// Obtains the action path for a custom or standard view.
// Note the following:
// a) You must define the related custom view (template) in the
//    DynamicData/PageTemplates folder.
// b) You must also define the route in the Global.asax file.
// c) You must apply the SecurityAttribute to the tables you
//    want to display.
// Inline syntax:
// NavigateUrl='<%# ((MetaTable)Page.GetDataItem()).GetActionPath(
//    "AnonymousList") %>'>
//
// Parameters:
//   view - the name of the limited (custom) view used for callers
//          who are neither administrators nor in an authenticated
//          role.
// Returns:
//   The action path for PageAction.List when the caller is an
//   administrator or in an authenticated role; otherwise the action
//   path for the supplied view.
protected string GetActionPath(string view)
{
    // Instantiate the SecurityInformation utility object.
    DynamicDataSecurity secInfo = new DynamicDataSecurity();

    // Administrators and authenticated users get the standard
    // List action; everyone else is routed to the limited view
    // whose route is defined in Global.asax.
    bool fullAccess = secInfo.IsUserInAdmimistrativeRole()
                      || secInfo.IsUserInAuthenticatedRole();

    // The item bound to the current row is the table metadata.
    MetaTable table = (MetaTable)Page.GetDataItem();

    string actionPath;
    if (fullAccess)
    {
        actionPath = table.GetActionPath(PageAction.List);
    }
    else
    {
        actionPath = table.GetActionPath(view);
    }

    return actionPath;
}
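// Enable the delete button only for allowed users.
//
// This is a presentation-level convenience: it hides and disables
// the row's Delete link for users who are not administrators. It is
// not a security boundary on its own; the delete action must also be
// gated where the route handler is created.
//
// Parameters:
//   row - the grid row whose first cell holds the command buttons.
private void SetDelete(TableRow row)
{
    // Instantiate the SecurityInformation utility object.
    DynamicDataSecurity secInfo = new DynamicDataSecurity();

    // Deny delete capability to every user who is not an
    // administrator. The decision does not depend on the row, so it
    // is evaluated once rather than once per control.
    //
    // NOTE: the earlier condition also required the user to be in an
    // authenticated role, which left the Delete link visible and
    // enabled for unauthenticated callers, contradicting the stated
    // intent ("deny delete to users that are not administrators").
    bool denyDelete = !secInfo.IsUserInAdmimistrativeRole();
    if (!denyDelete)
    {
        return;
    }

    foreach (Control c in row.Cells[0].Controls)
    {
        // Only the Delete command button is affected; other
        // controls in the cell are left untouched.
        LinkButton btn = c as LinkButton;
        if (btn != null
            && btn.CommandName == DataControlCommands.DeleteCommandName)
        {
            // Hide it, drop any client-side handler, and disable it
            // so a postback cannot be triggered from this control.
            btn.Visible = false;
            btn.OnClientClick = null;
            btn.Enabled = false;
        }
    }
}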
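/// <summary>
/// Determines access to tables based on ASP.NET authentication
/// and the security attributes applied to the tables in the
/// data model.
/// </summary>
/// <param name="route">The route used by ASP.NET Dynamic Data.
/// This is in the format {table}/{action}.aspx and is defined in
/// Global.asax.</param>
/// <param name="table">The metadata that describes a table for use
/// by Dynamic Data pages.</param>
/// <param name="action">The action requested for the table from
/// the route.</param>
/// <returns>The handler produced by the base route handler when the
/// current user is allowed to perform <paramref name="action"/>
/// (or, for roles with limited access, the action named by the
/// matching <see cref="SecurityAttribute"/>); otherwise
/// <c>null</c>, which denies access.</returns>
public IHttpHandler CreateHandler2(
    DynamicDataRoute route, MetaTable table, string action)
{
    // Store the ASP.NET authenticated roles.
    string[] roles = Roles.GetAllRoles();

    // Obtain the roles that have administrative access rights.
    Attribute[] adminRoles =
        Attribute.GetCustomAttributes(typeof(AdminRoles));

    // Obtain the roles that have limited access rights.
    Attribute[] anonymousRoles =
        Attribute.GetCustomAttributes(typeof(AnonymousRoles));

    // Instantiate the SecurityInformation utility object.
    DynamicDataSecurity secInfo = new DynamicDataSecurity();

    // ---- Administrative access --------------------------------
    // These checks do not depend on any individual role, so they
    // run once, ahead of the per-role loop. (They previously sat
    // inside that loop: repeated for every role, and skipped
    // entirely when Roles.GetAllRoles() returned no roles, which
    // would have pushed administrators down to the limited-access
    // path.)

    // An authenticated administrator whose AdminRoles attribute
    // grants "All" gets complete access.
    foreach (SecurityAttribute admin in adminRoles.OfType<SecurityAttribute>())
    {
        if (Roles.IsUserInRole(admin.Role) && admin.Action == "All")
        {
            return base.CreateHandler(route, table, action);
        }
    }

    // An administrator as reported by the utility object also gets
    // complete access.
    if (secInfo.IsUserInAdmimistrativeRole())
    {
        return base.CreateHandler(route, table, action);
    }

    // ---- Role-based access ------------------------------------
    // For each role the user belongs to, allow exactly the actions
    // that a SecurityAttribute on the table grants to that role.
    foreach (string role in roles)
    {
        if (!Roles.IsUserInRole(role))
        {
            continue;
        }

        foreach (SecurityAttribute attribute in table.Attributes.OfType<SecurityAttribute>())
        {
            if (attribute.Role == role && attribute.Action == action)
            {
                return base.CreateHandler(route, table, action);
            }
        }
    }

    // ---- Limited (anonymous) access ---------------------------
    // Allow access to tables marked with a role that has limited
    // access, substituting the action the attribute specifies for
    // the requested one. This branch deliberately performs no
    // Roles.IsUserInRole check, so it applies to any caller,
    // including unauthenticated ones; it is what lets the
    // scaffolded list on Default.aspx show anything to anonymous
    // users.
    foreach (SecurityAttribute anonymous in anonymousRoles.OfType<SecurityAttribute>())
    {
        foreach (SecurityAttribute entityRole in table.Attributes.OfType<SecurityAttribute>())
        {
            if (entityRole.Role == anonymous.Role)
            {
                return base.CreateHandler(route, table, anonymous.Action);
            }
        }
    }

    // No matching role and no attribute: access is denied.
    return null;
}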