C# - Handling User Security Scope With NHibernate Or Other ORM?
Jun 5, 2010
How should one handle the situation where you may need to filter by a group of users?
Here is the scenario.
I have an administrator role in my company. I should be able to see all the data belonging to me plus all the other users who I have control over.
A plain old user however should only be able to access their own data.
If you are writing regular SQL statements then you can have a security table with every user and who they have access to, but I'm not sure how to handle this situation in the OO and ORM world.
Anyone dealt with this scenario in a web application using an ORM?
View 1 Replies
Similar Messages:
Apr 6, 2010
I want to use Context.Items to store some info of a User Control like:
Context.Items["Data"] = 5;
I want to know: is Context.Items for each request, or is it global for the application?
View 1 Replies
May 17, 2010
In this case I have a system where a user logs in, they get a dashboard and they can see all their related projects. The user can click on the project and open it (i.e. /View/79). The problem is the user can also just type /View/68, which they are not supposed to be able to view.
Obviously I am aware of how to filter my data, but this application has many, many lists of data and it all needs to be scoped to data that user has been allowed to see. I can insert a plethora of joins and wheres in all my queries but... it's a lot of work and a bit convoluted. So I was wondering what strategies others had used for filtering data based on the user scope. One approach I was thinking of was to extend my user-role-permission model so "permissions" could be assigned to various entities (like projects). This way, rather than doing a series of joins etc. to confirm a user has been assigned to a project, my join is just onto the EntityPermission table to confirm the user has PermissionX (like: CanView) on that entity. I could either maintain a separate M2M table for each entity I need to restrict or something a bit more general (but without referential integrity).
View 3 Replies
Feb 14, 2011
I have an ASP.NET app that logs Audit reports using NHibernate's IPreUpdateListener. In order to set the current user in the Listener events, I was using System.Security.Principal.WindowsIdentity.GetCurrent(). This works fine when debugging on my machine, but when I move it to the staging server, I'm getting the ASP.NET process credentials, not the requesting user.
In the ASP.NET page, I can use Request.LogonUserIdentity (which works fine since I'm using integrated authentication), but how do I reference this user directly without having to pass it directly to my event? I don't want to have to pass this info through the pipeline because it really doesn't belong in the intermediate events/calls.
View 1 Replies
Jun 16, 2010
I want to initiate a class for each user at the start of the user's session so that a single class can be used throughout the user's session. I checked out this post but I'm not sure where I should be placing this Sessionhandler class. Inside global.asax? How do I go about accomplishing this?
View 2 Replies
Apr 11, 2010
I've upgraded an ASP.Net Web application to the latest build of Fluent NHibernate (1.0.0.636) and the newest version of NHibernate (v2.1.2.4000). I've checked a couple of times that the application is running in Full trust. But I keep getting the following error:
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
System.Security.CodeAccessPermission.Demand() +54
System.Reflection.Emit.DynamicMethod.PerformSecurityCheck(Type owner, StackCrawlMark& stackMark, Boolean skipVisibility) +269
System.Reflection.Emit.DynamicMethod..ctor(String name, Type returnType, Type[] parameterTypes, Type owner, Boolean skipVisibility) +81
NHibernate.Bytecode.Lightweight.ReflectionOptimizer.CreateDynamicMethod(Type returnType, Type[] argumentTypes) +165
NHibernate.Bytecode.Lightweight.ReflectionOptimizer.GenerateGetPropertyValuesMethod(IGetter[] getters) +383
NHibernate.Bytecode.Lightweight.ReflectionOptimizer..ctor(Type mappedType, IGetter[] getters, ISetter[] setters) +108
NHibernate.Bytecode.Lightweight.BytecodeProviderImpl.GetReflectionOptimizer(Type mappedClass, IGetter[] getters, ISetter[] setters) +52
NHibernate.Tuple.Component.PocoComponentTuplizer..ctor(Component component) +231
NHibernate.Tuple.Component.ComponentEntityModeToTuplizerMapping..ctor(Component component) +420
NHibernate.Tuple.Component.ComponentMetamodel..ctor(Component component) +402
NHibernate.Mapping.Component.BuildType() +38
NHibernate.Mapping.Component.get_Type() +32
NHibernate.Mapping.SimpleValue.IsValid(IMapping mapping) +39
NHibernate.Mapping.RootClass.Validate(IMapping mapping) +61
NHibernate.Cfg.Configuration.ValidateEntities() +220
NHibernate.Cfg.Configuration.Validate() +16
NHibernate.Cfg.Configuration.BuildSessionFactory() +39
FluentNHibernate.Cfg.FluentConfiguration.BuildSessionFactory() in d:\Builds\FluentNH\src\FluentNHibernate\Cfg\FluentConfiguration.cs:93
Anyone had a similar error? I've searched the web / stackoverflow / NHibernate forums but only found people who had a problem when running in medium trust mode, not full trust. I've been developing for several months on this application on this machine with previous versions of Fluent NHibernate and NHibernate.
