I am new to ASP.Net and have inherited a large web application that contains many pages and user roles/permissions.
Role1 = Read only access - all pages - deny access to finance & administration
Role2 = Read only access - all pages including finance - deny access to administration.
Role3 = Read/Write access - deny access to finance & admin pages
All pages are in the app's root directory and use the same master page.
The app is menu based and each area of functionality has a main page with links to more detailed pages.
The current setup is that user roles are checked in a main page's Page_Load event.
If the user role is 'access denied' - all controls are hidden and an access denied message is displayed (the message is not consistent).
If the user role is read only access - all input controls are disabled.
The problem is:
A. only the main pages of each functional area are checked to see if the user role denies access; no checks are done on any detail pages.
B. checks for read only access and disabling of controls is performed within each individual page.
What I would like to do is programmatically redirect the user to a custom 'Access Denied' page or disable controls for read only access based on the user role in VB.Net.
I was planning to write some functions like:
Public Sub SetUserAccess(ByRef wPage As Page)
    Dim userRole As String = GetRole()
    Select Case userRole
        Case "Admin"
            Exit Sub 'admin has access to everything
        Case "Role3"
            If IsFinancePage(wPage) Or IsAdminPage(wPage) Then
                Response.Redirect("AccessDenied.aspx")
            End If
        Case "Role1", "Role2"
            DisablePageControls(wPage) 'iterate thru the page controls and disable for read only
        Case Else
            Response.Redirect("Login.aspx") 'redirect to login page if can't determine user role
    End Select
End Sub
Is this a good approach given that the app's owner doesn't want major changes to the app structure?
Where would be the best place to call this function from?
What's the best way to keep track of Finance or Admin related pages? Most of the files related to Finance include the words 'Finance' or 'Accounts' so is there a way to use this rather than list each aspx file separately?
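Here is an added example (not the poster's code) of the centralized check sketched above, written as a shared VB.NET module that a single master page can call so every content page, detail pages included, is covered. It assumes the ASP.NET role provider (User.IsInRole), the role names Admin/Role1/Role2/Role3, placeholder page names Login.aspx and AccessDenied.aspx, and that the master page calls EnforceAccess from its Page_Init, which fires before any content page's Page_Load.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Shared module (e.g. in App_Code) so every page gets the same check.
Public Module AccessControl
    ' Name fragments used to classify pages; adjust to the app's own file names.
    Private ReadOnly FinanceMarkers As String() = {"finance", "accounts"}
    Private ReadOnly AdminMarkers As String() = {"admin"}

    Private Function PageNameContains(wPage As Page, markers As String()) As Boolean
        Dim name As String = System.IO.Path.GetFileName(wPage.Request.Path).ToLowerInvariant()
        For Each m As String In markers
            If name.Contains(m) Then Return True
        Next
        Return False
    End Function

    ' Call from the master page's Page_Init so it runs before any content page's Page_Load.
    Public Sub EnforceAccess(wPage As Page)
        Dim user As IPrincipal = wPage.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            wPage.Response.Redirect("~/Login.aspx", True) ' placeholder page name
        End If
        If user.IsInRole("Admin") Then Exit Sub ' admin sees everything

        Dim financePage As Boolean = PageNameContains(wPage, FinanceMarkers)
        Dim adminPage As Boolean = PageNameContains(wPage, AdminMarkers)
        ' Admin pages are off limits to Role1-3; finance pages are allowed only for Role2.
        If adminPage OrElse (financePage AndAlso Not user.IsInRole("Role2")) Then
            wPage.Response.Redirect("~/AccessDenied.aspx", True) ' placeholder page name
        End If

        ' Role1 and Role2 are read only. Disabling is deferred to PreRender so
        ' controls created by data binding in Page_Load are included too.
        If Not user.IsInRole("Role3") Then
            AddHandler wPage.PreRender, AddressOf DisableOnPreRender
        End If
    End Sub

    Private Sub DisableOnPreRender(sender As Object, e As EventArgs)
        DisableControls(CType(sender, Page))
    End Sub

    ' Walk the whole control tree; WebControl covers TextBox, Button, DropDownList, GridView, etc.
    Private Sub DisableControls(parent As Control)
        For Each c As Control In parent.Controls
            Dim wc As WebControl = TryCast(c, WebControl)
            If wc IsNot Nothing Then wc.Enabled = False
            If c.HasControls() Then DisableControls(c)
        Next
    End Sub
End Module
```

Matching on file name fragments is only as reliable as the naming convention, so pages that do not follow it still need an explicit entry in the marker lists.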