0

So I have a login page and three users. All three users have a primary ID - name, email, username, password - and all the data is already entered for this.

  • Patient - folder pages - Information.aspx ordermed.aspx
  • Doctor - folder pages - Patientinfo.aspx Patientsorders.aspx
  • Pharmacy - folder pages - Pharmacyinfo.aspx prescriptionorders.aspx

The patient orders from a range of their medications on the link table (patient ID and Med ID).

The order gets sent through to the doctor, who approves or disapproves,

and the pharmacy can see the approved orders from the order table.

What I want to do is only allow the doctor/patient/pharmacy to access their pages with corresponding information.

I have set a session variable that provides a change to a label that says approved when an approved user logs in:

```vb
Imports System.Data.SqlClient
Imports System.Data

Partial Class Pages_Login
    Inherits System.Web.UI.Page

    Protected Sub btnlogin_Click(sender As Object, e As EventArgs) Handles btnlogin.Click
        Dim patientNo As String
        Dim password As String
        Dim bAuthethicated As Boolean
        patientNo = txtuser.Text
        password = txtpassword.Text
        ' CheckUser returns the matching PatientId, or 0 when nothing matched
        bAuthethicated = CheckUser(patientNo, password) > 0

        If bAuthethicated Then
            lblresult.Text = "Login details are correct"
        Else
            lblresult.Text = "Incorrect Student Number and/or Password"
        End If
    End Sub

    ' Looks the user up in the Patient table and stores the id in the session
    Public Function CheckUser(patientNo As String, password As String) As Integer
        Dim cmdstring As String = "SELECT * FROM Patient  Where Username=@PATIENTNO AND Password=@PASSWORD"
        Dim found = 0
        Using conn As New SqlConnection("Data Source=(LocalDB)\v11.0;AttachDbFilename=C:\Users\Laura\Final_proj\App_Data\surgerydb.mdf;Integrated Security=True;Connect Timeout=30")

            Dim cmd = New SqlCommand(cmdstring, conn)
            ' Parameters keep the user input out of the SQL text
            cmd.Parameters.Add("@PATIENTNO", SqlDbType.NChar).Value = patientNo
            cmd.Parameters.Add("@PASSWORD", SqlDbType.NChar).Value = password
            conn.Open()

            Dim reader = cmd.ExecuteReader()

            While reader.Read()
                Session("PatientId") = CInt(reader.Item("PatientId"))
                found = CInt(reader.Item("PatientId"))
            End While

            reader.Close()
        End Using
        Return found
    End Function

End Class
```

However, I want to restrict the others from seeing the other pages; I want a logged-in patient to gain access to their own individual information. Can someone please help? I have been trying to get this to work all weekend. Kind regards

Laura

laurajs
  • Possible duplicate of [Restricting certain page functionality or user interface to authenticated users in Asp.Net](http://stackoverflow.com/questions/10186549/restricting-certain-page-functionality-or-user-interface-to-authenticated-users) – Paddy Mar 14 '16 at 15:22
  • That is not my question and they are using C# – laurajs Mar 14 '16 at 15:25
  • C#/VB.net, the underlying mechanism to use is the same. You use Roles to define what pages they can access, but how you restrict access to their own information depends very much on how your data is structured, and is probably too broad for this format. – Paddy Mar 14 '16 at 15:49
  • In essence, you need to have the 'user' linked to their own data in your database and only show them those items they are linked to. – Paddy Mar 14 '16 at 15:49
  • If I could make a small suggestion, given the difficulties you are finding in implementing this and the sensitivity of the information you are dealing with (data loss, or incorrect display of this data in my jurisdiction would be a serious offence), may I suggest doing a little further ASP.net training around authentication prior to proceeding. You really want to get this right. – Paddy Mar 15 '16 at 09:13

1 Answer

0

You should use a Sitemap.xml file and place it in the root of your site. It would look something like this:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode roles="*">
    <siteMapNode title="Home" url="~/default.aspx" roles="*"  description=""/>
    <siteMapNode title="Courses" url="" roles="*" description="">
      <siteMapNode title="Live Virtual Training" url="~/VirtualTraining.aspx"  description=""/>
      <siteMapNode title="Course Catalog" url="~/Catalog.aspx"  description=""/>
      <siteMapNode title="Recorded Courses" url="~/RecordedCourses.aspx"  description=""/>
    </siteMapNode>
    <siteMapNode title="Get MSDN" url="~/msdn.aspx" roles="*" description="" />
    <siteMapNode title="RSS" url="~/RSS/Default.aspx" roles="*" description="">
      <siteMapNode title="MSDN Magazine" url="~/RSS/MsdnMagazineRss.aspx" description=""/>
      <siteMapNode title="MSDN Virtual Labs" url="~/RSS/MsdnVirtualLabs.aspx" description=""/>
      <siteMapNode title="C#" url="~/RSS/CsharpRss.aspx" description=""/>
    </siteMapNode>
    <siteMapNode title="Blog" url="~/wordpress/index.php" roles="*" description="" />
    <siteMapNode title="Trainers Wanted" url="~/Trainers.aspx" roles="*" description=""/>
    <siteMapNode title="About Us" url="~/About.aspx" roles="*" description=""/>
    <siteMapNode title="Contact Us" url="~/Contact.aspx" roles="*" description=""/>
    <siteMapNode title="Student Resources" description="" roles="Administrators, Student">
      <siteMapNode title="Files" url="~/Files/Default.aspx" description="" roles="Administrators, Student" />
      <siteMapNode title="Recordings" url="~/Recordings/Default.aspx" description="" roles="Administrators, Student" />
    </siteMapNode>
    <siteMapNode title="Administrative" description="" roles="Administrators">

    </siteMapNode>
  </siteMapNode>

</siteMap>
```

Notice that certain paths are marked with the roles= attribute? This allows you to tap into the ASP.NET Membership and Roles database and allow only certain members access to certain areas of your site.

Scott Marcus
  • can you do this using role manager? this is for already created users on my database – laurajs Mar 14 '16 at 15:29
  • Note that this *only* controls the visibility of these pages in the rendered menu. It does not stop people from browsing directly to these pages. – Paddy Mar 14 '16 at 15:46
  • @ScottMarcus - I think you need to read that again "Site-map security trimming provides a way to hide navigational links in a site map, also based on security roles. " and also "The following code example sets the roles attribute for the Support page to Customers. After enabling security trimming, this setting allows users in the Customers role to view the navigation link to the Support page, even if they are not permitted to view the actual file by URL authorization or file authorization." – Paddy Mar 14 '16 at 15:53
  • I know that it hides the link, but it also prevents access. I've been using it for years. Try to navigate to: http://techtrainsolutions.com/Files/Default.aspx - - You'll be directed back to the login because of this: – Scott Marcus Mar 14 '16 at 15:58
  • @Paddy what is the best way I should go about doing this – laurajs Mar 14 '16 at 15:59
  • @laurajs This is the best way... Assuming you have roles defined. Paddy is incorrect about the security trimming. See my last comment. – Scott Marcus Mar 14 '16 at 16:00
  • @ScottMarcus I am trying this out, I have made the change 'code' 'code' to the web config file but how do I actually get on the WSAT website to set the roles? – laurajs Mar 14 '16 at 16:00
  • By the way Security Trimming is how SharePoint implements its user security. – Scott Marcus Mar 14 '16 at 16:00
  • @laurajs Does this help: https://msdn.microsoft.com/en-us/library/5k850zwb(v=vs.100).aspx – Scott Marcus Mar 14 '16 at 16:04
  • @ScottMarcus I have gone on this before but it does not tell me how I actually get on the WSAT page to grant the permissions to certain users. – laurajs Mar 14 '16 at 16:07
  • I'm sorry. Can you tell me what "WSAT" is? – Scott Marcus Mar 14 '16 at 16:08
  • @ScottMarcus the asp.net website administration tool – laurajs Mar 14 '16 at 16:10
  • LOL! Sorry, I just never used its acronym! "To access the Web Site Administration Tool, on the Website menu, click ASP.Net Configuration." – Scott Marcus Mar 14 '16 at 16:11
  • @ScottMarcus this appears to be Visual Studio 2010 - when I go to the website tab, ASP.NET Configuration does not appear - I am using Visual Studio 2013 – laurajs Mar 14 '16 at 16:21
  • Sorry, I didn't know that. I believe this will help: http://stackoverflow.com/questions/20541680/visual-studio-2013-and-asp-net-web-configuration-tool – Scott Marcus Mar 14 '16 at 16:23
  • Awh I am so lost in need of serious help :( – laurajs Mar 14 '16 at 16:57
  • @ScottMarcus is there any way of messaging you – laurajs Mar 14 '16 at 17:04
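
The two points raised in the comments (a hidden menu link does not block a directly typed URL, and each user must be tied to their own rows) can be enforced in the page itself. The base class below is an added example, not code from the question or the answer. It assumes the login code also stores `Session("Role")`, that the login page is at `~/Pages/Login.aspx`, that web.config has a connection string named `SurgeryDb`, and that there is an `Orders` table with `OrderId`, `PatientId`, `MedId` and `Status` columns; all of these names are hypothetical.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

' Added example: base class for the pages in the Patient folder.
' Assumed names: Session("Role"), ~/Pages/Login.aspx, "SurgeryDb",
' and the Orders table columns used in the query.
Public Class PatientPage
    Inherits System.Web.UI.Page

    ' Runs on every request, including URLs typed directly into the browser.
    Protected Overrides Sub OnInit(e As EventArgs)
        MyBase.OnInit(e)
        If Session("PatientId") Is Nothing OrElse
           Not String.Equals(TryCast(Session("Role"), String), "Patient") Then
            ' Redirect ends the response, so no page code runs after it.
            Response.Redirect("~/Pages/Login.aspx")
        End If
    End Sub

    ' The id comes from the server-side session only, never from the query
    ' string or a form field, so one patient cannot ask for another's rows.
    Protected ReadOnly Property CurrentPatientId As Integer
        Get
            Return CInt(Session("PatientId"))
        End Get
    End Property

    ' Returns only the orders that belong to the logged-in patient.
    Protected Function LoadOwnOrders() As DataTable
        Dim sql = "SELECT OrderId, MedId, Status FROM Orders WHERE PatientId = @PatientId"
        Dim cs = ConfigurationManager.ConnectionStrings("SurgeryDb").ConnectionString
        Dim orders As New DataTable()
        Using conn As New SqlConnection(cs), cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@PatientId", SqlDbType.Int).Value = CurrentPatientId
            conn.Open()
            Using reader = cmd.ExecuteReader()
                orders.Load(reader)
            End Using
        End Using
        Return orders
    End Function
End Class
```

In a Web Site project the class goes in `App_Code`, and the code-behind of `Information.aspx` and `ordermed.aspx` would use `Inherits PatientPage`. The Doctor and Pharmacy folders would get the same kind of base class with their own role name and id.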