The machine I'm running this on is 64-bit; you never know whether this is relevant.
View 1 Replies
Jul 29, 2010
I've been reading around the web about different alternatives to keeping track of users but I can't seem to find the "perfect" solution for my situation.
The app will (hopefully) be high-volume so I'd like to design with scalability in mind. It might be necessary to host the site using several web-servers so session mode InProc won't work, right? It's kept in memory of the current web-server and since the user might jump from web-server to web-server I can't be sure the session will be kept connected to the user.
Do I need to make a custom membership and role provider that works with mySQL to be able to use the .NETs standard user handling systems (like FormsAuthentication that can handle session stuff from what I've understood)?
View 1 Replies
Apr 23, 2010
In a CreateUserWizard there are 2 dropdownlists to set the country and city of a new user. Where and how can those dropdownlists be assigned datasources from a datareader, refreshed and accessed in codebehind for interaction between country and city? I tried but keep getting errors saying control not found. Is it impossible to do codebehind events with CreateUserWizard?
View 3 Replies
Sep 8, 2010
I have locked a set of administration pages on a website using the PrincipalPermission syntax, i.e.:
<PrincipalPermission(SecurityAction.Demand, Role:=RoleBLL.ROLE_NAME_ADMINISTRATOR)>
View 3 Replies
Jun 5, 2010
I have a problem with my userControl. Please look below for better understanding. Pic1: the default page. When I click on the links on the left, the userControl will load into the placeHolder as in pic2. But when I click on the Clear button that is inside the userControl, instead of clearing the text in the textbox, it loads back to the default page shown in pic1. Can anyone please advise me what went wrong?
View 9 Replies
Sep 27, 2010
I am using the standard createuser wizard (but got the same issue with another wizard) and in the CreatedUser event an exception is raised, causing the wizard not to reach the next step. If no exceptions are raised the wizard behaves as expected. I have tried to force the wizard to move to the next step using CreateNewMember.MoveTo(this.CompleteWizardStep1); as an example, but still the web page is in a waiting stage for about 5 to 10 mins before it finally reaches the final step. I have tried to deal with the exception in the routine where it occurred, or throw it back to the CreatedUser event and deal with it there, but nothing changes as to the move to the next step in the wizard.
View 16 Replies
May 13, 2010
I have 3 separate applications (under the same domain) for which I use Forms authentication with single sign-on.
The 3 applications have different session timeout periods. I saw in various articles that when we use forms authentication and specify the loginurl in the <Forms> tag in the web.config, it should automatically get redirected to the login page when the session times out. But in my case, it doesn't happen, I think because of different timeout values.
View 6 Replies
Aug 27, 2010
Currently I have membership and roles set up on my site. Now what is my next step to get more specific control?
Based on what I have now, I have my pages set up so they are visible or not and links not visible and so on. But now on a more detailed level, say I'm set up as a user. As a user my default permission is just to view data, no editing. But say someone was let go; now instead of granting me full access to everything, I need to be able to go in and provide more permissions to the account.
