MVC :: Strategies For Managing Security Scope?
May 17, 2010
In this case I have a system where a user logs in, they get a dashboard and they can see all their related projects. The user can click on the project and open it. (ie /View/79) The problem the user can also just type /View/68 which they are not supposed to be able to view.
Obviously I am aware of how to filter my data, but this application has many many lists of data and it all needs to be scoped to data that user has been allowed to see. I can insert a plethora of joins and wheres in all my queries but.. it's a lot of work and a bit convoluted.So I was wondering what strategies other had used for filtering data based on the user scope.One approach I was thinking of was to extend my user-role-permission model so "permissions" could be assigned to various entitites (like projects). This way, rather than doing a series of joins etc to see confirm a user has been assigned to a project, my join is just onto the EntityPermission table to confirm the user has PermissionX (like: CanView) on that entity. I could either maintain a seperate M2M table for each entity i need to restrict or something a bit more general (but without referential integrity).
View 3 Replies
Similar Messages:
Apr 6, 2010
I want to use Context.Items to store some info of a User Control like:
Context.Items["Data"] = 5;
I want to know, Is Context.Items is for each request or it is global for the application?
View 1 Replies
Jun 5, 2010
How should one handle the situation where you may need to filter by a group of users.
Here is the scenario.
I have an administrator role in my company. I should be able to see all the data belonging to me plus all the other users who I have control over.
A plain old user however should only be able to access their own data.
If you are writing regular sql statements then you can have a security table with every user and who they have access too but i'm not sure how to handle this situation in the OO and ORM world.
Any one dealt with this scenario in a web application using an ORM?
View 1 Replies
Jan 28, 2010
I recently added Forms Authentication to a project and set it up by right-clicking on a Login control at design-time, selecting "Administer Web Site," and setting up all the users, roles, etc.
how is this to be done after the site is deployed? Would the webmaster have access to this tool? Is there some other tool available?
View 4 Replies
May 27, 2010
Initially, in my solution I had one project, and had set up all that is required for asp.net security, and that includes users and roles and access rules, etc. All of that was and still is working fine.
Now I added another project to my solution, and my first project points to pages in the second project.
The problem is that it seems like the users and roles are not being transferred accross projects. Not sure if I am explaining my problem correctly...if not, feel free to ask...
Its my first time trying to manage users and roles accross projects within a solution.
View 1 Replies
Mar 8, 2011
I've developed a web application and I've added some security features. Now i want to create a page for managing users and user access in my web application.Can anyone suggest some tutorial for managing users and access because i'm new to asp.net.
View 1 Replies
Oct 25, 2010
I've been using the CreateUserWizard to create my users as well as to assign them roles/permissions. My problem is that, once created, I have no idea how to edit or delete their details without using the Asp.net Website Administration Tool. Where can I get some extensive but easy to understand literature on the subject?
View 4 Replies
Nov 9, 2010
Can anyone point me to a sample admin page for managing users and roles (forms authentication). Something like the security section of the WSAT, but for a finished site.
View 3 Replies
Jun 16, 2010
providing template or sample code to manage users from Client side.
My Environment Details:-
Framework: 3.5
Code Behind: C#
Membership/Roles Provider: SQL Server
View 3 Replies
Oct 2, 2010
using .NET 4 and SQL Server 2008R2
I have a table of persons that used for different purposes in a database. One of those purposes is to present a list of organization contacts to users. I use a gridview and stored procedures to get the data.
On one page listing all organization contacts the client requires the order of the persons to be presented as President first, Vice President second, Secretary third, etc. I accomplished this requirement by simply entering the persons in the table in the order in which they were required to be displayed on that particular page.
But then on another contacts page the client requires only a subset of the persons in the table to be displayed, moreover, the order of the persons is to be presented as Secretary first, Office Administrator second, President third and Vice President fourth.
I have no idea how to pull the data into my gridview in the order that's required for the 2nd page. I thought about adding a column in the table that I could use to store a numeric value and then order by that value in the procedure that pulls the data for the second contact page, but this somehow seems wrong.
View 4 Replies
Sep 29, 2010
using asp.net 4 and vs 2010 I have a listview that displays data from a database. I have to configure it to display all column data where present, however, not all columns have data, with the result that blank spaces get rendered where this data would normally be displayed.
