Hide a link from users that do not have permission?

I have a very basic site with 3 pages (Login, Query and Add). I have set up my web.config file to allow 4 users access to the site, and 2 of those users are allowed on the Add page.

My question is, is there a way to hide the "Add" page link on Query.aspx from the users that are not allowed to access that page?

Here's the site structure...

Login.aspx - is a login form. I used Forms Authentication with Active Directory, and in web.config I provided a list of users that are able to log in to the site. There are 4 allowed users: jdoe, asmith, mbrown, and bjones. After login the users are redirected to Query.aspx.

Query.aspx - a page that searches a database. All 4 allowed users can access this page. This page has a link to Add.aspx. I want to hide this link from mbrown and bjones.

Add.aspx - adds a record to the database. Only 2 of the allowed users (only jdoe and asmith) are be allowed to access this page.

Part of web.config (some stuff omitted to save space):

<configuration>
<system.web>
<authentication mode="Forms">
<forms
loginUrl="/MySite/Login.aspx"
name = ".ASPXFORMSAUTH"
/>
</authentication>
<authorization>
<allow users="jdoe,asmith,mbrown,bjones"/>
<deny users="*"/>
</authorization>
</system.web>

<location path="Add.aspx">
<system.web>
<authorization>
<allow users="jdoe,asmith"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>

I need to do something similar to what you are doing but have not started on it. Any info would be great. :)

Is it a Web Control HyperLink? You could check which user is logged in and then show/hide the hyperlink with the visible property.

Good luck;

Are you making use of the datagrid to display the data when the users search from the database? That is if you are using Visual Studio, or i figure from your codes you could be using Dreamweaver. Or what software are you using ? As far as i know, VS specializes in ASP.Net, their features are much more user friendly and saves you quite a fair bit of time.

Brandoe85:

The link is actually a LinkButton control. I guess I could make it a hyperlink, now that I think about it. So how do I check which user is logged in?

Plasterx:

I am using Visual Studio. And yes I am using a DataGrid to display the search results. I don't see what that has to do with my question?

Thanks for the replies!

A link button is Ok. If it's a Web Control you can use the visibility property to show and hide it. On you login form, do you save the username on a successful login? Say save it in a session variable, then on your page, you can check the value of the session variable to determine if they should be able to see the link.

Good luck

I don't save the username, but I could easily. The code I would use to check the usernames is below. The problem is, that then I would have to have the usernames in the aspx code. Isn't that a security risk? I don't want these usernames to be found out by random people. I don't really know a lot about security, so I might be way off here. Is putting the usernames into the code something that I should worry about?


private void Page_Load(object sender, System.EventArgs e)
{
if(Session["Username"] == "mbrown" || Session["Username"] == "bjones")
{
this.linkAdd.Visible = false;
}
else
{
this.linkAdd.Visible = true;
}
}



ETA: If there were some way I could read or reference the web.config file to get the allowed usernames, that would be way better. Something like

if (the session username is in the "allowed" list for location path="Add.aspx")
{
show link
}


Is this possible??

You could add in a section of your own to your webconfig file that has the users that are not allowed to see the link and then check your session to the list. I don't see a problem with you hardcoding them in, but I would think it would grow harder to maintain if you ever wanted to add more users. If you want you can add a section in your webconfig file like this:

<configuration>
<appSettings>
<add key="HiddenUsers" value="mbrown, bjones" />
</appSettings>
<system.web>

..etc


Now, you can go about this a few different ways, you can check the session with IndexOf() and see if it exists:

if(System.Configuration.ConfigurationSettings.AppSettings["HiddenUsers"].IndexOf(Session["Username"].ToString()) != -1)
{
this.linkAdd.Visible = false;
}

I don't see a need for the else statement, as long as you're link button is visible by default. But if you go this route, say you logged in as bjones or mbrown. Great, they won't see the link, but if you logged in as bjone or something they also wouldn't be able to see the link, becasue that string would match. So, another option could be to split based on the comma:

string[] HiddenUsers = System.Configuration.ConfigurationSettings.AppSettings["HiddenUsers"].Split(",".ToCharArray());
for(int i = 0; i < HiddenUsers.Length; i++)
{
if(Session["Username"].ToString() == HiddenUsers[i].Trim())
{
this.linkAdd.Visible = false;
}
}

This would match the names exactly and you wouldn't let any sneak by.

Good luck :)

Brando, you're a genius. I'm just starting out with C# and .NET so I didn't know you could get to the web.config file using System.Configuration.ConfigurationSettings.AppSettings. Thanks for all your help!

Great! Keep it up :)

Adding certain things that are constants throughout your application to the webconfig can come in handy, another good example is adding your connection string in there as well.