Example:
Admins:
Add Users
Modify Users
Delete Users
Users:
View Users Detail (only the person that is logged in)
Since the user that was let go was an admin, they had all the other options, but as a temporary thing, we need to be able to add, say, permission "Add Users" to the individual user account.
To accomplish this type of control, what do i need to look at to accomplish such a setup?
View 3 Replies
Jan 28, 2011
I have a User Control which consists of a TextBox with a few extras, but for purposes of this example just assuming it's a plain TextBox will be sufficient. I am calling this User Control from a Web Form and would like to be able to use a RequiredFieldValidator that basically would function the same as if I used it on a TextBox on the web form. How do I configure my User Control to handle this?
EDIT:
DatePicker.ascx
<asp:TextBox runat="server" ID="myControlTB">
DatePicker.ascx.cs
[ValidationProperty("Text")]
public partial class DatePicker : System.Web.UI.UserControl
[code]...
View 2 Replies
Mar 15, 2011
I have a user control which I am dynamically loading in my page_load event via a method (see below). The user control contains a gridview and a label. A key piece of information has to do with how to get around the convenient feature of gridviews not rendering when their datasource is empty. In my user control I add some hidden rows so that the grids will render and the user can see just the headers (if the situation calls for it).
The nomControl is an asp:Panel on the parent page which will hold the user controls. The dsRefinedProductsNomInfo is a strongly typed dataset.
[code]....
how I should be handling my events so that my rendered grid is up to date and not showing these hidden rows. I have a feeling I am just doing things in the wrong place/order but this is my first real swim in the deep end of the asp.net pool.
View 1 Replies
Apr 2, 2010
I am part of a team that is developing a SharePoint web part. My task is to create a user control which will ultimately be wrapped in another class for presentation in a web part. Because of these requirements, I must fit all of my code in a single user control. To organize my code in the code-behind, I created a few private classes for the different objects which are represented in the database. I want to add some exception handling whereby if some sort of DB exception is thrown I can update a message on the page informing the user of the problem.
My problem is that the page-level controls are inaccessible from the private class where I'm issuing the query, so even if I catch the exception I have no way of directly accessing a Label control to populate the error. I tried to create a base class with an EventHandler defined, but when I throw events from the private class I'm not able to catch them for whatever reason. I'm far from an OOP expert. Here is a snippet:
ASP Code:
using System;
using System.Collections;
[code]....
View 3 Replies
Apr 26, 2010
I have a user control, say SearchVendor.ascx, which contains 4 buttons, a gridview and another user control. I need to load the control dynamically, actually as a modal pop up.
I get this code
var uc = Page.LoadControl("~/blah/VendorProductSearch.ascx") as VPSearch;
uc.ShowVPSearch(true);
_tempPlaceHolder.Controls.Add(uc);
It works fine, the control gets loaded properly, but on click of any button the second time the control disappears?
I want the dynamically added control to remain until the user clicks on the cancel button
View 2 Replies
Jun 25, 2010
I've got a .aspx page which loads a user control using the LoadControl(string virtualPath) method. The loaded control contains references to several other user controls (which I will call "modules"). If such a module contains an unhandled coding error which isn't caught at compile time (e.g. division by zero), no helpful error is thrown. The .aspx page just gets an error from the LoadControl method that the control to load cannot be found (404), but in fact it contains a faulty module.
Is it possible to get the error of the module from within the .aspx page for better troubleshooting? Can I get information that (in this example) there is a division by zero error in module (nested user control) xy?
View 6 Replies
Jun 11, 2010
I have quite a number of user controls that I need to embed in Umbraco macros. Each user control has quite a bit of in page javascript that needs loaded into the page.
I have been building up the javascript with StringBuilder.Appendline then registering a startup script with code behind but this stinks and I feel there has to be a better way of going about this.
View 1 Replies
Apr 20, 2010
I want to save widths of all my gridview columns in cookies on unloading the page.
How to handle the page unload event from a user control, as my gridview is in a user control?