The code:
[Code]....
So, for example, some of the individuals that exist in this table might no longer be associated with a specific department, institution or have data in the "Address2" column.
View 4 Replies
Dec 7, 2010
I need to access some variables in a page in web application. The scope of variables is just in that specific page.
which one is the solution ? Session or ViewState ? or any better solution ?
Private Property UserId() As Integer
Get
If Not ViewState("UserId") Is Nothing Then[code]....
And also Is ViewState custom per user?
View 1 Replies
Jan 24, 2011
I have a multiple database operation, Have three tables (MSsql) and need to delete one row in each table in one operation, one after another. (Three functions, three rows of code). Everything is working as it should be, recently I was advised to use a transaction scope, which should guarantee the safety of deletion from all 3 tables together.
Here is my new code:
[Code]....
Locally all worked just fine, the transaction scope worked well, but when I have uploaded my application to my hosting server, I got an error of: The partner transaction manager has disabled its support for remote/network transactions. (Exception from HRESULT: 0x8004D025).I talked with the host support, they tried to do something, then I got this error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
After a 2 days, They have contacted me, they said it is not possible to disable some restriction, that will allow an access to this operation, because I'm using shared hosting, and I need to upgrade my plan to VPS. VPS is a very expensive for me, and I can't afford it, What I'm looking is a some similar way of doing the same operation as transaction scope do, that may work at my hosting, At least I would like to try something else. Is there any additional way for the transaction scope?
View 1 Replies
Feb 14, 2011
I have an ASP.NET app that logs Audit reports using nHibernate's IPreUpdateListener. In order to set the current user in the Listener events, I was using System.Security.Principal.WindowsIdentity.GetCurrent(). This works fine when debugging on my machine, but when I move it to the staging server, I'm getting the ASP.NET process credentials, not the requesting user.
In the ASP.NET page, I can use Request.LogonUserIdentity (which works fine since I'm using integrated authentication), but how do I reference this user directly without having to pass it directly to my event? I don't want to have to pass this info through the pipeline because it really doesn't belong in the intermediate events/calls.
View 1 Replies
Feb 24, 2011
Quick question: Is there a "per-user" data storage object (similar to Session) that I can store data in the global scope (similar to HttpRuntime.Cache)? Almost as if Session and HttpRuntime.Cache had a baby.
Full Background: I have a ASP.NET website that was originally written for a single thread. Now I changed it so that certain actions will spawn a background thread and the browser polls a service to get status updates.
The problem I am having with this is that certain pieces of data are stored into the HttpContext.Session[] object (membership authentication token, for example). These pieces of data need to be unique to each user and accessible to the background thread. Session is not available to the background thread.
I am aware of HttpRuntime.Cache but that would require micromanagement to segment out the users and to expire it at the same time the session is expired. Session, on the other hand, automatically expires this things at the right times that I want it too and is already used by things like the SqlMembershipProvider.
My question is, is there something that behaves similar to the Session but exists in the global scope?
View 3 Replies
Feb 28, 2011
I want to declare a variable in such a way that I can access that particular variable and its value in all the asp pages in the project. Can anyone tell me how to declare a variable in C# such that it has project-wide scope?
View 8 Replies
Oct 25, 2010
Trying to troubleshoot a questionable plugin a client is experiencing issues with in production, and one possible issue I see is the fact that they're sending SMTP synchronously from within our heavily-transacted C# web application. In the past I believe I've read or been told that sending SMTP synchronously from within a transaction is a precarious bet, but I can't seem to find anything to back it up that I can present to the client's dev team.
View 1 Replies
Feb 15, 2011
First of all, I am creating a something like a client/server solution using a standard ASP.NET website - I do know this method is not adviced, and most people would love to scream "COMET!" or "HTML5 Sockets!" - but please don't ;-) !
What I am doing...
I am creating an MMORPG on a website.
I have several clients whom need to be in contact at the same time. This is done by a global object in the Application scope.
My problem
I need to invoke an event to several clients. For instance, when an attack has been performed, I need to update some graphics. The attack logic is resolved in the global object, but each of the clients has to respond to this.
