
There are two users:

admin with systemAdmin role and not powerUser role

powerUser with powerUser role and not systemAdmin role

I have the following config in the Web.config file located in the Project\SystemAdmin directory:

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!--Test Result: admin can access, powerUser is denied-->
  <location path="TestPowerUser.aspx">
    <system.web>
      <authorization>
        <allow roles="powerUser"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

  <!--Test Result: admin can access, powerUser is denied-->
  <location path="TestPowerUserDisallowSysAdmin.aspx">
    <system.web>
      <authorization>
        <allow roles="powerUser"/>
        <deny roles="systemAdmin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

  <!--Test Result: admin is denied, powerUser is denied-->
  <location path="TestDisallowAll.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

  <!--Test Result: admin can access, powerUser is denied for all other pages in directory-->
  <system.web>
    <authorization>
      <allow roles="systemAdmin"/>
      <deny users="*"/>
    </authorization>
  </system.web>

</configuration>

When testing with the admin user (systemAdmin role):

TestPowerUser.aspx can be viewed (expected)

TestPowerUserDisallowSysAdmin.aspx can be viewed (unexpected)

TestDisallowAll.aspx cannot be viewed (expected)

All other pages within directory can be viewed (expected)


When testing with the powerUser user (powerUser role):

TestPowerUser.aspx cannot be viewed (unexpected)

TestPowerUserDisallowSysAdmin.aspx cannot be viewed (unexpected)

TestDisallowAll.aspx cannot be viewed (expected)

All other pages within directory cannot be viewed (expected)


What can I be doing wrong? I am new to ASP.NET development and will update with any other required details that may be asked.


EDIT: I tried the answer to the question below; it is still not working as expected.

ASP.NET Forms Auth Allowing access to specific file in subdirectory when all others should be denied

Teeracroptus

1 Answer


It appears that the problem is due to the file name extensions. There need to be two location tags per file, one with and one without the file name extension. So for the TestPowerUser.aspx file, the location tags should be as follows:

<location path="TestPowerUser.aspx"> <!--note the inclusion of the extension-->
  <system.web>
    <authorization>
      <allow roles="powerUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="TestPowerUser"> <!--note the omission of the extension-->
  <system.web>
    <authorization>
      <allow roles="powerUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

The page-specific authorization works only when both location tags exist.

Teeracroptus
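The following Python script is an added example, not code from the question or the answer. It models how ASP.NET URL authorization judges a request against the Web.config posted in the question: the rule set is the `<location>` whose `path` equals the request path relative to the directory holding the Web.config (otherwise the directory-level `<system.web>` rules), and within a rule set the `allow`/`deny` elements are walked in document order, first match wins, with access granted when nothing matches. Run over the two test accounts it reproduces both result tables from the question: when the URL carries the `.aspx` extension the page-specific rules apply as written, and when the URL is extensionless (as it is when ASP.NET routing or friendly URLs strip the extension, which is an assumption about the poster's project, not something the page states) no `<location>` matches and the directory-level rules decide, which is exactly the pattern of "unexpected" results reported. `with_extensionless_locations` generalizes the answer's workaround to every `<location>` in the file. The matching is a simplified approximation (no HTTP `verbs`, no `?` anonymous-user rule, no routing table); treat it as a reasoning aid, not as the framework's implementation.

```python
"""Model of how ASP.NET URL authorization evaluates the Web.config in the question.

Added example, not code from the question or the answer. Approximates
UrlAuthorizationModule: pick the <location> whose path equals the request path
relative to this Web.config's directory (else the directory-level <system.web>),
then walk allow/deny rules in order, first match wins, allow when nothing matches.
Verb attributes, the "?" anonymous rule and ASP.NET routing are left out.
"""
import copy
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed copy of the question's Project\SystemAdmin\Web.config (comments dropped).
WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="TestPowerUser.aspx">
    <system.web><authorization>
      <allow roles="powerUser"/><deny users="*"/>
    </authorization></system.web>
  </location>
  <location path="TestPowerUserDisallowSysAdmin.aspx">
    <system.web><authorization>
      <allow roles="powerUser"/><deny roles="systemAdmin"/><deny users="*"/>
    </authorization></system.web>
  </location>
  <location path="TestDisallowAll.aspx">
    <system.web><authorization><deny users="*"/></authorization></system.web>
  </location>
  <system.web><authorization>
    <allow roles="systemAdmin"/><deny users="*"/>
  </authorization></system.web>
</configuration>"""

# The two test accounts from the question: user name -> roles.
USERS: Dict[str, List[str]] = {"admin": ["systemAdmin"], "powerUser": ["powerUser"]}

Rule = Tuple[str, List[str], List[str]]  # (allow|deny, users, roles), all lower-cased


def parse_config(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text.strip().encode("utf-8"))


def _split(attr: str) -> List[str]:
    return [v.strip().lower() for v in attr.split(",") if v.strip()]


def _rules(auth: Optional[ET.Element]) -> List[Rule]:
    # Document order is preserved: ASP.NET stops at the first matching rule.
    if auth is None:
        return []
    return [(el.tag, _split(el.get("users", "")), _split(el.get("roles", "")))
            for el in auth if el.tag in ("allow", "deny")]


def rules_for_request(root: ET.Element, request_path: str) -> List[Rule]:
    """Rule set that judges a request for request_path (relative to this Web.config)."""
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == request_path.lower():
            return _rules(loc.find("system.web/authorization"))
    return _rules(root.find("system.web/authorization"))  # directory-level fallback


def evaluate(rules: List[Rule], user: str, roles: List[str]) -> bool:
    roles_lc = {r.lower() for r in roles}
    for verdict, users, rule_roles in rules:
        if "*" in users or user.lower() in users or roles_lc.intersection(rule_roles):
            return verdict == "allow"
    return True  # no rule matched: ASP.NET grants access


def is_authorized(root: ET.Element, user: str, request_path: str) -> bool:
    return evaluate(rules_for_request(root, request_path), user, USERS[user])


def with_extensionless_locations(root: ET.Element) -> ET.Element:
    """The answer's workaround, generalised: twin each <location path="X.aspx"> with path="X".

    An extensionless URL such as /SystemAdmin/TestPowerUser never equals
    "TestPowerUser.aspx", so without the twin it falls through to the directory rules.
    """
    new_root = copy.deepcopy(root)
    for loc in list(new_root.findall("location")):
        stem, ext = os.path.splitext(loc.get("path", ""))
        if ext:
            twin = copy.deepcopy(loc)
            twin.set("path", stem)
            new_root.insert(list(new_root).index(loc) + 1, twin)
    return new_root


def access_matrix(root: ET.Element, request_paths: List[str]) -> Dict[Tuple[str, str], bool]:
    return {(u, p): is_authorized(root, u, p) for u in USERS for p in request_paths}


if __name__ == "__main__":
    original = parse_config(WEB_CONFIG)
    fixed = with_extensionless_locations(original)
    for label, cfg in (("as posted", original), ("with extensionless twins", fixed)):
        print(f"--- {label} ---")
        for (user, path), ok in access_matrix(cfg, ["TestPowerUser.aspx", "TestPowerUser"]).items():
            print(f"{user:10s} {path:22s} {'allowed' if ok else 'denied'}")
```

Two practical caveats follow from the model. First, URL authorization is matched against the request path as the pipeline sees it, so every alias a page can be reached by (with and without extension, through any route) needs its own `<location>`, and a forgotten alias silently falls back to the directory rules; keeping pages with different role requirements in separate directories with their own Web.config avoids that enumeration. Second, because the directory-level rules here deny everyone but systemAdmin, a `<location>` that is not matched fails closed for powerUser but open for admin, which is why the admin could open TestPowerUserDisallowSysAdmin.aspx despite the `deny roles="systemAdmin"` rule. A role check in the page code itself (for example `User.IsInRole`) is a useful second line of defence that does not depend on path matching.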