Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 10 of 10
  1. #1
    New Coder
    Join Date
    Oct 2004
    Posts
    64
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Hide a link from users that do not have permission?

    I have a very basic site with 3 pages (Login, Query and Add). I have set up my web.config file to allow 4 users access to the site, and 2 of those users are allowed on the Add page.

    My question is, is there a way to hide the "Add" page link on Query.aspx from the users that are not allowed to access that page?

    Here's the site structure...

    Login.aspx - is a login form. I used Forms Authentication with Active Directory, and in web.config I provided a list of users that are able to log in to the site. There are 4 allowed users: jdoe, asmith, mbrown, and bjones. After login the users are redirected to Query.aspx.

    Query.aspx - a page that searches a database. All 4 allowed users can access this page. This page has a link to Add.aspx. I want to hide this link from mbrown and bjones.

    Add.aspx - adds a record to the database. Only 2 of the allowed users (only jdoe and asmith) are be allowed to access this page.

    Part of web.config (some stuff omitted to save space):
    Code:
    <configuration>
    	<system.web>
    		<authentication mode="Forms">
    			<forms
    				loginUrl="/MySite/Login.aspx"
    				name = ".ASPXFORMSAUTH" 
    			/>
    		</authentication>    
    		<authorization>
    			<allow users="jdoe,asmith,mbrown,bjones"/>
    			<deny users="*"/>
    		</authorization>
    	</system.web>
    
    	<location path="Add.aspx">
    		<system.web>
    			<authorization>
    				<allow users="jdoe,asmith"/>
    				<deny users="*"/>
    			</authorization>
    		</system.web>
    	</location>
    </configuration>
    Last edited by melissa820; 12-20-2005 at 03:08 PM.

  • #2
    New Coder
    Join Date
    Nov 2005
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I need to do something similar to what you are doing but have not started on it. Any info would be great.

  • #3
    teh Moderatorinator
    Join Date
    Sep 2004
    Location
    USA
    Posts
    2,472
    Thanks
    4
    Thanked 40 Times in 40 Posts
    Is it a Web Control HyperLink? You could check which user is logged in and then show/hide the hyperlink with the visible property.

    Good luck;

  • #4
    Regular Coder
    Join Date
    Oct 2005
    Posts
    140
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Are you making use of the datagrid to display the data when the users search from the database? That is if you are using Visual Studio, or i figure from your codes you could be using Dreamweaver. Or what software are you using ? As far as i know, VS specializes in ASP.Net, their features are much more user friendly and saves you quite a fair bit of time.
    Last edited by plasterx; 12-21-2005 at 02:44 AM.

  • #5
    New Coder
    Join Date
    Oct 2004
    Posts
    64
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Brandoe85:

    The link is actually a LinkButton control. I guess I could make it a hyperlink, now that I think about it. So how do I check which user is logged in?

    Plasterx:

    I am using Visual Studio. And yes I am using a DataGrid to display the search results. I don't see what that has to do with my question?

    Thanks for the replies!

  • #6
    teh Moderatorinator
    Join Date
    Sep 2004
    Location
    USA
    Posts
    2,472
    Thanks
    4
    Thanked 40 Times in 40 Posts
    A link button is Ok. If it's a Web Control you can use the visibility property to show and hide it. On you login form, do you save the username on a successful login? Say save it in a session variable, then on your page, you can check the value of the session variable to determine if they should be able to see the link.

    Good luck

  • #7
    New Coder
    Join Date
    Oct 2004
    Posts
    64
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I don't save the username, but I could easily. The code I would use to check the usernames is below. The problem is, that then I would have to have the usernames in the aspx code. Isn't that a security risk? I don't want these usernames to be found out by random people. I don't really know a lot about security, so I might be way off here. Is putting the usernames into the code something that I should worry about?

    Code:
    private void Page_Load(object sender, System.EventArgs e)
    {
    	if(Session["Username"] == "mbrown" || Session["Username"] == "bjones")
    	{
    		this.linkAdd.Visible = false;
    	}
    	else
    	{
    		this.linkAdd.Visible = true;
    	}
    }
    ETA: If there were some way I could read or reference the web.config file to get the allowed usernames, that would be way better. Something like
    Code:
    if (the session username is in the "allowed" list for location path="Add.aspx")  
    {
    show link
    }
    Is this possible??
    Last edited by melissa820; 12-21-2005 at 03:42 PM.

  • #8
    teh Moderatorinator
    Join Date
    Sep 2004
    Location
    USA
    Posts
    2,472
    Thanks
    4
    Thanked 40 Times in 40 Posts
    You could add in a section of your own to your webconfig file that has the users that are not allowed to see the link and then check your session to the list. I don't see a problem with you hardcoding them in, but I would think it would grow harder to maintain if you ever wanted to add more users. If you want you can add a section in your webconfig file like this:
    Code:
    <configuration>
    	<appSettings>
    		<add key="HiddenUsers" value="mbrown, bjones" />
    	</appSettings>
    <system.web>
    
    ..etc
    Now, you can go about this a few different ways, you can check the session with IndexOf() and see if it exists:
    Code:
    if(System.Configuration.ConfigurationSettings.AppSettings["HiddenUsers"].IndexOf(Session["Username"].ToString()) != -1)
    {
    	this.linkAdd.Visible = false;
    }
    I don't see a need for the else statement, as long as you're link button is visible by default. But if you go this route, say you logged in as bjones or mbrown. Great, they won't see the link, but if you logged in as bjone or something they also wouldn't be able to see the link, becasue that string would match. So, another option could be to split based on the comma:
    Code:
    string[] HiddenUsers = System.Configuration.ConfigurationSettings.AppSettings["HiddenUsers"].Split(",".ToCharArray());
    for(int i = 0; i < HiddenUsers.Length; i++)
    {
    	if(Session["Username"].ToString() == HiddenUsers[i].Trim())
    	{
    		this.linkAdd.Visible = false;
    	}
    }
    This would match the names exactly and you wouldn't let any sneak by.

    Good luck

  • #9
    New Coder
    Join Date
    Oct 2004
    Posts
    64
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Brando, you're a genius. I'm just starting out with C# and .NET so I didn't know you could get to the web.config file using System.Configuration.ConfigurationSettings.AppSettings. Thanks for all your help!

  • #10
    teh Moderatorinator
    Join Date
    Sep 2004
    Location
    USA
    Posts
    2,472
    Thanks
    4
    Thanked 40 Times in 40 Posts
    Great! Keep it up

    Adding certain things that are constants throughout your application to the webconfig can come in handy, another good example is adding your connection string in there as well.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •