ASP MVC Elegant UI And ModelBinder Authorization?
Apr 29, 2010
We know that authorization is a cross-cutting concern, and we do anything we can to avoid merging business logic into our views. But I still have not found an elegant way to filter UI components (e.g. widgets, form elements, tables, etc.) using the current user's roles without contaminating the view with business logic. The same applies for model binding.
Example
Form: Product Creation
Fields:
- Name
- Price
- Discount
Roles:
- Role Administrator
  - Is allowed to see and modify the Name field
  - Is allowed to see and modify the Price field
  - Is allowed to see and modify the Discount
- Role Administrator assistant
  - Is allowed to see and modify the Name
  - Is allowed to see and modify the Price
The fields shown for each role are different; also, model binding needs to ignore the Discount field for the 'Administrator assistant' role.
View 3 Replies
Similar Messages:
Mar 29, 2011
I am using ASP.NET MVC 3 and am trying to do something that should be really straightforward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
[code]....
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
View 1 Replies
Mar 8, 2011
We are wanting to upgrade from one version of jQuery to another. We use various online plug-ins and have written many of our own. The challenge now comes in the form of trying to SLOWLY MIGRATE all your scripted objects SLOWLY without a complete re-write. I have an idea on HOW to handle this:
BUT I HAVE QUESTIONS:
Is the idea below even a good idea? Can I (directly) tell each jQuery object where dependencies live?
If this is a bad idea...how do YOU handle it? Do I simply re-write EVERY object that happens to break upon upgrading? (sux!)
[Code].....
View 1 Replies
Sep 30, 2010
I'll try to make this concise. Anyways, I'm trying to only allow unique data to my database. What I did before adding the entry is to use a Search Query for the value of the txtbox
"SELECT IDnum WHERE IDnum = '" & txtID & "'"
Then compare it with that of the txtbox.
IF objReader("IDNum") <> txtID.textbox then add the entry Else Display a Warning.
In the above code, I can detect when the user entered an existing value. However, if the user entered a NEW (unique) value, an error is raised: "Invalid attempt to read when no data is present". I hit the wall with this. So what I did, since I can detect duplicates and have errors when entering a unique value, I used the ON ERROR GOTO statement. I did it like this:
On Error Goto errHandler
If objReader("IDNum") = txtID.textbox then
lbl1.text = "Existing Record"
objReader.close() [code]....
The code does what I need but it's kinda long. I bet there is an elegant way to do this.
View 3 Replies
Jun 28, 2010
When a user attempts to directly visit the url admin.aspx, and they are not an admin, they are redirected to the login page. However, when the user then attempts to visit ViewWeek.aspx, it indicates that they are still logged in. Why does this ASP.NET authorization boot the user to the login screen, yet keep the user logged in? I'd rather it just direct the user to the default URL specified in the forms tag.
Here's my Forms Authentication:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" defaultUrl="ViewWeek.aspx" timeout="50000000" />
</authentication>
View 1 Replies
Jun 7, 2010
I have a class:
[Code]....
Then another class, for ProjectCustomer:
[Code]....
My view is the same as any standard auto-created view, with properties set using the likes of:
[Code]....
In my edit page, for editing the fields for these classes, everything works fine, the model binder works, and validation works. In my create page, only the Project class properties get set and the ProjectCustomer properties remain null. I've tried everything I can think of from manually instantiating a new ProjectCustomer before calling TryUpdate model, to letting MVC handle the lot by including the class as a parameter for the action. The values are being passed just fine, as I've tried a FormCollection too and in the debugger the FormCollection contains all the correct fields (i.e. Customer.Name etc.) yet no matter what the ModelBinder just won't attach the inputs to the Customer object inside the Project object, but will only not do this on the Create action, and does it fine for the Edit action even though the code is almost entirely identical.
Why is the ModelBinder just refusing to bind for the Create action and no other? What steps can I perform to debug the ModelBinder when it's not working properly like this?
I've tried every combination of things I can think of under the sun, and simply can't understand why it works for one action, but not for another, especially when the code I've used is fairly basic. I'll note that these classes were intended as MetaData classes hence their pointless seeming simplicity, but as part of trying to track down the problem I've stripped them to the bare bones setup above, and still no luck.
Under what circumstances does the ModelBinder decide not to fill the properties of a sub-object?
View 2 Replies
Jan 12, 2011
Just a general design question that I'd like to hear some of your opinions on. I am designing a system for a client, and I'm using GridViews a lot. They need a lot of columns to be displayed in some of these, and I've had to resort to using a panel with a horizontal scrollbar. This presents some issues - keeping track of which row is which is difficult, even with alternating row colours, and it's generally pretty ugly. How have you dealt with these issues before?
View 1 Replies
Jan 25, 2011
This project is pretty far away and I'm not in the position to go make changes all over the place (If I could, deleting the lot would be what I'd do!)
I want to create a modelbinder that would resolve any dependencies my View Models might have (using StructureMap).
It should not require me to implement a specific interface (so many developers, so many interfaces... I'd rather keep things clean) and hopefully not require one to go register each model binder individually (now I'm asking too much, taking the first requirement in consideration).
Probably will get it right tonight, but figured I'd ask.
View 3 Replies
Mar 29, 2010
I'm starting with EditorTemplates and I have this situation: I have an int field that represents a phone number. In the EditorTemplate I'll separate it into 2 textboxes. But how can I join (concatenate) it in my action? If possible, I want to still use ModelBinder.
View 1 Replies
Feb 22, 2010
I'm trying to bind the selections in a multiple selection SELECT, to an IList input in the controller.
<select name="users" multiple="multiple">
<option>John</option>
<option>Mary</option>
[code]...
View 2 Replies
Apr 26, 2010
Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests here: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about the Claims based authorization which to me looks very similar to what we have. Can someone put in simple terms what the advantages of claims based authorization are?
View 1 Replies
Apr 29, 2010
[Code]....
[Code]....
[Code]....
[Code]....
Given the above scenario, I would have thought that submitting the form with a blank ProductId would have been fine because I didn't decorate the ProductId property with [Required]. However I get the error message "The ProductId field is required".
Is there any way to make an Integer property on the model not required?
View 2 Replies
Feb 23, 2010
I've an Admin area and I want only Admins to enter the area. I considered adding the Authorized attribute to every controller in the Admin area. Isn't there an elegant solution or is this feature not there in the framework itself?
EDIT:
I should have mentioned this before. I'm using a custom AuthorizedAttribute derived from AuthorizeAttribute.
View 3 Replies
Jan 31, 2011
Was wondering how do I make it so when a user goes to a page it's only displayed if he is logged in and secure, but if he is not logged in he is redirected to the login page?
View 4 Replies
Apr 3, 2011
I am using forms authentication in an ASP.NET application. I want to make pages accessible depending upon roles defined in the database. For example, there are three roles defined in the database: salary admin, manager, Clerk. I want a page salary.aspx to be accessible only by salary admin and not any other roles.
View 1 Replies
Sep 2, 2010
I have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.
Why will it not work in IIS? And how to solve it?
[code]....
View 1 Replies
Sep 4, 2010
I have the usual requirement of implementing Authentication and Authorization. I used to implement it using custom code where I have Users, Roles, Role_Pages, User_Pages, and User_Roles. So this way we can give a certain user roles (that group multiple pages) and/or directly define access to certain pages. All that with the ability to specify fine grained permissions like the ability to Add/Edit/Delete records in those pages.
My question: How easy is it to implement this using Forms Authentication and what advantage does that give over implementing a custom solution. I am also concerned with knowing if there would be any advantage when it comes to securing from session hijacking and against spoofing where an attacker could replay requests and impersonate legit users. Would Forms Authentication have any advantage there, or is it only SSL that can secure against that (which makes both approaches equal in that regard).
View 2 Replies
Apr 21, 2010
What is the authentication mode available in ASP.NET? How do you set authentication mode in the ASP.NET application? How do you provide secured communication in ASP.NET? List out the difference between windows authentication and form authentication.
View 3 Replies
Feb 16, 2010
I'm using Visual Studio 2005 with C# on .NET Framework 2.0. I am implementing forms authentication in this project but the problem is when I'm on the registration form (outside login) and try to open any window on that form using JavaScript (window.open) it redirects me to the login page. How should I tackle this problem?
View 1 Replies
Jun 4, 2010
I am using forms authentication in my ASP.NET MVC application. I want to exclude the signup page from the authorization process. I know I can add a location tag in my main web.config file or create a new web.config inside the specific folder. But I just want to exclude one specific action in the User controller. How do I do it?
View 4 Replies
Dec 6, 2010
I am using forms authentication with ASP.NET MVC. Within web.config at application level I can set the paths that I require authentication to as follows;
<location path="subdir1">
<system.web>
<authorization>
<allow users ="?" />
</authorization>
</system.web>
</location>
subdir1 is folder name within the Views folder. This works for the web page routing as [URL] However, if my subdir1 is under another dynamically created route, this setting does not work. For instance; [URL] does not request authentication. dynamic is created at runtime and web.config does not know about it at application start but it should not care about it, I just want it to ask for authentication whenever there is an access to subdir1 route. Is there any way that I can set the location's path attribute for this case? or do you have any other way to solve this issue?
View 2 Replies
Apr 21, 2010
How's authorization supported in Telerik's MVC extensions? I am particularly interested in two cases:
tabs
grid row editing/deleting/inserting
View 1 Replies
Mar 6, 2011
I have several sections
<location path="Page1.aspx">
<system.web>
<authorization>
<allow roles="superadmin"/>
[Code]....
I want to make a redirect to the specified page if authorization failed. And this is not a general page. I want to make a specific redirect based on the page the user wants to open. How can it be done?
View 3 Replies
Mar 1, 2011
My website is open only for authorized users, so I denied the anonymous users. But the problem is the style is corrupted because anonymous users are not allowed to access the Style folder. How can I exempt the style folder from the authorization?
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
View 1 Replies
Dec 16, 2010
I am creating MVC e-commerce website.
There is an "Add to Cart" button on the product detail page, and if I click the button, it should be directed to the login page.
After I log in, it should be redirected to the product detail page.
The "Add to Cart" button is a CartController action.
In CartController.cs :
[Code]....
In AccountController.cs :
[Code]....
The product should not be added into the cart before login, so I put [Authorize] on the AddToCart action.
However, if I click the "add to cart" button, it directs to the login page, and if I log in, it gives me an error because it lost all the AddToCart action's parameter information (e.g. Cart cart, int productId, string returnURL).
View 3 Replies