I have two roles being used on my site currently, author & admin. Authors cannot access user administration functions. However, they should be able to edit certain parts of their profile. An admin is currently able to edit all parts of a user's profile. For example:
employee ID [admin]
display name [author,admin]
roles [admin]
I would like to re-use code where possible. I'm not sure what the best solution would be here. There are 2 things to deal with:
1. Only allowing a user to edit their own profile and not others
2. Restricting which fields that user can edit vs. which fields an admin can edit
I think #1 is best achieved by a custom Authorize attribute (I already have one I can extend further). If you have a better approach, please share. For #2 I am unsure: a view model? I have my allowed fields bound for a user using a partial class, which would be different for each role.
Your solution for #1 is spot on; you need to use the AuthorizeAttribute.
For #2 you can just do security trimming where you only render for the particular user.
Some pseudo code in your view (or move it to a partial view):
if administrator:
    render employee ID text box
if administrator || author:
    render display name text box
if administrator:
    render roles check list
So you're going to need to control how to determine if the user is in a "role". You can use ASP.NET's Membership Provider or roll something of your own.
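The view trimming above only decides what is rendered; a user can still POST the hidden inputs. The following ASP.NET MVC 5 sketch is an added example (not code from the question or the answer) that enforces both rules server-side: an attribute extending AuthorizeAttribute for "own profile or admin" (rule 1), and one view model per role so model binding can only fill the fields that role may edit (rule 2). ProfileStore.Save and the role names "Administrator" and "Author" are assumed.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Role-specific view models: model binding can only fill the fields this role may edit,
// so an extra "Roles" or "EmployeeId" form field posted by an author is simply ignored
// (binding straight to the full user entity would let those hidden inputs through).
public class AuthorProfileEdit { public string DisplayName { get; set; } }
public class AdminProfileEdit : AuthorProfileEdit { public string EmployeeId { get; set; } public string[] Roles { get; set; } }
// Rule 1: administrators may edit anyone; everyone else only the profile whose route
// {id} equals their own user name. Assumed to extend the asker's existing attribute.
public class OwnProfileOrAdminAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase ctx)
    {
        if (!base.AuthorizeCore(ctx)) return false;           // not authenticated
        if (ctx.User.IsInRole("Administrator")) return true;
        var id = ctx.Request.RequestContext.RouteData.Values["id"] as string;
        return id != null && string.Equals(id, ctx.User.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }
    // Logged in but not the owner: answer 403 instead of redirecting to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated) { base.HandleUnauthorizedRequest(filterContext); return; }
        filterContext.Result = new HttpStatusCodeResult(403);
    }
}

public class ProfileController : Controller
{
    // Rule 2: the target profile comes from the route (already authorized above) and the
    // view model is chosen by role. TryUpdateModel<T> binds by T's static type, so each
    // branch must use its own concrete model rather than a shared base-typed variable.
    [HttpPost, ValidateAntiForgeryToken, OwnProfileOrAdmin]
    public ActionResult Edit(string id)
    {
        if (User.IsInRole("Administrator"))
        {
            var m = new AdminProfileEdit();
            if (!TryUpdateModel(m)) return View(m);
            ProfileStore.Save(id, m);                          // assumed persistence helper
        }
        else
        {
            var m = new AuthorProfileEdit();
            if (!TryUpdateModel(m)) return View(m);
            ProfileStore.Save(id, m);                          // assumed persistence helper
        }
        return RedirectToAction("Details", new { id });
    }
}
```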
I am developing an MVC 5 web application which allows users to select the language and currency displayed to them, where the language and currency they selected are expected to be retrievable throughout the controllers and views.
Do note that the user I am referring to here is an anonymous user (a user who does not log in), so I do not intend to save their selection to the database.
I am thinking of using session to store the selection. However, it does not seem a good choice to me as these are only two values that I need to store in session. Is there any better alternative?
An alternative is to put the language in the URL:
{language}/{controller}/{action}/{id}
e.g.
en/home/index
fr/home/index
The advantage is that the URL is bookmarkable and clearer.
An example implementation: http://adamyan.blogspot.sg/2010/07/addition-to-aspnet-mvc-localization.html
For currency, I'd probably determine it from the user's culture, or at least use that value as the default for first-time users. If you want to let users change it, a cookie is fine in my opinion.
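The route-prefix approach from this answer, as an added example (not the linked implementation and not code from the answer): a constrained {language} route, a global action filter that applies the URL language to the thread culture, and a currency resolved from a cookie with a whitelist fallback. The supported languages, the known currency codes and the language-to-currency defaults are assumed values.

```csharp
using System.Collections.Generic;
using System.Globalization;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public static class LocalizationConfig
{
    // Whitelists: the route constraint rejects any other {language}, and the cookie value
    // is only honoured if it is a known currency, so neither becomes untrusted input.
    const string SupportedLanguages = "en|fr";
    static readonly HashSet<string> KnownCurrencies = new HashSet<string> { "USD", "EUR", "SGD" };
    static readonly Dictionary<string, string> DefaultCurrency =
        new Dictionary<string, string> { { "en", "USD" }, { "fr", "EUR" } };   // assumed mapping

    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.MapRoute("Localized", "{language}/{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional },
            new { language = SupportedLanguages });
        routes.MapRoute("Default", "{controller}/{action}/{id}",          // no prefix: falls back to "en"
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }

    // Currency: the cookie if present and known, otherwise the default for the chosen language.
    public static string ResolveCurrency(HttpRequestBase request, string language)
    {
        var cookie = request.Cookies["currency"];
        if (cookie != null && KnownCurrencies.Contains(cookie.Value)) return cookie.Value;
        return DefaultCurrency[language];
    }
}

// Registered via GlobalFilters.Filters.Add(new RouteCultureFilter()): applies the URL language
// to the thread and stashes the currency in HttpContext.Items, so any controller or view can
// read both without touching Session.
public class RouteCultureFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var language = ctx.RouteData.Values["language"] as string ?? "en";
        var culture = CultureInfo.GetCultureInfo(language);
        Thread.CurrentThread.CurrentCulture = culture;
        Thread.CurrentThread.CurrentUICulture = culture;
        ctx.HttpContext.Items["currency"] = LocalizationConfig.ResolveCurrency(ctx.HttpContext.Request, language);
    }
}
```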
I know you can set the authorize attribute at the controller level and at the action level, but let's say I have a table in a view and I want some users to be able to only see certain columns and some users to edit certain columns. How can I achieve this?
You'd filter the grid based on the user/role (in the controller action that builds the grid). Same for the edit feature: hide or display the edit button for certain users.
There is no out-of-the-box declarative security solution I know of for such a granular level as parts of a view. You should build the views yourself and render some of their parts based on the set of roles that some users have and some users don't. You can also create separate partial views, depending on how much they are going to differ based on the authorization levels in your system.
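Column-level trimming as both answers describe, written out as an added example (not code from either answer): a single role-to-column permission map consulted by the action that builds the grid and again by the action that saves a cell, because hiding the edit button is presentation, not enforcement. The roles, column names and EmployeeRepository are assumed.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// One definition of which grid columns each role may see and which it may edit.
public static class GridPermissions
{
    static readonly Dictionary<string, string[]> Visible = new Dictionary<string, string[]>
        { { "Administrator", new[] { "Name", "Department", "Salary" } }, { "Manager", new[] { "Name", "Department" } } };
    static readonly Dictionary<string, string[]> Editable = new Dictionary<string, string[]>
        { { "Administrator", new[] { "Department", "Salary" } }, { "Manager", new[] { "Department" } } };

    // Union over every role the user holds, so a user with several roles sees all of them.
    static IEnumerable<string> ForUser(Dictionary<string, string[]> map, IPrincipal user)
    { return map.Where(kv => user.IsInRole(kv.Key)).SelectMany(kv => kv.Value).Distinct(); }
    public static List<string> VisibleColumns(IPrincipal user) { return ForUser(Visible, user).ToList(); }
    public static bool CanEdit(IPrincipal user, string column) { return ForUser(Editable, user).Contains(column); }
}

public class GridViewModel
{
    public List<string> Columns;                      // only the permitted columns
    public List<Dictionary<string, string>> Rows;     // each row already trimmed to Columns
    public HashSet<string> EditableColumns;           // the view renders an editor only for these
}

[Authorize]
public class EmployeesController : Controller
{
    public ActionResult Index()
    {
        var columns = GridPermissions.VisibleColumns(User);
        var rows = EmployeeRepository.All()           // assumed: IEnumerable<Dictionary<string, string>>
            .Select(r => r.Where(kv => columns.Contains(kv.Key)).ToDictionary(kv => kv.Key, kv => kv.Value))
            .ToList();
        var editable = new HashSet<string>(columns.Where(c => GridPermissions.CanEdit(User, c)));
        return View(new GridViewModel { Columns = columns, Rows = rows, EditableColumns = editable });
    }

    // The edit button being hidden is not enforcement: the same check runs on the POST.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult UpdateCell(int id, string column, string value)
    {
        if (!GridPermissions.CanEdit(User, column)) return new HttpStatusCodeResult(403);
        EmployeeRepository.Update(id, column, value); // assumed persistence helper
        return new HttpStatusCodeResult(204);
    }
}
```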
Say there are three roles, namely:
Registered
Administrator
Sponsor
I'd like users to be able to self-register as Registered (easy enough out-of-box).
I'd like an Administrator to be able to see all registered users and check off the "Sponsor" checkbox, making the user a Sponsor.
Once the user is "checked" as a Sponsor, the Administrator should be able to add additional parameters for the Sponsor, including logo and Sponsor URL, which webpage(s) they are sponsoring, the valid date range for the sponsorship by webpage, the number of impressions and clicks, and also "paid/not paid".
I'm trying to wrap my head around Memberships and Profiles, and see how they apply to this.
Can anyone provide a general framework as to how I can properly architect this? Are there Nuget packages to do just this?
Advice appreciated.
Maybe my answer to another question will help a bit: Using out of the box aspnet membership for public facing website
In NuGet, Thinktecture.IdentityModel is the way to go.
Use the table profile provider.
You can then edit the values in this table directly through a simple page.
Excluding the profile provider, is there an easy way to add custom fields to ASP.NET membership?
You can then use the web interface to assign a user to a role as an admin:
http://msdn.microsoft.com/en-us/library/t32yf0a9.aspx
Or simply code this page yourself and use Roles.AddUserToRole:
http://msdn.microsoft.com/en-us/library/system.web.security.roles.addusertorole.aspx
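The "check off Sponsor" page suggested in the last answer, as an added example (not code from any of the answers) using the ASP.NET Membership and Roles APIs: an administrator-only controller that lists users with their current Sponsor state and toggles the role on a POST. The role names and the separate Sponsorship table mentioned in the comments are assumptions.

```csharp
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

// Only administrators reach any action here; the role check is declarative on the class.
[Authorize(Roles = "Administrator")]
public class SponsorAdminController : Controller
{
    const string SponsorRole = "Sponsor";

    // Call once at application start so AddUserToRole never fails on a missing role.
    public static void EnsureRoles()
    {
        foreach (var role in new[] { "Registered", "Administrator", SponsorRole })
            if (!Roles.RoleExists(role)) Roles.CreateRole(role);
    }

    public class UserRow { public string UserName; public bool IsSponsor; }

    // The user list with a Sponsor checkbox per row.
    public ActionResult Index()
    {
        var rows = Membership.GetAllUsers().Cast<MembershipUser>()
            .Select(u => new UserRow { UserName = u.UserName, IsSponsor = Roles.IsUserInRole(u.UserName, SponsorRole) })
            .ToList();
        return View(rows);
    }

    // Checkbox POST. The anti-forgery token stops a cross-site request from promoting a user;
    // the state check matters because AddUserToRole/RemoveUserFromRole throw on a no-op.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SetSponsor(string userName, bool isSponsor)
    {
        if (Membership.GetUser(userName) == null) return HttpNotFound();
        bool current = Roles.IsUserInRole(userName, SponsorRole);
        if (isSponsor && !current) Roles.AddUserToRole(userName, SponsorRole);
        else if (!isSponsor && current) Roles.RemoveUserFromRole(userName, SponsorRole);
        // Sponsor-only data (logo, URL, sponsored pages, date range, paid flag) does not belong
        // in the role store; keep it in an assumed Sponsorship table keyed by user name.
        return RedirectToAction("Index");
    }
}
```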
I am developing a web application which will deal with online examination. The requirement is:
There can be n-number of sections in an exam, and admin users should be able to create questions/answers and add them to an exam.
The questions should be displayed for a certain amount of time in the browser with a time clock, and it should move to the next question automatically.
User should not be allowed to open any other instance of the browser or login from another IP if the exam is in progress.
I am seeking the community's vote on how someone would design the application to meet all these criteria. What patterns should be used? What components can help reduce development time, etc.?
My technology stack is C#, ASP.NET MVC or ASP.NET with SQL Server.
Thanks in advance!!!
Rather than re-inventing the wheel, you should look at a solution such as the open-source DotNetNuke and either buy or build an extension for the portion specific to your scenario.
I think for the user app, you should consider a Silverlight app as this will give you granular and secure control over the experience.
Overall the solution would be like this:
DotNetNuke provides the foundation portal/Content Management so you can create a highly customized experience around the exam experience including support for user management etc.
The DotNetNuke extension would enable authorized administrators to manage exams and exam questions.
A webservice wrapper would provide access to the business controller used by the DotNetNuke extension.
A Silverlight app would interact with the web service to enable authenticated users to take their exams.
Overall, such a solution would give you a high degree of control over the user experience while letting you focus time and resources only on what is specific to your situation, building on an existing, robust and popular solution.
(Full disclosure: I am one of the co-founders of the company that manages DotNetNuke. In fairness, you can replace my suggestion for DotNetNuke with Orchard or Umbraco and the solution would be equally valid.)
For the Database side of things you would want something like:
Table Exams (ExamID, ExamName) //to hold all exams
Table Users(UserID, Username, Login, Password) //to hold all users
Table OpenExams(Exam_ID, User_ID) //to hold open exams
Table ExamSections(SectionID, Exam_ID, SectionName) //to hold sections of exams
Table Questions(QuestionID, Section_ID, QuestionName, Question, Answer) //to hold questions
This is of course at its most basic and only one approach of many. You would need to add fields where required.
As for item 2, I would probably do it in the application layer (or in VS). I don't have much experience in web dev, but I would think that ASP could handle that. For item 3, you could run a simple SQL statement to check whether the user trying to access the exam is currently taking the exam.
Let's also start mapping the processes:
User:
1. User logs in (to prevent multiple exams by one user).
2. User "starts" an exam -> time is noted on the server side and a timer is triggered on the client side. User gets dynamic exam page 1.
3. User is done with page 1, clicks next -> Ajax-reload the page content (the questions part). The timer for page 2 is started (server and client side).
3.a) Login detected from a different IP -> session broken, user marked as a cheater :) or the login is simply rejected.
4. User times out on page 2 -> the page content (answers) is automatically submitted. The timers are set for page 3. User gets page 3.
5. User clicks finish -> the exam is finished.
Admin:
Logs in -> show "add exam" option and table of existing exams
Adds an exam - open "exam page", add a new "exam" entity
Adds a page -> new "page" entity added to this exam, questions table is loaded in the GUI
adds a question -> new "question" object added to page
end page -> the page is saved. options for end exam or add page are here.
add page -> go to step 3
finish exam -> save exam
optionally mark exam as "active/inactive"
add tables with "students" and their results and stuff like that.
This needs a lot of work, but when you have this you have the idea of what you need to put in your design.
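The "one open exam per user" and "server-side timer" parts of the process above, as an added example that is not code from either answer: a plain C# guard that stands in for the OpenExams table, issues a random session token at start, refuses a second start, and judges every submission by the server clock rather than the client timer. The page limit, the clock injection and the IP comparison are assumptions; the IP check is deliberately coarse, since NAT and mobile users can change address legitimately.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Server-side record of one open attempt (stand-in for the OpenExams table above).
public class OpenExam
{
    public int ExamId;
    public string Token;          // issued once at start; must accompany every submission
    public string ClientIp;       // coarse check only: NAT/mobile users can legitimately change IP
    public int Page;
    public DateTime PageStartedUtc;
}

public class ExamSessionGuard
{
    public enum Verdict { Ok, NoOpenExam, BadTokenOrIp, WrongPage, TooLate }
    readonly Dictionary<int, OpenExam> open = new Dictionary<int, OpenExam>();   // keyed by user id
    readonly TimeSpan pageLimit;
    readonly Func<DateTime> clock;   // injected so the timeout can be tested without waiting
    public ExamSessionGuard(TimeSpan pageLimit, Func<DateTime> clock)
    { this.pageLimit = pageLimit; this.clock = clock; }

    // Step 2: one open attempt per user; a second start (other browser or IP) is refused.
    public string Start(int userId, int examId, string ip)
    {
        if (open.ContainsKey(userId)) return null;
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = BitConverter.ToString(bytes).Replace("-", "");
        open[userId] = new OpenExam { ExamId = examId, Token = token, ClientIp = ip, Page = 1, PageStartedUtc = clock() };
        return token;
    }

    // Every answer submission is judged by the server clock, never by the client timer.
    public Verdict Check(int userId, string token, string ip, int page)
    {
        OpenExam e;
        if (!open.TryGetValue(userId, out e)) return Verdict.NoOpenExam;
        if (e.Token != token || e.ClientIp != ip) return Verdict.BadTokenOrIp;
        if (page != e.Page) return Verdict.WrongPage;
        if (clock() - e.PageStartedUtc > pageLimit) return Verdict.TooLate;
        return Verdict.Ok;
    }

    // Step 3/4: advance after a valid (or timed-out, auto-submitted) page.
    public void NextPage(int userId) { open[userId].Page++; open[userId].PageStartedUtc = clock(); }
    // Step 5: closing the attempt is what lets the user start again later.
    public void Finish(int userId) { open.Remove(userId); }
}
```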
I have an asp.net page which uses the asp membership control. I want to use the user comment field to hold an additional piece of information. I'm creating the user via the Web Site Administration Tool.
So how would I access the comment field and write it to the page?
OK, I'm not totally mad (well maybe, but that's my state of mind!).
The comment field lives in the aspnet_Membership table: if you create a user and go to manage that user, you see it has a text box labelled Description, and this maps through to the Comment field.
Maybe I'm using the wrong terms! sorry...
I don't quite understand what "comment field" you are talking about, because the default Web Site Administration Tool created users don't have such fields.
If you want to create such a field you would need to implement a different MembershipProvider class or work with Profile properties.
I would recommend reading these articles first:
Examining ASP.NET's Membership, Roles, and Profile
Storing Additional User Information
EDIT:
For that particular "Description" field (which I'm sure wasn't there when I was looking for it >.<), it really does put data into the "aspnet_Membership" table's "Comment" column.
You can easily access it with the MembershipUser class:
@using System.Web.Security
@{ MembershipUser user = Membership.GetUser(); }
@if (user != null)
{
    @user.Comment
}
Razor syntax
EDIT
Membership.GetUser() supports simple overrides, so you don't really need to pass Context.User.Identity.Name as the parameter for the currently logged-on user.
Gotta go with Ilya on this one... I'm not seeing a "comment" field in my instance of Web Site Administration.
But, a possible answer to your question would be ASP.NET Profiles:
http://weblogs.asp.net/scottgu/archive/2005/10/18/427754.aspx