So I have made a page called AdminPanel.aspx which I am trying to protect in a way that only a specific usergroup can access it.

My user table in SQL has a column for the usergroup, where normal users have Usergroup = 1 and admins have Usergroup = 2; that is how the users are categorized.

I can set up the page, but I have no idea how I can protect it so that a specific usergroup number cannot access it, and as a matter of fact how do I prevent not-logged-in users from accessing it?

Once a user does log in, I have made sure a session is created.

I'm using a 3-layer architecture as follows:

Entity Layer, Business Layer and Data Access Layer.

The login function I've done so far is as follows:

    // Login button handler (the method signature is assumed; the question only shows its body)
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string mail = Request["EmailAddress"].ToString();
        string password = Request["PassWord"].ToString();
        User newuser = new User(mail, password);

        if (UserBClass.verifyUser(newuser))
        {
            // Reload the full user record (including Usergroup) and keep it in the session
            newuser = UserBClass.login(newuser);
            Session["User_Session"] = newuser;
            var my = (User)Session["User_Session"];

            if (my.Usergroup == "1")
            {
                Page.ClientScript.RegisterStartupScript(this.GetType(), "redirect member",
                    "alert('You Are Now Successfully Logged In!'); location.href='Default.aspx';",
                    true);
            }
            else if (my.Usergroup == "2")
            {
                Page.ClientScript.RegisterStartupScript(this.GetType(), "redirect administrator",
                    "alert('Welcome Admin!'); location.href='AdminPanel.aspx';",
                    true);
            }
        }
        else
        {
            Page.ClientScript.RegisterStartupScript(this.GetType(), "redirect wrong credentials",
                "alert('Incorrect Username Or Password'); location.href='Login.aspx';",
                true);
        }
    }

I check the Usergroup using an if condition to differentiate the type of user (Normal, Admin, etc.).

Any Ideas?

  • In MVC you can do it using the Authorize attribute for the specific controller action; in WebForms you can try and search for equivalents of this functionality, e.g.: [link](http://stackoverflow.com/questions/4217576/is-there-an-authorizeattribute-equivalent-to-just-standard-web-forms-not-mvc-f), [link](http://stackoverflow.com/questions/10703719/mixing-asp-net-webforms-and-mvc-authorization). – Dano Jan 07 '16 at 09:28
  • How do you access the admin page through a menu link? – mck Jan 07 '16 at 09:40

3 Answers

0

Once you have authenticated the user, make sure that the user's role is set correctly according to Usergroup, viz. admin for 2 or normalUser for 1, for example. Then in your web.config file, use the following configuration to make your AdminPanel.aspx page accessible only to admin users.

  <location path="AdminPanel.aspx">
    <system.web>
      <authorization>
        <allow roles="admin"/>
        <!-- Without this deny, everyone else falls through to the site-wide rules, which allow all users by default -->
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

I have used FormsAuthenticationTicket with forms authentication to identify users. So after authentication you may create this ticket and assign the specific role while creating it. The following links might help you with FormsAuthenticationTicket:

http://csharpdotnetfreak.blogspot.com/2009/02/formsauthentication-ticket-roles-aspnet.html

http://www.codeproject.com/Articles/6773/Form-Authentication-Tickets

Yogi
  • I get the web.config and I do authenticate the user, but how do you set "roles"? Because the way I differentiate the users is via the usergroup column, where the admin will be of usergroup "2". – Andrew Jones Jan 07 '16 at 09:34
  • @AndrewJones - Updated my answer, assuming `FormsAuthenticationTicket` is used for authentication. If you are authenticating the session with some different methodology, please edit your question with the respective code. – Yogi Jan 07 '16 at 09:44
  • I have updated the question with the code. I am trying to retrieve the usergroup for the separate pages such as AdminPanel.aspx to prevent other usergroups from accessing it. – Andrew Jones Jan 07 '16 at 10:00
  • @AndrewJones Thanks for your update. It is not the proper way of using authentication in a web application; ideally you should create an authentication cookie after you validate the user, and for all subsequent requests that cookie will be used to identify the user. Please follow this link and change your approach a bit - http://csharpdotnetfreak.blogspot.com/2009/02/formsauthentication-ticket-roles-aspnet.html – Yogi Jan 07 '16 at 10:17
  • Thanks for the link, it's really helpful, but I do not understand how "roles" work. How do I define them? – Andrew Jones Jan 07 '16 at 10:31
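A worked version of the ticket-plus-roles approach this answer describes, added here as an example and not the answerer's own code: it maps the question's Usergroup values to role names, carries the role in the ticket's UserData, and rebuilds the principal on every request so the web.config `<allow roles="admin"/>` rule has something to evaluate. It assumes `<authentication mode="Forms">` is configured; the class name RoleAuth, the method names and the 30-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleAuth
{
    // Translate the question's numeric Usergroup column into a role name (assumed mapping).
    public static string MapGroupToRole(string usergroup)
    {
        switch (usergroup)
        {
            case "2": return "admin";
            case "1": return "normalUser";
            default: throw new ArgumentException("Unknown usergroup: " + usergroup);
        }
    }

    // Call after UserBClass.verifyUser succeeds. The role rides in the ticket's UserData;
    // FormsAuthentication.Encrypt signs and encrypts it, so the browser cannot edit its group.
    public static void IssueTicket(HttpResponse response, string email, string usergroup)
    {
        var ticket = new FormsAuthenticationTicket(
            1, email, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, MapGroupToRole(usergroup), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                       // keep page script away from the ticket
            Secure = FormsAuthentication.RequireSSL
        };
        response.Cookies.Add(cookie);
    }

    // Call from Global.asax Application_AuthenticateRequest:
    //   RoleAuth.AttachPrincipal(HttpContext.Current);
    // UrlAuthorizationModule then evaluates <allow roles="admin"/> against context.User.
    public static void AttachPrincipal(HttpContext context)
    {
        var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return; }  // malformed or tampered cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;

        context.User = new GenericPrincipal(new FormsIdentity(ticket), new[] { ticket.UserData });
    }
}
```

Pair this with a `<deny users="*"/>` after the `<allow roles="admin"/>` in the location element, otherwise non-admin users still fall through to the site-wide rules.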
0

You can prevent logged-in users from accessing the admin page in different ways, from web.config or from code-behind. For example:

   // Read the current user's group from the session object stored at login (see the question),
   // rather than from an undefined Usergroup variable
   var current = Session["User_Session"] as User;
   if (current == null || current.Usergroup != "2")   // C# has no .equals(); use != or .Equals()
   {
        Response.Redirect("somepage.aspx");
   }

For not-logged-in users you can check the session in the master page, for example:

 // Convert.ToString(null) yields "", so this also covers a missing session value
 if (string.IsNullOrEmpty(Convert.ToString(Session["LoginId"])))
 {
       Response.Redirect("somepage.aspx");
 }
mck
  • Yes, that is how I'm trying to do it, but I am unable to retrieve the Usergroup from that specific user's session for separate pages. That is the problem; I've updated my code. – Andrew Jones Jan 07 '16 at 10:00
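A centralised form of the code-behind check this answer describes, added as an example that is not the answerer's code: a base Page class that AdminPanel.aspx inherits so the session and Usergroup checks run in OnInit, before any page logic, and cannot be forgotten on a new protected page. The class name AdminBasePage and the redirect targets are assumptions; the User type and the "User_Session" key come from the question.

```csharp
using System;
using System.Web.UI;

// Make the protected page inherit this instead of Page:
//   public partial class AdminPanel : AdminBasePage { ... }
public class AdminBasePage : Page
{
    // Value the question's Usergroup column uses for administrators.
    private const string AdminGroup = "2";

    protected override void OnInit(EventArgs e)
    {
        // Runs before Page_Load, so admin-only data is never loaded for a rejected request.
        var current = Session["User_Session"] as User;   // User type and key come from the question

        if (current == null)
        {
            // No session at all (never logged in, or the session expired).
            Response.Redirect("Login.aspx");   // default overload ends the response; nothing below runs
        }
        else if (current.Usergroup != AdminGroup)
        {
            // Logged in, but not an administrator. Compare server-side session state only;
            // never trust a group value sent by the browser.
            Response.Redirect("Default.aspx");
        }

        base.OnInit(e);
    }
}
```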
0

Create a table which contains the list of forms. Create another table for user roles.

Then, in a mapping or junction table, create a UserRole-to-Form mapping. You can use a Repeater control to display the menu after the login page.

D. Jayesh