0

I am not quite sure if I am managing the user roles appropriately in an ASP.NET application. Is such an approach is correct, or incorrect or can be improved?

All the user's are added to the users table in the database, which have fields for example: (userid, name, surname, isAdmin)

In my application, I get the user id using 

Request.Servervariables.Get("LOGON_USER")

and while rendering a page, I run an SQL Query to check if the current user on that page, has 'isAdmin' parameter ='true' in my SQL Server. Then if yes, I render and make the appropriate controls visible. (For example, a link button to the Administrator page)

HOY
  • 1,067
  • 10
  • 42
  • 85

2 Answers2

1

That is not a correct way of doing this. You should use asp.net roleprovider that can easily integrate with membership provider. it makes it easy to trim down page controls/access and role provider is very extendable and scaleable. your approach is very strict and might face problems if application grows.

Shoaib Shaikh
  • 4,565
  • 1
  • 27
  • 35
1

The ASP.Net role provider (which if you don't like, you can roll your own to do basically the same thing but conform to your requirements) is really useful for this. Instead of putting an SQL query at the top of every page (which would be a nightmare later if something had to change), you can say (paraphrasing here)

if (RoleProvider.IsUserInRole(Request.Servervariables.Get("LOGON_USER"), "Admin") == true)
{
   //populate page as admin
}
else
{
   //populate page as not admin
}
CptSupermrkt
  • 6,844
  • 12
  • 56
  • 87