
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |