Wrox Programmer Forums
|
BOOK: ASP.NET 3.5 Enterprise Application Development with Visual Studio 2008: Problem Design Solutio
This is the forum to discuss the Wrox book ASP.NET 3.5 Enterprise Application Development with Visual Studio 2008: Problem Design Solution by Vincent Varallo; ISBN: 9780470396865
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: ASP.NET 3.5 Enterprise Application Development with Visual Studio 2008: Problem Design Solutio section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old May 25th, 2009, 04:20 PM
Authorized User
  
Join Date: Apr 2009
Posts: 23
Thanks: 0
Thanked 0 Times in 0 Posts
Default NoAccessToPage exception
Hi,

While testing I observed that an administrator, say who has edit access to the roles role
can empty the users in role listbox and/ or give themselves Read Only access thereafter
the only way out is to either log in under a different user or go to the database and re-instate the administrator.

I agree no one should be foolish enough to do the above but it is possible. How can the code cater for that?

regards
 
Old May 26th, 2009, 05:23 PM
Authorized User
  
Join Date: Mar 2009
Posts: 79
Thanks: 4
Thanked 4 Times in 4 Posts
Default
With great power comes great responsibility.

I wouldnt even have thought to try that out, but wow, that is a potentially dangerous behavior.
As an Administrator on a system you cant gimp them to where they can not completely modify whatever. However, I would agree that an administrator account should not be able to be set to read-only. When I get around to it, I will look at making a change to only allow for admin accounts to be deletable from other admin accounts. Another thought would be to make a rule where, there has to be atleast 1 admin account present, ie if an account is marked as admin and is the only one it can not be deleted.

The last part can be done via SQL query where you use the COUNT function to check for the number of admin accounts, if > 1 then deletion is allowed else no. This can be easily implemented into the Validate Delete method, to prevent deletion of the only admin account.

Let me know if you need more help.
 
Old June 1st, 2009, 12:49 PM
Authorized User
  
Join Date: Apr 2009
Posts: 23
Thanks: 0
Thanked 0 Times in 0 Posts
Default
Hi,

Thanks for your reply. Rumour has it, one day an admin who was off sick passed his credentials over the phone to a less senior employee to solve an urgent problem. Thereafter, everyone including plant operators knew the admin username and password.

Yes, in my trade (engineering) the admin credentials become common knowledge. It should not happen but t it does.

The problem happens because the user who wiped his/her rights out should not be in the page they are in, so when they save they get the exception.

My thoughts on it so far rather than throwing an exception just redirect to the home page and an admin should re-create the admin account from the database. Or create an admin account than can't be altered and always has "Edit" capability only; and that means, another access type that does not include "none".

regards
Last edited by luckystar; June 1st, 2009 at 12:53 PM..





Similar Threads
Thread Thread Starter Forum Replies Last Post
COM Exception muralidharan.d VS.NET 2002/2003 0 August 7th, 2007 02:49 PM
Exception in chapter9 james.zeng BOOK: Beginning Cryptography with Java 2 January 11th, 2007 04:06 PM
Exception when transforming using ksskumar XSLT 1 October 10th, 2006 02:33 AM
Exception Ochi C# 1 January 15th, 2006 11:38 PM




Contact Us - Wrox - Privacy Statement - Top

Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.