problem with sitemap and role

hertendreef · June 19th, 2007, 05:33 PM

Hi,

I have a problem with sitemap combined with role. I posted in the professional group but i reformulated here and made the things simplier:

there are two defined users: user1 and user2
there is one role: manager
user1 belongs to the role manager; user2 not.

there are three pages (page1.aspx, page2.aspx and page3.aspx).
page1.aspx is only reserved for role manager (user1)
page2.aspx and page3.aspx is for all users.

the sitemap is:
-------------
<siteMapNode url="page1.aspx" title="pg1" roles="manager" >
        <siteMapNode url="page2.aspx" title="pg2" roles="*" >
        </siteMapNode>
        <siteMapNode url="page3.aspx" title="pg3" roles="*" >
           </siteMapNode>
      </siteMapNode>

i read somewhere on internet this:
"If the current user is in a role specified in the node's Roles property, or if Roles is "*", the node is returned. "
"If the current user is not in a role specified in the node's Roles property, then a URL authorization check is performed to determine whether the user has access to the node's URL. If the answer is yes, the node is returned. "

so i put a URL authorization in the web.config:
-----------------------------------------------------------------

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <appSettings/>
    <connectionStrings/>

  <system.web>
  <roleManager enabled="true" />
  </system.web>

  <location path="page1.aspx">
    <system.web>
      <authorization>
        <deny users="*" />
       </authorization>
    </system.web>
  </location>

   <system.web>

        <compilation debug="false" strict="false" explicit="true" />
        <pages>
            <namespaces>
                <clear />
                <add namespace="System" />
                <add namespace="System.Collections" />
                <add namespace="System.Collections.Specialized" />
                <add namespace="System.Configuration" />
                <add namespace="System.Text" />
                <add namespace="System.Text.RegularExpressions" />
                <add namespace="System.Web" />
                <add namespace="System.Web.Caching" />
                <add namespace="System.Web.SessionState" />
                <add namespace="System.Web.Security" />
                <add namespace="System.Web.Profile" />
                <add namespace="System.Web.UI" />
                <add namespace="System.Web.UI.WebControls" />
                <add namespace="System.Web.UI.WebControls.WebParts" />
                <add namespace="System.Web.UI.HtmlControls" />
            </namespaces>
        </pages>

        <authentication mode="Forms" />

      <siteMap defaultProvider="AspXmlSiteMapProvider" enabled="true">
        <providers>
          <clear/>
          <add name="AspXmlSiteMapProvider" type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0,

Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            siteMapFile="web.sitemap" securityTrimmingEnabled="true"/>
        </providers>
      </siteMap>
    </system.web>
</configuration>

When logging as user1, i see the three pages (that's ok).
When logging with user2, i see nothing.

Because user2 is not in the role for page1, the Url authorization takes place and this page1 is hidden, but why the two others? there are roles="*" on each line in web.sitemap.

Later,I added this in web.config for testing: but this gives exactly the same: user1 sees all 3 pages, user2 nothing!

<location path="page2.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

Thanks
H.

gbianchi · June 20th, 2007, 07:24 AM

hi there... I don't know much about this subject, but looks like that page 2 and 3 are child of page 1, so if it hidden for user2, it will also hidden the childs.

HTH

Gonzalo

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from dparsons signature and he Took that from planoie's profile
================================================== =========
My programs achieved a new certification (can you say the same?):
WORKS ON MY MACHINE
http://www.codinghorror.com/blog/archives/000818.html
================================================== =========
I know that CVS was evil, and now i got the proof:
http://worsethanfailure.com/Articles...-Hate-You.aspx
================================================== =========

hertendreef · June 20th, 2007, 01:12 PM

thanks for replying ...

i changed web.sitemap into this:

<siteMapNode title="pg1" roles="manager">
     <siteMapNode url="pagina1.aspx" title="pg1" roles="manager" >
     </siteMapNode>
        <siteMapNode url="pagina2.aspx" title="pg2" roles="*" >
        </siteMapNode>
        <siteMapNode url="pagina3.aspx" title="pg3" roles="*" >
           </siteMapNode>
      </siteMapNode>

with same problem ....

gbianchi · June 20th, 2007, 01:20 PM

still the same issue.. if pg1 has only manager role accepted, it will not show the rest of the page...
if you allow the sitemap for * doesn't work the way you want??? because you are still surrounding page2 and 3 with a manager role....

HTH

Gonzalo

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from dparsons signature and he Took that from planoie's profile
================================================== =========
My programs achieved a new certification (can you say the same?):
WORKS ON MY MACHINE
http://www.codinghorror.com/blog/archives/000818.html
================================================== =========
I know that CVS was evil, and now i got the proof:
http://worsethanfailure.com/Articles...-Hate-You.aspx
================================================== =========

hertendreef · June 20th, 2007, 02:58 PM

yes, that's it:

<siteMapNode title="" roles="*">
    <siteMapNode url="pagina1.aspx" title="pg1" roles="manager" >
    </siteMapNode>
    <siteMapNode url="pagina2.aspx" title="pg2" roles="*" >
    </siteMapNode>
    <siteMapNode url="pagina3.aspx" title="pg3" roles="*" >
    </siteMapNode>
  </siteMapNode>

thanks, but i find amazing that it's nowhere explain clearly ...

Imar · June 20th, 2007, 03:36 PM

Quote:

quote:Originally posted by hertendreef
thanks, but i find amazing that it's nowhere explain clearly ...

It's not? Try this:

http://www.google.com/search?hl=en&s...=sitemap+roles

Then read the first 8 articles or so and follow the links from those articles. You'll find some useful stuff like:

http://msdn2.microsoft.com/en-us/library/ms178428.aspx
http://msdn2.microsoft.com/en-us/library/ms178428.aspx
http://blogs.ipona.com/davids/archiv...03/02/699.aspx
http://blogs.ipona.com/davids/archive/2004/10/16.aspx

From the first link you want to read the section "Selecting Roles to Prevent Unintentional Trimming"

If your only goal is to *hide* all links that a user doesn't have access to, you don't have to do add the roles attribute in the config file. All you need to do is set securityTrimming to true, add authorization elements (using location tags or separate web.config files) to the web.config and NET handles the rest. Pages a user can't access are hidden by default.

While it may appear as odd at first, the Roles attribute is used to *expand* the number of nodes a user can see beyond their normal access rights. However, they still won't be able to see the actual pages, and get the Login screen if they try.

Cheers,

Imar

---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

hertendreef · June 21st, 2007, 05:22 PM

Thanks for info ..