When using Dynamic Data, is there a way to only allow users to see records that contain their name/id #? Meaning that when they filter the data, only their information shows up rather than every user's.
1 Answer
As for implementing security in Dynamic Data, I would like to recommend a great book: ASP.NET Dynamic Data Unleashed by Oleg Sych.
As for your case, as I understand it, you need to display in the GridView on the List.aspx page only the records that contain the id or name of the currently logged-in user.
Let us consider the easiest way of solving your problem while keeping the Dynamic Data approach.
Let us assume, without taking into account how the user gets access to your Dynamic Data site, that we have the user Id in the code-behind of List.aspx. For simplicity, assume that our table contains user Ids.
List.aspx.cs (partially)
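    using System;
    using System.Linq; // Cast<T>() and the query syntax used in QueryExtenderTest_Querying

    public partial class List : System.Web.UI.Page
    {
        // Page fields are not persisted between requests, so this is set on every request.
        protected int userId;

        protected void Page_Load(object sender, EventArgs e)
        {
            // Resolve the user on postbacks too (for example paging); otherwise userId
            // would still be 0 when the query runs. GetLoggedUser() stands for however
            // the site identifies the current user.
            userId = GetLoggedUser();
        }
    }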
Then we should use the special nonvisual control QueryExtender and, using the TargetControlID property, associate it with our LINQ-based data source control (assume we have an EntityDataSource in this case).
List.aspx (partially)
    <asp:GridView
        ID="gvTest"
        runat="server"
        DataSourceID="DetailsDataSourceTest"
        AllowPaging="true"
        AllowSorting="false"
        PageSize="10"
        CssClass="gridview"
        AutoGenerateColumns="false">
        <Columns>
            <asp:DynamicField DataField="UserId" />
            <asp:DynamicField DataField="Col1" />
            <asp:DynamicField DataField="Col2" />
            <asp:DynamicField DataField="Col3" />
        </Columns>
    </asp:GridView>
    <asp:EntityDataSource
        ID="DetailsDataSourceTest"
        runat="server"
        ConnectionString="name=TestEntities"
        DefaultContainerName="TestEntities"
        EnableFlattening="false"
        EntitySetName="TableTestName" />
    <asp:QueryExtender
        ID="QueryExtenderTest"
        runat="server"
        TargetControlID="DetailsDataSourceTest">
        <asp:CustomExpression OnQuerying="QueryExtenderTest_Querying" />
    </asp:QueryExtender>
As you can see, we use the CustomExpression option of the QueryExtender control and set its OnQuerying attribute to QueryExtenderTest_Querying. This allows us to execute our custom LINQ query.
List.aspx.cs (partially)
    protected void QueryExtenderTest_Querying(object sender, System.Web.UI.WebControls.Expressions.CustomExpressionEventArgs e)
    {
        // Always apply the owner filter. Any extra check on userId must not skip it,
        // because an unfiltered e.Query returns every user's rows.
        e.Query = (from c in e.Query.Cast<TableTestName>()
                   where (c.UserId == userId)
                   select c);
    }
For more information:
Walkthrough: Filtering Data in a Web Page Using Declarative Syntax
EDIT:
Based on this simple solution, and depending on how Routing is implemented in your Dynamic Data site, you should also use custom LINQ on the Details.aspx and Edit.aspx pages so that a user cannot access a record that is not their own via the query string.

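The owner filter from the answer, pulled into one helper that List.aspx, Details.aspx and Edit.aspx can share, as an added example that is not part of the original answer. `OwnerFilter`, the `Id` key column and the sample rows are assumptions; in a page it would be called from the `Querying` handler as `e.Query = OwnerFilter.ForUser(e.Query, userId);`.

```csharp
using System;
using System.Linq;

// Constructed stand-in for the answer's TableTestName entity; the Id key is an assumption.
public class TableTestName
{
    public int Id { get; set; }
    public int UserId { get; set; }
    public string Col1 { get; set; }
}

public static class OwnerFilter
{
    // Hypothetical helper: restrict any TableTestName query to one owner.
    // Fails closed: without a resolved user the result is empty, never unfiltered.
    public static IQueryable<TableTestName> ForUser(IQueryable query, int? userId)
    {
        IQueryable<TableTestName> rows = query.Cast<TableTestName>();
        if (!userId.HasValue)
            return rows.Where(r => false);
        int owner = userId.Value;
        return rows.Where(r => r.UserId == owner);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample rows: two belong to user 7, one to user 9.
        IQueryable table = new[]
        {
            new TableTestName { Id = 1, UserId = 7, Col1 = "a" },
            new TableTestName { Id = 2, UserId = 9, Col1 = "b" },
            new TableTestName { Id = 3, UserId = 7, Col1 = "c" },
        }.AsQueryable();

        // List.aspx case: the grid is bound to the current user's rows only.
        Console.WriteLine(OwnerFilter.ForUser(table, 7).Count());

        // Details.aspx / Edit.aspx case: the key arrives in the query string and is
        // user-supplied. The key lookup runs on top of the owner filter, so a key
        // that belongs to another user finds no row.
        int requestedId = 2; // row 2 belongs to user 9
        Console.WriteLine(OwnerFilter.ForUser(table, 7).Any(r => r.Id == requestedId));

        // No resolved user (for example an expired session): nothing is returned.
        Console.WriteLine(OwnerFilter.ForUser(table, null).Count());
    }
}
```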