Wrox Programmer Forums
BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6
This is the forum to discuss the Wrox book ASP.NET 2.0 Instant Results by Imar Spaanjaars, Paul Wilton, Shawn Livermore; ISBN: 9780471749516

You are currently viewing the BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old May 18th, 2007, 07:49 PM
b67 b67 is offline
Authorized User
 
Join Date: Sep 2006
Posts: 33
Thanks: 0
Thanked 0 Times in 0 Posts
Default Wrox File Share - Admin Role defunct

In my setup the web.config in the management folder does not seem to override the main web.config - I created an Admin role but any user of the site can get into the folder

Any ideas where I can troubleshoot?

Thanks in Advance

 
Old May 18th, 2007, 08:01 PM
Wrox Author
 
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

This makes no sense.

By design, a web.config in a specific directory will override the root web.config

http://www.codeproject.com/aspnet/multipleWebConfig.asp

How is your secondary web.config set up? Do you have your authorization set up correctly in the second file?

        <authorization>
            <allow roles="administrators" />
            <allow users="Admin"/>
            <deny users="?" />
        </authorization>

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========
 
Old May 18th, 2007, 08:58 PM
b67 b67 is offline
Authorized User
 
Join Date: Sep 2006
Posts: 33
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I created a user 'cf' which is assigned to no role - so this user should not be able to properly login - right? Well this user can actually do everything the admin can.

My web.config looks like

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <system.web>
        <authorization>
            <allow roles="admin" />
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

Using the application admin tool Under "manage access rules"
Permission-- Users and Roles --- Delete
Allow------- admin --- Delete
Deny-------- [anonymous] --- Delete

To me it looks like the " <deny users="?" />" in the web.config is being interpreted as anonymous - which should not be part of the problem since my user is not a

Or..
Perhaps it has something to do with the fact that this is a real SQL Server - not SQL Express? At first roles were not enabled in the MS membership settings - at that time any user could get in the folder - now I enabled roles and created the admin role - and still same problem

 
Old May 18th, 2007, 09:22 PM
b67 b67 is offline
Authorized User
 
Join Date: Sep 2006
Posts: 33
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Ok so if I create a role called "regular" and assign a user this sole role - then in the management folder's web.config set

            <allow roles="admin" />
            <deny roles="regular" />

The login will come up again when I enter the correct credentials - this makes sense since it's set up to explicitly deny the 'regular' role - but if I remove the deny roles line - I would expect the same behavior though it would be implicit, since the only allowed role is 'admin' - am I wrong? It apparently seems so - it looks like the 'allow roles' does not really have an effect since my user is in the 'regular' role and can still access the pages in the folder - unless I specifically deny the 'regular' role

sorry for repeating myself I'm just trying to get my point across

Just trying to get an idea of how this works, thanks for your input

 
Old May 19th, 2007, 02:26 AM
Imar's Avatar
Wrox Author
 
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Default

The role mechanism reads from top to bottom and exits on the first role or user that matches. If you don't explicitly block things, users can still access the pages. So, you need to change it to this:

<allow roles="admin" />
<deny users="*" />

Although it seems you're blocking *all* users (due to the *), the admin role can still log in....

Imar
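
Added example (not part of the original posts, and not code from the book or from ASP.NET): a small Python model of the evaluation order described in the reply above, run against the two rule sets from this thread. It assumes the inherited machine-level default of <allow users="*" />, which is why a logged-in user who matches no rule in the folder's web.config still gets in; the function names and the users "alice" and "bob" are made up for the illustration.

```python
import xml.etree.ElementTree as ET

# Model of the inherited default: the machine-level configuration ends with
# <allow users="*" />, so a request that matches no folder rule is allowed.
INHERITED_DEFAULT = '<authorization><allow users="*" /></authorization>'


def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def _matches(rule, user, roles):
    """True if this <allow>/<deny> element applies to the caller.
    user is None for an anonymous request. Names are compared
    case-insensitively, which is this model's simplification."""
    users = _names(rule.get("users"))
    if "*" in users:                       # "*" = every caller
        return True
    if "?" in users and user is None:      # "?" = anonymous callers only
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule.get("roles")) & {r.lower() for r in roles})


def is_allowed(folder_rules_xml, user=None, roles=()):
    """Folder rules first, then the inherited default; first match wins."""
    for xml in (folder_rules_xml, INHERITED_DEFAULT):
        for rule in ET.fromstring(xml):
            if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
                return rule.tag == "allow"
    return False  # not reached while the default ends in allow users="*"


# Constructed inputs mirroring the thread's original and corrected rules.
ORIGINAL = '<authorization><allow roles="admin" /><deny users="?" /></authorization>'
FIXED = '<authorization><allow roles="admin" /><deny users="*" /></authorization>'

if __name__ == "__main__":
    # "alice" and "bob" are hypothetical users; "cf" is the role-less user from the thread.
    cases = [("anonymous", None, ()), ("cf (no role)", "cf", ()),
             ("regular role", "bob", ("regular",)), ("admin role", "alice", ("admin",))]
    for label, user, roles in cases:
        print(f"{label:14} original={is_allowed(ORIGINAL, user, roles)!s:5} "
              f"fixed={is_allowed(FIXED, user, roles)}")
```

With the original rules only the anonymous request is denied; with the corrected rules only the admin role is allowed.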
 
Old May 19th, 2007, 10:42 PM
b67 b67 is offline
Authorized User
 
Join Date: Sep 2006
Posts: 33
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks for the explanation - I'm happy to find out this is the way it works vs the way NTFS permissions work










Copyright (c) 2020 John Wiley & Sons, Inc.