(Chapter 4)
I don't understand what I did wrong.

This is my sitemap:
This is web.config (part)

When I run web site the Admin menu item is not hidden though I didn't login.
What is wrong?

Yevi,

You might take a look about 3/4 of the way down in the web.config for an entry like this, there should be several similar entries for "Posters", but this one is for admin
Steve

But there is no such section in the book and nor in the downloaded code!!

Hi Yevi,

Please read on page 170 of the TBH book, The Administration Section; this paragraph does talk about this. In this case it is dealing with web Admin/Web.config, which limits access to specific pages in the admin section by role, this is what turns on and off the panels in the Admin/Default.aspx.

At the bottom of the main TBH web.config are similar authorizations for specific pages. I did add the authorization block I posted above; it is for the entire admin directory rather than page by page. It is in essance a belt and suspenders approach to lock down the admin section (the main config locks the directory and the admin config locks the individual pages).

At one point in creating one of my own sites I did run into a situation that you are apparently in, where the Admin menu was not hidden. I think I eventually traced it to a misspelling or capitolization issue between the Role stored in the database and the role listed in the web.sitemap.

Steve

I still can't make it work.
I've added this section to the web.config
I made sure that "Administrators" role exits in database (using the asp configuration Tool).

But I still see the "Admin" menu item on the default page of the site.

p.s. the book pages don't match because i have a Russian version of the book :)

Hi Yevi,

The authorization sections in the web.config files are used to allow or deny access to the directories or pages. The roles in the sitemap is what should be displaying or hiding the menu items depending on the user's current role. Ideally these work in tandem, if you can't see it you can't access it, if you can see it you can access it.

As I mentioned in my previous post at one point I too had the problem of seeing the Admin menu item when I wasn't logged in. I don't remember if it was a misspelling or something was corrupt in a file. I do remember fighting with it for a few days before it was resolved, unfortunately I don't remember what I specifically did to correct the problem, I tried many many things. I may have replaced the sitemap file or even rebuilt the database. I'd suggest starting with the simplest; do the roles in the database and sitemap exactly match each other? (copy and paste from one to the other, trailing space in the database record?). If that doesn't work remove the entire sitemap node for admin and recreate it or copy the sitemap contents to a new file, delete the old sitemap file, create a new one and paste the contents of the old into the new.

You original code looks OK.

Yevi,

I had the same issue as you.

Try adding a web.config file in the Admin folder that looks like:

<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>

Yes,
I did that already.
Thanks