
I want to restrict access to a particular URL unless the user is a member of 2 different roles. In this case I only want to grant access to this URL if the user is in both the Reporting AND Archiving role. Is there a way to do this in ASP.NET?

<location path="testpage.aspx">
  <system.web>
    <authorization>
      <allow roles="Reporting, Archiving"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

I want something like this:

<location path="testpage.aspx">
  <system.web>
    <authorization>
      <allow roles="Reporting & Archiving"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Jfetner
  • Can it possibly be another role that MEANS report & archive? I can't recall the default implementation of .NET having a function like the one you're requesting, unless you do your own role implementation. – xandy Jul 23 '09 at 15:43
  • You should post that as an answer, xandy. – Greg Jul 23 '09 at 15:45
  • Yes, I can create another role that would encompass both reporting and archiving, but I was trying to avoid that b/c I would have to update existing users to add that role to their profile. I was hoping there was a simple way to do it in the web.config. – Jfetner Jul 23 '09 at 15:46
  • No you shouldn't, because the roles are an 'any' not an 'all'. Any role in the list is granted access, not just those with all. – Adam Sills Jul 23 '09 at 15:47
  • (Note my comment was to Greg; it got a bit out of sequence) – Adam Sills Jul 23 '09 at 15:48
  • No, there's no way to do this without adding a new role to the users or writing some code. – Greg Jul 23 '09 at 16:02

3 Answers

It's kind of ugly, but you can inherit from the role provider you're currently using (SqlRoleProvider, WindowsTokenRoleProvider, AuthorizationStoreRoleProvider), override GetRolesForUser, call the base implementation to get the roles, and combine them as necessary there. Then obviously put your custom role provider in your web.config in the <roleManager> configuration section.

You'd only need to override the one method (and maybe GetUsersInRole) and combine them as necessary.

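// Requires: using System.Collections.Generic;
public override string[] GetRolesForUser( string username ) {
    // Start from the roles the underlying provider reports for this user.
    List<string> roles = new List<string>( base.GetRolesForUser(username) );
    // Add the combined role only when the user holds both roles.
    if( roles.Contains("Reporting") && roles.Contains("Archiving") ) {
        roles.Add("ReportingAndArchiving");
    }
    return roles.ToArray();
}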
Adam Sills

You could create a SQL function which, given a particular user ID, page URL, and list of allowed roles (XML), returns a bit indicating whether access is granted to that URL, and subsequently use that to set a flag which would determine whether to show that as a valid choice in a JavaScript or DHTML menu or whatever.

Darth Continent

You can implement a custom Role Provider. Then you can define a new "fake" role, ReportingAndArchiving, and check if the user belongs to both the Reporting and Archiving roles inside the IsUserInRole method when the ReportingAndArchiving role is requested.
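
The two role-provider answers combined, as an added example (not code from either answer): a provider derived from SqlRoleProvider that exposes a computed ReportingAndArchiving role through both GetRolesForUser and IsUserInRole, so the result is the same whichever method the caller uses. It assumes the site uses SqlRoleProvider; the class name CompositeRoleProvider and the reserved-name handling (filtering a stored role of that name and rejecting it in CreateRole) are assumptions of this example.

```csharp
using System;
using System.Configuration.Provider;
using System.Linq;
using System.Web.Security;

// Added example. "ReportingAndArchiving" is a synthetic role: it is computed
// here and must never exist as a real entry in the role store.
public class CompositeRoleProvider : SqlRoleProvider
{
    private const string Composite = "ReportingAndArchiving";
    private static readonly string[] Required = { "Reporting", "Archiving" };
    // Assumption: role names are compared case-insensitively.
    private static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase;

    private static bool IsComposite(string role) { return Cmp.Equals(role, Composite); }

    // Roles from the store, minus any stored role that collides with the
    // synthetic name (such an entry would otherwise bypass the AND check).
    private string[] StoredRoles(string username)
    {
        return base.GetRolesForUser(username).Where(r => !IsComposite(r)).ToArray();
    }

    private static bool HasAllRequired(string[] roles)
    {
        return Required.All(r => roles.Contains(r, Cmp));
    }

    public override string[] GetRolesForUser(string username)
    {
        string[] roles = StoredRoles(username);
        return HasAllRequired(roles)
            ? roles.Concat(new[] { Composite }).ToArray()
            : roles;
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return IsComposite(roleName)
            ? HasAllRequired(StoredRoles(username))
            : base.IsUserInRole(username, roleName);
    }

    // Refuse to create a real role with the synthetic name.
    public override void CreateRole(string roleName)
    {
        if (IsComposite(roleName))
            throw new ProviderException("'" + Composite + "' is reserved.");
        base.CreateRole(roleName);
    }
}
```

Register the class under `<roleManager>` and reference the computed role with `<allow roles="ReportingAndArchiving"/>`. If `cacheRolesInCookie` is enabled, removing a user from Reporting or Archiving takes effect only once the cached role cookie expires or is cleared.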