Question
I am using Asp.Net/C# to build an application. I am using Forms Authentication. I have a requirement such that many of my authenticated (not anonymous) users are restricted to certain page functionalities or user interface. I guess the Login Control could be used only for Authenticated vs Anonymous users. So my question is: when I know that a certain page component is to be hidden from particular authenticated users, how do I go about it? Do you think I need to use this in the page_load event to hide the components for the pages which have such requirements?
// Is this Tito visiting the page?
string userName = User.Identity.Name;
if (string.Compare(userName, "Tito", true) == 0)
// This is Tito, SHOW the Delete column
FilesGrid.Columns[1].Visible = true;
else
// This is NOT Tito, HIDE the Delete column
FilesGrid.Columns[1].Visible = false;
Are there better approaches to accomplish this? Any help is much appreciated. Thanks
Answer 1:
Here you can use the Membership User class and RolePrincipal to separate the users.
if(HttpContext.Current.User.IsInRole("Level1"))
{
FilesGrid.Columns[1].Visible = true;
}
else
{
FilesGrid.Columns[1].Visible = false;
}
So you make and place your user in different membership names, and then you show them different controls that depend on the membership role.
Some links:
http://msdn.microsoft.com/en-us/library/ff648345.aspx
http://msdn.microsoft.com/en-us/library/system.web.security.roleprincipal.isinrole.aspx
Answer 2:
You also need to know that, when you just hide a control, its base64-encoded value is still present in the viewstate. The client is able to read it.
The client can also read which hidden control triggers an action. And nothing prevents a "smart" client from triggering this action.
So :
- restricted-access values should not be bound to the controls if you don't want to display them (PreRender is not called on non-visible controls, so doing your binding in PreRender is a good habit)
- you should always add another access-control check inside your event handlers, to see if the call is authorized
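The two points in this answer combined into one Web Forms code-behind, as an added example that is not code from the question or either answer: the role name "Level1" comes from answer 1 and the GridView id "FilesGrid" from the question; the page class, the `LoadFilesFor` and `DeleteFile` helpers and the delete event wiring are assumptions.

```csharp
// Added example, not from the original thread. Column visibility is decided
// in PreRender, and the same role check is repeated in the delete handler, so
// a client that replays a postback for the hidden column is still refused.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Files : Page
{
    // One authoritative decision used by both the UI and the event handler.
    private bool CanDelete()
    {
        return User != null
            && User.Identity.IsAuthenticated
            && User.IsInRole("Level1");   // role name taken from answer 1
    }

    protected void Page_PreRender(object sender, EventArgs e)
    {
        bool allowed = CanDelete();

        // Hidden columns are not rendered, so nothing about them reaches the client.
        FilesGrid.Columns[1].Visible = allowed;

        // Bind only what this user may see; restricted values never enter ViewState.
        FilesGrid.DataSource = LoadFilesFor(User.Identity.Name, allowed); // assumed helper
        FilesGrid.DataBind();
    }

    // Runs on every delete postback, whether or not the Delete column was ever shown.
    protected void FilesGrid_RowDeleting(object sender, GridViewDeleteEventArgs e)
    {
        if (!CanDelete())
        {
            e.Cancel = true;                 // never perform the delete
            Response.StatusCode = 403;       // surface the refusal to the caller
            Response.SuppressContent = true;
            HttpContext.Current.ApplicationInstance.CompleteRequest();
            return;
        }

        DeleteFile((string)e.Keys[0]);       // assumed helper; key is the file id
    }
}
```

Wire `FilesGrid_RowDeleting` to the grid's `OnRowDeleting` attribute in the .aspx markup; the handler check is the one that actually protects the operation, the visibility change only tidies the UI.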
Source: https://stackoverflow.com/questions/10186549/restricting-certain-page-functionality-or-user-interface-to-authenticated-users