Cluskitt asked:

Sitemap based menu: Permissions not working properly (ASP.Net)

We have the following sitemap file:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="" title="Home" description="Home" roles="*" >
    <siteMapNode url="~/Inicio.aspx" title="Inicio" description="Inicio" roles="*" />
    <siteMapNode url="" title="Manutenção" description="Manutenção" roles="Tabelas Auxiliares - Consultar">
      <siteMapNode url="~/Manutencao/GuiaPosicionamento.aspx" title="Guia de Posicionamento" description="Guia de Posicionamento" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/CustoMO.aspx" title="Custo de Mão de Obra" description="Custo de Mão de Obra" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Vendas.aspx" title="Vendas" description="Vendas" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Projeccoes.aspx" title="Projecções" description="Projecções" roles="Tabelas Auxiliares - Consultar" />
    </siteMapNode>
    <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Cadastro - Consultar">
      <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Cadastro - Consultar">
        <siteMapNode url="~/Cadastro/FichaAdmissao.aspx" title="Ficha Admissão" description="Ficha Admissão" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Cadastro/FichaIndividual.aspx" title="Ficha Individual" description="Ficha Individual" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Cadastro/FichaCadastro.aspx" title="Ficha Cadastro" description="Ficha Cadastro" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Cadastro/FichaValidacao.aspx" title="Ficha Validação" description="Ficha Validação" roles="SGP" />
      </siteMapNode>
      <siteMapNode title="Disponibilidades" description="Disponibilidades" url="~/Horario/Disponibilidades.aspx" roles="Disponibilidades &amp; Indisponibilidades - Consultar" />
      <siteMapNode title="Ausências Previstas" description="Ausências Previstas" url="~/Horario/Indisponibilidades.aspx" roles="Disponibilidades &amp; Indisponibilidades - Consultar" />
      <siteMapNode title="Absentismo" description="Absentismo" url="~/Picagens/Absentismo.aspx" roles="Absentismo &amp; Banco de Horas - Consultar" />
      <siteMapNode title="Banco de Horas" description="Banco de Horas" url="~/Picagens/BancoHoras.aspx" roles="Absentismo &amp; Banco de Horas - Consultar" />
      <siteMapNode title="Formação" description="Formação" roles="Formação &amp; Medicina do Trabalho - Consultar" />
      <siteMapNode title="Medicina do Trabalho" description="Medicina do Trabalho" roles="Formação &amp; Medicina do Trabalho - Consultar" />
      <siteMapNode title="Sanções &amp; Louvores" description="Sanções &amp; Louvores" roles="SGP; Franqueado; Supervisor de Operações" />
    </siteMapNode>
    <siteMapNode url="" title="Horários" description="Horários" roles="Horários - Consultar">
      <siteMapNode url="~/Horario/PrevisaoMO.aspx" title="Previsão MO" description="Previsão MO" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/Planificacao.aspx" title="Planificação" description="Planificação" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/HorarioSemanal.aspx" title="Horário Semanal" description="Horário Semanal" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/HorarioACT.aspx" title="Horário ACT" description="Horário ACT" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/AnaliseDesvios.aspx" title="Análise de Desvios" description="Análise de Desvios" roles="Horários - Consultar" />
      <siteMapNode url="~/Picagens/Picagem.aspx" title="Picagem" description="Picagem" roles="Horários - Consultar" />
      <siteMapNode url="~/Picagens/CorreccaoDesvios.aspx" title="Correcção de Desvios" description="Correcção de Desvios" roles="Horários - Consultar" />
    </siteMapNode>
    <siteMapNode url="" title="Gestão" description="Management" roles="SGP; Franqueado; Supervisor de Operações">
      <siteMapNode url="~/Management/CreateUser.aspx" title="Criar Utilizador" description="Criar Utilizador" roles="SGP; Franqueado; Supervisor de Operações" />
      <siteMapNode url="~/Management/ManageUsers.aspx" title="Gerir Utilizadores" description="Gerir Utilizadores" roles="SGP; Franqueado; Supervisor de Operações" />
      <siteMapNode url="~/Management/ManageRoles.aspx" title="Gerir Funções" description="Gerir Funções" roles="SGP" />
      <siteMapNode title="Intervalos Horários" description="Intervalos Horários" url="~/Management/IntervalosHoras.aspx" roles="SGP" />
    </siteMapNode>
    <siteMapNode url="" title="Listagens" description="Listagens" roles="SGP">
      <siteMapNode url="~/Listagens/Audit.aspx" title="Audit" description="Audit" roles="SGP" />
    </siteMapNode>
    <siteMapNode url="~/CopyofInicio.aspx" title="About" description="About" roles="SGP" />
  </siteMapNode>
</siteMap>


to which we apply a Menu control via a SiteMapDataSource. However, it doesn't work as it should. For example, the first and last (the ones that have no child menus) are always shown. Also, if you can see the parent menu, you can always see the child menus.

Now, I know we can block their access through the web.config. That isn't our intention (especially because they can't access the page anyway. It checks for roles at page load from code-behind). What we want is for users that have fewer permissions to not even see the menu options that aren't available to them.

We've tried many variations, but so far, we can't get one to work the way we want to.
If necessary, some solution based on code-behind (we're using VB.Net) that would involve creating the menu at login would be acceptable (though a working sitemap+menu would be preferable).

richard_hughes

Hello Cluskitt

Here is an Experts-Exchange article which may be able to answer your question:

https://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/A_5261-Control-Visible-Menus-with-web-sitemap.html

Thanks,

Richard Hughes

Cluskitt (ASKER)

I'm not quite sure how that would translate to our needs. Other than roles, I don't have a property for sitemap node that I can use to store roles, so I can later check them with code behind to add or remove menu items. And I certainly don't want to let the users select their menus.

The only thing I can take from that site is that I can use pure VB to add menu items dynamically after login event, which I didn't wish to do, if at all possible. I would rather have a working solution with similar behaviour. And I can't believe that there isn't anything like this on the web. I've seen lots of different sites use similar things. I find it hard to believe there isn't any simple solution for this.

From what I read, the above sitemap should be working fine, except that it isn't, for some reason. That is what I would like to fix, or at the very least, understand why it doesn't work properly.
Any solution that is simple and allows different menus for different users based on their role would be good.

I will look into these, will get back as soon as possible. Thanks in advance.

Ok, I've had time to look into it. It didn't have anything really that could help me. I already have security trimming enabled. The problem is that mixed roles in the same menu won't work. For example, from the current file:

    <siteMapNode url="~/Inicio.aspx" title="Inicio" description="Inicio" roles="*" />
    <siteMapNode url="" title="Manutenção" description="Manutenção" roles="Tabelas Auxiliares - Consultar">
      <siteMapNode url="~/Manutencao/GuiaPosicionamento.aspx" title="Guia de Posicionamento" description="Guia de Posicionamento" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/CustoMO.aspx" title="Custo de Mão de Obra" description="Custo de Mão de Obra" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Vendas.aspx" title="Vendas" description="Vendas" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/VendasPicagem.aspx" title="Vendas - Recolha Automática" description="Vendas - Recolha Automática" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Projeccoes.aspx" title="Projecções" description="Projecções" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/HorariosFixos.aspx" title="Horários Fixos" description="Horários Fixos" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Cursos.aspx" title="Cursos" description="Cursos" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/IntervalosHoras.aspx" title="Intervalos Horários" description="Intervalos Horários" roles="Tabelas Auxiliares - Consultar" />
    </siteMapNode>
    <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Formação E Medicina do Trabalho - Consultar, Banco de Horas - Consultar, Cadastro - Consultar, SGP, Horários E Disponibilidades Individuais - Consultar, Ausências Absentismo E Férias - Consultar">
      <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Cadastro - Consultar, SGP">
        <siteMapNode url="~/Funcionarios/Cadastro/FichaAdmissao.aspx" title="Ficha Admissão" description="Ficha Admissão" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Funcionarios/Cadastro/FichaIndividual.aspx" title="Ficha Individual" description="Ficha Individual" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Funcionarios/Cadastro/FichaCadastro.aspx" title="Ficha Cadastro" description="Ficha Cadastro" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Funcionarios/Cadastro/FichaValidacao.aspx" title="Ficha Validação" description="Ficha Validação" roles="SGP" />
      </siteMapNode>
      <siteMapNode url="~/Funcionarios/Disponibilidades.aspx" title="Disponibilidades" description="Disponibilidades" roles="Horários E Disponibilidades Individuais - Consultar" />
      <siteMapNode url="~/Funcionarios/AlteracoesHorario.aspx" title="Alteração de Horário" description="Alteração de Horário" roles="Horários E Disponibilidades Individuais - Consultar,Ausências Absentismo E Férias - Consultar" />
      <siteMapNode url="~/Funcionarios/BancoHoras.aspx" title="Banco de Horas" description="Banco de Horas" roles="Banco de Horas - Consultar" />
      <siteMapNode url="~/Funcionarios/Formacao.aspx" title="Formação" description="Formação" roles="Formação E Medicina do Trabalho - Consultar" />
      <siteMapNode url="~/Funcionarios/Medicina.aspx" title="Medicina do Trabalho" description="Medicina do Trabalho" roles="Formação E Medicina do Trabalho - Consultar" />
      <siteMapNode url="~/Funcionarios/Disciplina.aspx" title="Sanções E Louvores" description="Sanções E Louvores" roles="SGP" />
    </siteMapNode>


Everyone can see the first node (Início). Only those that have the role "Tabelas Auxiliares - Consultar" can see the second node. This, so far, is as it should be. But the problem happens in the third node. For example, someone that has the node "SGP" and none other, should only see "Funcionários" and the submenu "Ficha Validação", those being the only ones that have the "SGP" role requirement, along with the last one. Instead, what happens is that the user sees the whole menu. The code behind prevents the user from accessing it, but he can still see the menu. As long as he has one of the roles in any of the sub nodes, he can see the whole node structure. That's what we would like to fix.

ASKER CERTIFIED SOLUTION
Cluskitt

This solution is only available to members.

This does the job as required and was the only working solution I found.
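
Added example, not part of the thread and not the members-only accepted solution: the built-in provider treats the `roles` attribute as an extra grant and, when no role matches, falls back to URL authorization on the node's page, so pages that are not restricted in web.config stay visible to everyone. One way to make the menu follow `roles` alone is a provider that overrides `IsAccessibleToUser`; the class name `StrictRoleSiteMapProvider` is hypothetical.

```vb
Imports System
Imports System.Web

' Added example: role-only security trimming for a Web.sitemap menu.
' StrictRoleSiteMapProvider is a hypothetical name, not from the thread.
Public Class StrictRoleSiteMapProvider
    Inherits XmlSiteMapProvider

    Public Overrides Function IsAccessibleToUser(ByVal context As HttpContext,
                                                 ByVal node As SiteMapNode) As Boolean
        If context Is Nothing Then Throw New ArgumentNullException("context")
        If node Is Nothing Then Throw New ArgumentNullException("node")

        ' Keep the stock behaviour when trimming is switched off in web.config.
        If Not SecurityTrimmingEnabled Then Return True

        ' Fail closed: a node without a roles attribute is hidden instead of
        ' falling through to URL/file authorization as the base class does.
        If node.Roles Is Nothing OrElse node.Roles.Count = 0 Then Return False

        For Each item As Object In node.Roles
            Dim role As String = CStr(item)

            ' "*" marks a node every visitor may see (Home and Inicio above).
            If role = "*" Then Return True

            ' Show the node only if the current principal holds a listed role.
            If context.User IsNot Nothing AndAlso context.User.IsInRole(role) Then
                Return True
            End If
        Next

        ' No listed role matched. Do NOT call MyBase.IsAccessibleToUser here:
        ' that is the fallback that shows every page web.config leaves open.
        Return False
    End Function
End Class
```

Register the class under `<siteMap><providers>` in web.config with `securityTrimmingEnabled="true"` and `siteMapFile` pointing at the sitemap. With the second sitemap above, a user holding only "SGP" is then offered Funcionários, its Funcionários submenu with Ficha Validação, and Sanções E Louvores; the code-behind role checks remain the actual access control.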