• Status: Solved
  • Priority: Medium
  • Security: Public

Sitemap based menu: Permissions not working properly (ASP.Net)

We have the following sitemap file:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="" title="Home" description="Home" roles="*" >
    <siteMapNode url="~/Inicio.aspx" title="Inicio" description="Inicio" roles="*" />
    <siteMapNode url="" title="Manutenção" description="Manutenção" roles="Tabelas Auxiliares - Consultar">
      <siteMapNode url="~/Manutencao/GuiaPosicionamento.aspx" title="Guia de Posicionamento" description="Guia de Posicionamento" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/CustoMO.aspx" title="Custo de Mão de Obra" description="Custo de Mão de Obra" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Vendas.aspx" title="Vendas" description="Vendas" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Projeccoes.aspx" title="Projecções" description="Projecções" roles="Tabelas Auxiliares - Consultar" />
    </siteMapNode>
    <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Cadastro - Consultar">
      <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Cadastro - Consultar">
        <siteMapNode url="~/Cadastro/FichaAdmissao.aspx" title="Ficha Admissão" description="Ficha Admissão" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Cadastro/FichaIndividual.aspx" title="Ficha Individual" description="Ficha Individual" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Cadastro/FichaCadastro.aspx" title="Ficha Cadastro" description="Ficha Cadastro" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Cadastro/FichaValidacao.aspx" title="Ficha Validação" description="Ficha Validação" roles="SGP" />
      </siteMapNode>
      <siteMapNode title="Disponibilidades" description="Disponibilidades" url="~/Horario/Disponibilidades.aspx" roles="Disponibilidades &amp; Indisponibilidades - Consultar" />
      <siteMapNode title="Ausências Previstas" description="Ausências Previstas" url="~/Horario/Indisponibilidades.aspx" roles="Disponibilidades &amp; Indisponibilidades - Consultar" />
      <siteMapNode title="Absentismo" description="Absentismo" url="~/Picagens/Absentismo.aspx" roles="Absentismo &amp; Banco de Horas - Consultar" />
      <siteMapNode title="Banco de Horas" description="Banco de Horas" url="~/Picagens/BancoHoras.aspx" roles="Absentismo &amp; Banco de Horas - Consultar" />
      <siteMapNode title="Formação" description="Formação" roles="Formação &amp; Medicina do Trabalho - Consultar" />
      <siteMapNode title="Medicina do Trabalho" description="Medicina do Trabalho" roles="Formação &amp; Medicina do Trabalho - Consultar" />
      <siteMapNode title="Sanções &amp; Louvores" description="Sanções &amp; Louvores" roles="SGP; Franqueado; Supervisor de Operações" />
    </siteMapNode>
    <siteMapNode url="" title="Horários" description="Horários" roles="Horários - Consultar">
      <siteMapNode url="~/Horario/PrevisaoMO.aspx" title="Previsão MO" description="Previsão MO" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/Planificacao.aspx" title="Planificação" description="Planificação" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/HorarioSemanal.aspx" title="Horário Semanal" description="Horário Semanal" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/HorarioACT.aspx" title="Horário ACT" description="Horário ACT" roles="Horários - Consultar" />
      <siteMapNode url="~/Horario/AnaliseDesvios.aspx" title="Análise de Desvios" description="Análise de Desvios" roles="Horários - Consultar" />
      <siteMapNode url="~/Picagens/Picagem.aspx" title="Picagem" description="Picagem" roles="Horários - Consultar" />
      <siteMapNode url="~/Picagens/CorreccaoDesvios.aspx" title="Correcção de Desvios" description="Correcção de Desvios" roles="Horários - Consultar" />
    </siteMapNode>
    <siteMapNode url="" title="Gestão" description="Management" roles="SGP; Franqueado; Supervisor de Operações">
      <siteMapNode url="~/Management/CreateUser.aspx" title="Criar Utilizador" description="Criar Utilizador" roles="SGP; Franqueado; Supervisor de Operações" />
      <siteMapNode url="~/Management/ManageUsers.aspx" title="Gerir Utilizadores" description="Gerir Utilizadores" roles="SGP; Franqueado; Supervisor de Operações" />
      <siteMapNode url="~/Management/ManageRoles.aspx" title="Gerir Funções" description="Gerir Funções" roles="SGP" />
      <siteMapNode title="Intervalos Horários" description="Intervalos Horários" url="~/Management/IntervalosHoras.aspx" roles="SGP" />
    </siteMapNode>
    <siteMapNode url="" title="Listagens" description="Listagens" roles="SGP">
      <siteMapNode url="~/Listagens/Audit.aspx" title="Audit" description="Audit" roles="SGP" />
    </siteMapNode>
    <siteMapNode url="~/CopyofInicio.aspx" title="About" description="About" roles="SGP" />
  </siteMapNode>
</siteMap>


to which we apply a Menu control via a SiteMapDataSource. However, it doesn't work as it should. For example, the first and last (the ones that have no child menus) are always shown. Also, if you can see the parent menu, you can always see the child menus.

Now, I know we can block their access through the web.config. That isn't our intention (especially because they can't access the page anyway. It checks for roles at page load from code-behind). What we want is for users that have fewer permissions to not even see the menu options that aren't available to them.

We've tried many variations, but so far, we can't get one to work the way we want to.
If necessary, some solution based on code-behind (we're using VB.Net) that would involve creating the menu at login would be acceptable (though a working sitemap+menu would be preferable).
Asked:
Cluskitt
 
richard_hughes Commented:
Hello Cluskitt

Here is an Experts-Exchange article which may be able to answer your question:

http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/A_5261-Control-Visible-Menus-with-web-sitemap.html

Thanks,

Richard Hughes
 
Cluskitt (Author) Commented:
I'm not quite sure how that would translate to our needs. Other than roles, I don't have a property for sitemap node that I can use to store roles, so I can later check them with code behind to add or remove menu items. And I certainly don't want to let the users select their menus.

The only thing I can take from that site is that I can use pure VB to add menu items dynamically after login event, which I didn't wish to do, if at all possible. I would rather have a working solution with similar behaviour. And I can't believe that there isn't anything like this on the web. I've seen lots of different sites use similar things. I find it hard to believe there isn't any simple solution for this.

From what I read, the above sitemap should be working fine, except that it isn't, for some reason. That is what I would like to fix, or at the very least, understand why it doesn't work properly.
 
Cluskitt (Author) Commented:
Any solution that is simple and allows different menus for different users based on their role would be good.
 
Vikram Singh Saini (Software Engineer cum AD Developer) Commented:
Hi,

You need to use a feature called SiteMap Security Trimming. The following links will help you achieve your objective:

1. ASP.NET Site-Map Security Trimming

2. ASP.NET Menu and SiteMap Security Trimming (plus a trick for when your menu and security don't match up)

3. Creating a role based ASP.NET menu
 
Cluskitt (Author) Commented:
I will look into these, will get back as soon as possible. Thanks in advance.
 
Cluskitt (Author) Commented:
Ok, I've had time to look into it. It didn't have anything really that could help me. I already have security trimming enabled. The problem is that mixed roles in the same menu won't work. For example, from the current file:
    <siteMapNode url="~/Inicio.aspx" title="Inicio" description="Inicio" roles="*" />
    <siteMapNode url="" title="Manutenção" description="Manutenção" roles="Tabelas Auxiliares - Consultar">
      <siteMapNode url="~/Manutencao/GuiaPosicionamento.aspx" title="Guia de Posicionamento" description="Guia de Posicionamento" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/CustoMO.aspx" title="Custo de Mão de Obra" description="Custo de Mão de Obra" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Vendas.aspx" title="Vendas" description="Vendas" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/VendasPicagem.aspx" title="Vendas - Recolha Automática" description="Vendas - Recolha Automática" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Projeccoes.aspx" title="Projecções" description="Projecções" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/HorariosFixos.aspx" title="Horários Fixos" description="Horários Fixos" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/Cursos.aspx" title="Cursos" description="Cursos" roles="Tabelas Auxiliares - Consultar" />
      <siteMapNode url="~/Manutencao/IntervalosHoras.aspx" title="Intervalos Horários" description="Intervalos Horários" roles="Tabelas Auxiliares - Consultar" />
    </siteMapNode>
    <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Formação E Medicina do Trabalho - Consultar, Banco de Horas - Consultar, Cadastro - Consultar, SGP, Horários E Disponibilidades Individuais - Consultar, Ausências Absentismo E Férias - Consultar">
      <siteMapNode url="" title="Funcionários" description="Funcionários" roles="Cadastro - Consultar, SGP">
        <siteMapNode url="~/Funcionarios/Cadastro/FichaAdmissao.aspx" title="Ficha Admissão" description="Ficha Admissão" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Funcionarios/Cadastro/FichaIndividual.aspx" title="Ficha Individual" description="Ficha Individual" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Funcionarios/Cadastro/FichaCadastro.aspx" title="Ficha Cadastro" description="Ficha Cadastro" roles="Cadastro - Consultar" />
        <siteMapNode url="~/Funcionarios/Cadastro/FichaValidacao.aspx" title="Ficha Validação" description="Ficha Validação" roles="SGP" />
      </siteMapNode>
      <siteMapNode url="~/Funcionarios/Disponibilidades.aspx" title="Disponibilidades" description="Disponibilidades" roles="Horários E Disponibilidades Individuais - Consultar" />
      <siteMapNode url="~/Funcionarios/AlteracoesHorario.aspx" title="Alteração de Horário" description="Alteração de Horário" roles="Horários E Disponibilidades Individuais - Consultar,Ausências Absentismo E Férias - Consultar" />
      <siteMapNode url="~/Funcionarios/BancoHoras.aspx" title="Banco de Horas" description="Banco de Horas" roles="Banco de Horas - Consultar" />
      <siteMapNode url="~/Funcionarios/Formacao.aspx" title="Formação" description="Formação" roles="Formação E Medicina do Trabalho - Consultar" />
      <siteMapNode url="~/Funcionarios/Medicina.aspx" title="Medicina do Trabalho" description="Medicina do Trabalho" roles="Formação E Medicina do Trabalho - Consultar" />
      <siteMapNode url="~/Funcionarios/Disciplina.aspx" title="Sanções E Louvores" description="Sanções E Louvores" roles="SGP" />
    </siteMapNode>


Everyone can see the first node (Início). Only those that have the role "Tabelas Auxiliares - Consultar" can see the second node. This, so far, is as it should be. But the problem happens in the third node. For example, someone that has the node "SGP" and none other, should only see "Funcionários" and the submenu "Ficha Validação", those being the only ones that have the "SGP" role requirement, along with the last one. Instead, what happens is that the user sees the whole menu. The code behind prevents the user from accessing it, but he can still see the menu. As long as he has one of the roles in any of the sub nodes, he can see the whole node structure. That's what we would like to fix.
 
Cluskitt (Author) Commented:
Ok, after a lot of trying and searching, I found an answer, but I had to use code-behind. I was trying to avoid it, but this is general enough that only changes to the sitemap need to be made each time:
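  ' Runs once for each menu item as the Menu binds to the SiteMapDataSource.
  Protected Sub MainMenu_MenuItemDataBound(sender As Object, e As System.Web.UI.WebControls.MenuEventArgs) Handles MainMenu.MenuItemDataBound
    ' Explicit cast so the handler also compiles with Option Strict On.
    Dim node As SiteMapNode = DirectCast(e.Item.DataItem, SiteMapNode)
    ' Keep the item if the node is open to everyone ("*") or the user holds any of its roles.
    For Each rl In node.Roles
      If rl.ToString = "*" OrElse HttpContext.Current.User.IsInRole(rl.ToString) Then
        Exit Sub
      End If
    Next
    ' No role matched: remove the item from its parent, or from the root collection.
    If e.Item.Parent IsNot Nothing Then
      e.Item.Parent.ChildItems.Remove(e.Item)
    Else
      MainMenu.Items.Remove(e.Item)
    End If
  End Sub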

 
Cluskitt (Author) Commented:
This does the job as required and was the only working solution I found.
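
Editor's added example (not part of the thread, and not any participant's code): with securityTrimmingEnabled, XmlSiteMapProvider shows a node when the user is in one of the node's roles or when URL and file authorization would let that user request the node's url, so the roles attribute only widens visibility; pages guarded solely in code-behind, as described in the thread, therefore stay visible in the menu. The web.config fragment below pairs trimming with location rules so the same rules both hide the menu item and refuse the request. The provider name "TrimmedSiteMap" and the file name "Web.sitemap" are assumptions; paths and role names are taken from the sitemap quoted in the thread.

```xml
<!-- Added example. "TrimmedSiteMap" and "Web.sitemap" are assumed names;
     paths and roles come from the sitemap posted in the thread. -->
<configuration>
  <system.web>
    <siteMap defaultProvider="TrimmedSiteMap" enabled="true">
      <providers>
        <add name="TrimmedSiteMap"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Single page: only SGP may request it, so trimming hides the
       "Ficha Validação" node from every other user. -->
  <location path="Funcionarios/Cadastro/FichaValidacao.aspx">
    <system.web>
      <authorization>
        <allow roles="SGP" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Whole folder: one rule covers every page under ~/Manutencao. -->
  <location path="Manutencao">
    <system.web>
      <authorization>
        <allow roles="Tabelas Auxiliares - Consultar" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authorization rules are evaluated top to bottom and the first match wins, so the allow element has to come before the catch-all deny.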