
How can I limit asp.net control actions based on user role?

I have several pages or views in my application which are essentially the same for both authenticated users and anonymous users. I'd like to limit the insert/update/delete actions in formviews and gridviews to authenticated users only, and allow read access for both authed and anon users.

I'm using the asp.net configuration system for handling authentication and roles. This system limits access based on path so I've been creating duplicate pages for authed and anon paths.

The solution that comes to mind immediately is to check roles in the appropriate event handlers, limiting what possible actions are displayed (insert/update/delete buttons) and also limiting what actions are performed (for users that may know how to perform an action in the absence of a button.) However, this solution doesn't eliminate duplication - I'd be duplicating security code on a series of pages rather than duplicating pages and limiting access based on path; the latter would be significantly less complicated.

I could always build some controls that offered role-based configuration, but I don't think I have time for that kind of commitment right now.

Is there a relatively easy way to do this (do such controls exist?) or should I just stick to path-based access and duplicate pages?

Does it even make sense to use two methods of authorization? There are still some pages which are strictly for either role so I'll be making use of path-based authorization anyway.

Finally, would using something other than path-based authorization be contrary to typical asp.net design practices, at least in the context of using the asp.net configuration system?

Matt asked Jan 23 '26 04:01


2 Answers

The best approach will be to add a property on a custom control saying Roles or something that will allow the users of such roles to view the control. Since you do not have time for that, you can make a helper method which will deal with the Visible property of the control. Something like this:

<asp:Button id="UpdateButton" runat="server" Visible='<%# IsInRole("Admin") %>' />

You can also make your own helper method that checks for more criteria.

azamsharp answered Jan 26 '26 01:01


To display the controls, you could use asp:LoginView.

http://www.codedigest.com/Articles/ASPNET/78_LoginView_Controls_with_Roles_in_ASPNet_20.aspx

For "users that may know how to perform an action in the absence of a button", you could use if User.IsInRole("Role_name") then ... before doing your update stuff. You could also add security to a function by using:

<PrincipalPermission(SecurityAction.Demand, role:="Role_name")> _

https://web.archive.org/web/20190829043329/http://www.4guysfromrolla.com/webtech/121901-1.2.shtml

DavRob60 answered Jan 26 '26 03:01
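
An added example, not part of either answer above: one way to keep the role check in a single place is a shared base page that cancels GridView and FormView write events on the server unless the user is in an allowed role, so hiding a button is never the only control. The class name `RoleGuardedPage`, the `CanEdit` property and the role name `Editor` are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical base class: pages inherit from it instead of System.Web.UI.Page.
public class RoleGuardedPage : Page
{
    // Assumed role name; use a role defined in your role provider.
    private const string EditorRole = "Editor";

    // Also usable from markup, e.g. Visible='<%# CanEdit %>'.
    protected bool CanEdit
    {
        get { return User.Identity.IsAuthenticated && User.IsInRole(EditorRole); }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        AttachGuards(this);
    }

    // Walk the control tree once and guard every GridView and FormView found.
    private void AttachGuards(Control parent)
    {
        foreach (Control child in parent.Controls)
        {
            GridView grid = child as GridView;
            if (grid != null)
            {
                grid.RowEditing += (s, a) => CancelUnlessAllowed(a);
                grid.RowUpdating += (s, a) => CancelUnlessAllowed(a);
                grid.RowDeleting += (s, a) => CancelUnlessAllowed(a);
            }
            FormView form = child as FormView;
            if (form != null)
            {
                form.ItemInserting += (s, a) => CancelUnlessAllowed(a);
                form.ItemUpdating += (s, a) => CancelUnlessAllowed(a);
                form.ItemDeleting += (s, a) => CancelUnlessAllowed(a);
            }
            AttachGuards(child);
        }
    }

    // These event args all derive from CancelEventArgs, so one check serves every handler.
    private void CancelUnlessAllowed(CancelEventArgs args)
    {
        if (!CanEdit) args.Cancel = true;
    }
}
```

Controls created later in the page lifecycle (for example inside the templates of data-bound controls) are not found by this walk in OnInit and need the same handlers attached where they are created.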


