locked
Folder Level Access Before User Logs In RRS feed

  • Question

  • User325035487 posted

    I have this code in the _PageStart File in each folder

        //Module Access
        string current = Request.Url.AbsolutePath.TrimStart('/');
        var foldername = current.Split('/').First().ToLower();
        bool modaccess = false;
        string modules = "";
        if (Session["modules"] != null)
        {
            modules = (string)Session["modules"]; //a simple string like "Admin,CMMS,Education" ...
            if (modules.ToLower().Contains(foldername))
            {
                modaccess = true;
            }
        }
        if (!modaccess)
        {
            Response.Redirect("~/AccessDenied?returnUrl=/" + current, false);
        }
        else if (!Roles.IsUserInRole(WebSecurity.CurrentUserName, "Admin"))
        {
            Response.Redirect("~/AccessDenied", false);
        }
    

    As you can see I am setting by default module access to false and redirecting them to Access denied page which lets them go to log in page and back again. At this point I am checking their role before granting access. This is required as I have multiple sites which don't get access to all modules.

    I have the PageStart in my folder "Admin"

    The problem is when I try a url like http://mysite/Admin/Backup.cshtml the backup is running first before the user gets redirected. I was under the impression that pagestart gets executed first no matter what. So I tried adding     WebSecurity.RequireAuthenticatedUser(); to the top of the pagestart file. It complicated things further by trying to redirect to

    http://mysite/Account/Login

    But my login page is http://mysite/default.cshtml

    Any help is deeply appreciated.

    Monday, October 19, 2015 3:51 AM

All replies

  • User1313602441 posted
    Websecurity in asp.net assumes that all of such admin configurations are places in ~/Account/ folder.
    That's why when you added the RequireAuthenticatedUser() it gets redirected there. And if it can't find the folder and the file it displays a 404.
    But if you want to change it you can do so in the web.config file.
    I am not really familiar with the method you're using to restrict folder access and user roles. I actually think this method of yours is a bit to complex for this simple task, especially since you're using the Websecurity helper.
    I think the best way to do this is to use the Websecurity.IsAuthenticated property to check if the user is logged in, and if he is, use the RequireRoles() method to check if the user is in the specified role.
    I'll update this response with code in a giffy.
    Friday, January 15, 2016 10:20 AM
  • User325035487 posted

    Require roles user require user to be added to a role. I have about 4000 users spread over a WAN corporate intranet from five branches. I have to restrict access to folders (which i call modules in the above code) to each branch..

    Friday, January 15, 2016 2:13 PM
  • User-821857111 posted

    It complicated things further by trying to redirect to

    http://mysite/Account/Login

    But my login page is http://mysite/default.cshtml

    Account/login is the default path for the WebSecurity helper. You can change that in your web.config:

    <authentication mode="forms">
        <forms loginUrl="/default.cshtml" />
    </authentication>

    The code in the PageStart file should get executed before the requested page is, so perhaps your PageStart logic has a flaw in it. You can explicitly execute the requested page in your pagestart file by calling the RunPage() method. Perhaps you should reorganise the logic using that:

    if(all conditions are satisfied)
    {
        RunPage();
    }
    else
    {
        Response.Redirect(...);
    }

        

    Wednesday, January 20, 2016 8:29 AM
  • User325035487 posted
        <authentication mode="Forms">
          <forms loginUrl="~/Default.cshtml" slidingExpiration="true" timeout="60" />
        </authentication>

    That is my code now. is the ~/ causing the problem?.

    I changed that by removing the ~ . Still I am getting like this when i try to browse to Admin/Backup

    As you can see. The requireauthenitcated user method rediects to /Account/Login. To fix the problem my Account/Login.cshtml just redirects to /Default.cshtml with the returnurl as a parameter.

    Thursday, January 21, 2016 3:27 PM