View 7 Replies
Jun 26, 2010
I am working in ASP.NET and C#. We have 10 users, but certain users only need to do data entry. How do I enable and disable access to certain forms based on the user, like add, modify, view options?
View 1 Replies
Jul 29, 2010
I have a custom ascx user control on my page that includes a dropdownlist. There is an onSelectedIndexChanged event handler that is connected to this dropdownlist. The first time the user selects a value, the page does a postback and the logic executes correctly. However, if the user then goes to change their selection, the event handler does not get triggered.
View 3 Replies
Jul 12, 2010
I'm using DotNetOpenAuth as my membership system, and the way I have it working now seems to be working quite well. What I'd like to do however is build into my website the ability to check user credentials against the AuthCookie rather than a session. In the membership provider, I can check for the username like this
string UserName = System.Web.HttpContext.Current.User.Identity.Name;
''# which returns the OpenId ClaimedIdentifier
What I'm wondering is if there is a way to extend this so that I can retrieve custom properties from the AuthCookie rather than having to create my own session object. Currently I have this setup.
UserSessionModel
Namespace Domain
    Public Class UserSessionModel
        Public Property ID As Integer
        Public Property RegionID As Integer
        Public Property Username As String
        Public Property Slug As String
        Public Sub New(ByVal user As User)
            _ID = user.ID
            _RegionID = user.RegionID
            _Username = user.UserName
            _Slug = Replace(user.UserName, " ", "-")
        End Sub
    End Class
End Namespace
BaseController (inherited by all controllers)
Protected Overrides Function CreateActionInvoker() As System.Web.Mvc.IActionInvoker
    ''# Create a UserInfo object for the logged in user
    ''# and store it in a session state.
    If Session("UserInfo") Is Nothing AndAlso User.Identity.IsAuthenticated Then
        Dim user As Domain.UserSessionModel = New Domain.UserSessionModel(OpenIdService.GetOpenId(HttpContext.User.Identity.Name).User)
        Session("UserInfo") = user
    End If
    Return MyBase.CreateActionInvoker()
End Function
Then in my views I do something like this
<%
Dim user As MyApp.Core.Domain.UserSessionModel = DirectCast(Session("UserInfo"), MyApp.Core.Domain.UserSessionModel)
%>
<%: Html.ActionLink(user.UserName, "Details", "Users", New With {.id = user.ID, .slug = user.Slug}, Nothing)%>
What I really need to be able to do is remove the Session stuff all together and just simply check the AuthCookie for my custom properties ID, RegionID, Username, and Slug. I can already get the "ClaimedIdentifier" out of the AuthCookie using HttpContext.User.Identity.Name... I just need to be able to extend it.
View 1 Replies
Jan 20, 2011
Our site is expected to allow the user to do whatever they want from a number of different places. Except that doing whatever they want really means firing off mini sequences of pages they must visit (or possibly abort from to go off to another task) before returning to their starting point. So, at any given time, the user has a list of pages they are allowed to go to, a list of pages they must go to in order to complete their task, and some end point they must eventually return to, all of which are constantly changing.
As an example, a user may choose to edit an order they placed, at which point they must step through a series of pages to edit the order. These pages to edit an order may be different based on the type of order they are editing, and they must return to whatever place they were at when they decided to start editing the order. They may also have certain options of other pages to visit during their order editing process.
I really need a good way to handle this for a large number of different scenarios, and allow it to be easily changed. Right now we are doing things like setting session variables when a user chooses an action and checking them within the page on button handlers to see what they are allowed to do or where they are allowed to go. I'd love to be able to abstract this out into something that can be easily examined in one place, or even data driven, and have some sort of navigation controller pointing them to the pages they can or must go.
View 6 Replies
Aug 23, 2010
On my master page, I have a "Search textbox" and "Search Button". On my content page, I have a "User Control" which has a "GridView". It shows some data about Vendors. Also, on this User Control's Page Load, I have code written to display all vendors in the GridView. Now, when the user enters a Vendor Number in "Search textbox" and hits "Search Button", I want to handle this event inside my User Control. How to do this?
View 2 Replies