asp.net 2.0 menu control shows restricted item

sparkyborder-softwareengineerorg@yahoo.com
05-10-2006
I've setup the app to disallow the user from clicking to or seeing the
admin functions.

The forced-login works on the click-to-the-restricted-pages, but I can
still see the menu items even when not in the appropriate group.

I have an Administrators role.

web.config restricts both the admin directory and the particular file
in it (redundancy for testing)

<location path="~/admin">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*"/>
</authorization>
</system.web>

</location>
<location path="~/admin/shelters_edit.aspx">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>

The role manager is enabled and forms auth is true:
<roleManager enabled="true"/>
<authentication mode="Forms" />

The sitemap provider is enabled
<siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">

securityTrimmingEnabled is true

<providers>
<remove name="AspNetXmlSiteMapProvider"/>
<add name="AspNetXmlSiteMapProvider"
description="SiteMap provider which reads in .sitemap XML files."
type="System.Web.XmlSiteMapProvider"
securityTrimmingEnabled="true" siteMapFile="Web.sitemap"/>
</providers>
</siteMap>

... and yet, even when the user is not logged in to the Administrators
group the Edit Shelters menu item is visible:

<siteMapNode url="~/login.aspx" title="Login" description="Login"
roles="*" >
    <siteMapNode url="~/admin/shelters_edit.aspx"
    title="Edit Shelters"
    description="Edit Shelters/Rescues" roles="Administrators" />
</siteMapNode>

 
Dominick Baier [DevelopMentor]
05-10-2006
hi,

don't use the ~/ syntax in location elements...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I've setup the app to disallow the user from clicking to or seeing the
> admin functions.
>
> The forced-login works on the click-to-the-restricted-pages, but I can
> still see the menu items even when not in the appropriate group.
>
> I have an Administrators role.
>
> web.config restricts both the admin directory and the particular file
> in it (redundancy for testing)
>
> <location path="~/admin">
> <system.web>
> <authorization>
> <allow roles="Administrators" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <location path="~/admin/shelters_edit.aspx">
> <system.web>
> <authorization>
> <allow roles="Administrators" />
> <deny users="*" />
> </authorization>
> </system.web>
> </location>
> The role manager is enabled and forms auth is true:
> <roleManager enabled="true"/>
> <authentication mode="Forms" />
> The sitemap provider is enabled
> <siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">
> securityTrimmingEnabled is true
>
> <providers>
> <remove name="AspNetXmlSiteMapProvider"/>
> <add name="AspNetXmlSiteMapProvider"
> description="SiteMap provider which reads in .sitemap XML files."
> type="System.Web.XmlSiteMapProvider"
> securityTrimmingEnabled="true" siteMapFile="Web.sitemap"/>
> </providers>
> </siteMap>
> ... and yet, even when the user is not logged in to the Administrators
> group the Edit Shelters menu item is visible:
> <siteMapNode url="~/login.aspx" title="Login" description="Login"
> roles="*" >
> <siteMapNode url="~/admin/shelters_edit.aspx"
> title="Edit Shelters"
> description="Edit Shelters/Rescues" roles="Administrators" />
> </siteMapNode>
>



 
urchin@bogartcomputing.com
05-13-2006
Not sure why that's suggested.

The menu lives in the controls directory. When the web.sitemap binds to
it without the ~/ the system attempts to find everything with controls/
as root.

Removing the tilde slash had no effect on the protected menu
visibility.

 
Dominick Baier [DevelopMentor]
05-13-2006
if you try to access a protected subdirectory - does the authorization element
work?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Not sure why that's suggested.
>
> The menu lives in the controls directory. When the web.sitemap binds
> to it without the ~/ the system attempts to find everything with
> controls/ as root.
>
> Removing the tilde slash had no effect on the protected menu
> visibility.
>
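An added example, not code posted by anyone in this thread: a diagnostic code-behind for an ASP.NET 2.0 page that reproduces the two checks SiteMapProvider.IsAccessibleToUser combines when securityTrimmingEnabled is on. First the node's roles attribute (a "*" or membership in any listed role grants visibility outright), then UrlAuthorizationModule.CheckUrlAccessForPrincipal for the node's URL with verb GET, which is where the <allow>/<deny> rules from web.config come in. It reads Web.sitemap directly so that trimmed nodes are listed too, and prints both checks per node for the current user. The page class name SiteMapAudit and the table layout are assumptions; the file-authorization step the real provider also runs under Windows authentication is left out. It answers the last question in the thread directly: the URL-auth column shows whether the authorization rules are actually reaching the admin URL, and the roles line shows whether the logged-in user is in Administrators at all.

```csharp
// SiteMapAudit.aspx.cs : example diagnostic code-behind (not from the thread).
// Assumed page class name: SiteMapAudit. Restrict this page to Administrators
// in web.config before deploying it, since it lists every protected URL.
using System;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Xml;

public partial class SiteMapAudit : Page
{
    // Separators XmlSiteMapProvider accepts in the roles attribute.
    private static readonly char[] RoleSeparators = { ';', ',' };

    protected void Page_Load(object sender, EventArgs e)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("<p>User: '{0}' authenticated={1}</p>",
            HttpUtility.HtmlEncode(User.Identity.Name), User.Identity.IsAuthenticated);
        if (Roles.Enabled && User.Identity.IsAuthenticated)
        {
            // Empty output here means the role provider returns no roles for this
            // user, so IsInRole("Administrators") can never succeed.
            sb.AppendFormat("<p>Roles from provider: {0}</p>",
                HttpUtility.HtmlEncode(String.Join(", ", Roles.GetRolesForUser())));
        }

        XmlDocument doc = new XmlDocument();
        doc.Load(Server.MapPath("~/Web.sitemap"));  // siteMapFile from the thread's provider config

        sb.Append("<table border=\"1\"><tr><th>title</th><th>url</th><th>roles attr</th>"
                + "<th>roles grant</th><th>URL auth (GET)</th><th>trimmed result</th></tr>");
        foreach (XmlNode node in doc.GetElementsByTagName("siteMapNode"))
        {
            AppendRow(sb, node);
        }
        sb.Append("</table>");
        Response.Write(sb.ToString());
    }

    private void AppendRow(StringBuilder sb, XmlNode node)
    {
        string title = Attr(node, "title");
        string url = Attr(node, "url");
        string roles = Attr(node, "roles");

        // Check 1: the roles attribute is an additive grant. "*" or membership in any
        // listed role shows the node no matter what <authorization> says for its URL.
        bool rolesGrant = false;
        foreach (string raw in roles.Split(RoleSeparators, StringSplitOptions.RemoveEmptyEntries))
        {
            string role = raw.Trim();
            if (role == "*" || User.IsInRole(role))
            {
                rolesGrant = true;
                break;
            }
        }

        // Check 2: URL authorization, i.e. the <allow>/<deny> rules that apply to the
        // node's URL. Only app-relative (~/) URLs are evaluated here (assumption: the
        // sitemap uses that form, as the thread's does); nodes without one are decided
        // by the roles attribute alone.
        bool urlChecked = url.StartsWith("~/");
        bool urlAllows = urlChecked && UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            VirtualPathUtility.ToAbsolute(url), User, "GET");

        // Security trimming shows the node if either check passes.
        bool visible = rolesGrant || urlAllows;

        sb.AppendFormat("<tr><td>{0}</td><td>{1}</td><td>{2}</td><td>{3}</td><td>{4}</td><td>{5}</td></tr>",
            HttpUtility.HtmlEncode(title), HttpUtility.HtmlEncode(url), HttpUtility.HtmlEncode(roles),
            rolesGrant, urlChecked ? urlAllows.ToString() : "n/a", visible ? "VISIBLE" : "hidden");
    }

    private static string Attr(XmlNode node, string name)
    {
        XmlAttribute a = node.Attributes[name];
        return a == null ? String.Empty : a.Value;
    }
}
```

Browse to the page once anonymously and once as a member of Administrators. For ~/admin/shelters_edit.aspx the anonymous row should read roles grant False, URL auth False, hidden. If URL auth reads True for the anonymous user, the <location> rules are not being matched against that path, which is the point of the advice about the ~/ prefix: a location path is written relative to the directory holding that web.config, so the admin folder is path="admin". If the authenticated row shows the roles line empty, the role provider is the problem rather than the sitemap.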



 