Right now I do the following:
fightTrace.Reciever.InvokeMoveEnded(this);
fightTrace.FiredBy.InvokeMoveEnded(this);
(This is a kind of observer pattern)
What now happends is a race condition. The one who loads the page_load event will get both of these events, and the one who is not running them, will experience no changes in the UI.
So what is it I really want?
What I really need is some genuine and nice way to create an observer pattern through the application state. I need to send an event out to every "listener" which is in this case is a client, and then do some update.
View 1 Replies
Sep 30, 2010
I always got the error below when i load my report.i cannot get it since i have already added the field on my data set.{"The Value expression for the textbox ‘textbox22’ refers to the field ‘isTransfer’. Report item expressions can only refer to fields within the current data set scope or, if inside an aggregate, the specified data set scope."}
View 7 Replies
Jun 16, 2010
I want to initiate a class for each user at the start of the user's session so that a single class can be used throughout the user's session. I checked out this post but I'm not sure where I should be placing this Sessionhandler class. Inside global.asax? How do I go about accomplishing this?
View 2 Replies
Jul 22, 2010
just reading about using transaction scrope, previously I am used to making transactions inside a single DB class like
try
{
con.Open();
tran = con.BeginTransaction();[code]...
Which one is the recommended coding practice and why ? Is using a Transaction Scope safe ? Is it the latest way to do things ? I am confused about both methods.
View 1 Replies
Mar 3, 2010
I am looking for differences between those 3 ways of using static class in asp.net application scope.
Will all of these point to the same class?
Which one is preferable >object< defined declaratively inside global.asax or static class ?
examples:
<object runat="server" scope="application" class="classname" ID="objID"></object>
VS
public static class classname {}
VS
Application("a") = new classname();
View 1 Replies
Feb 14, 2010
I have an SQL Server table named "Fields" with an autoincrement identity column "FieldID" as the primary key, an nchar column "Phrase" that textbox entries are to be stored in from a web page, and another column that is defaulted to null. The following is the recommended example on how to use Scope_Identity() to get a newly inserted table row identity value:
//C#
string query = "Insert Into Categories (CategoryName) Values (@CategoryName);" +
"Select Scope_Identity()";
int ID;
string connect = @"Server=.SQLExpress;AttachDbFilename=|DataDirectory|Northwind.mdf;" +
"Database=Northwind;Trusted_Connection=Yes;";
using (SqlConnection conn = new SqlConnection(connect))
{
using (SqlCommand cmd = new SqlCommand(query, conn))
{
cmd.Parameters.AddWithValue("@CategoryName", Category.Text);
conn.Open();
ID = (int)cmd.ExecuteScalar();
}
}
Obviously, this example uses a Categories Table in a Northwind database, which I do not have. So I am confused by how to adapt this example for my application. The following is my data context:
DataClassesDataContext db = new DataClassesDataContext();
Could you explain how I can adapt the example for my "Fields" table in my "EFMDB" database?
View 13 Replies
Jan 25, 2010
want to make sure I am not assuming something foolish here, when implementing the singleton pattern in an ASP .Net web application the static variable scope is only for the current user session, right? If a second user is accessing the site it is a different memory scope...?
View 4 Replies
Mar 7, 2011
We're using ASP.NET and IIS 6.0. I realise that the definitions of applications, websites and virtual directories are ill-defined in IIS 6, and changed a lot in IIS 7. However, I'm stuck with IIS 6.0 for now.
We have a single web site defined in IIS, and a number of separate sub-sites in Virtual Directories.
The scheme looks like this:-
[URL]
[URL]
site1, site2, ... are virtual directories in IIS 6.0, under the "Default Web Site".
I need to use ASP.NET sessions and forms authentication in most of these sites, and I don't want them to share authentication data or session information at all.
Both the mechanisms currently depend on cookies. However, the cookies created by default use the same name, and have a path of "/" in the browser, meaning the sites' cookies will clash with each other.
Without changing the default name for each cookie, how can I enforce separation between my sub-sites? Do I need to change the virtual directories for IIS 6 "Applications"? Or is there some way in code to enforce a more limited scope for the cookies?
View 1 Replies
