Serious help needed with beta 2.0 SiteMapProvider..

RCS

All,

OK, so I'm working on a template for our new ASP.NET applications. Part of
this, includes using the new menu and breadcrumbs control in ASP.NET 2.0
(I'm using beta 2).

I put the hierarchy of the applications and navigation in a database, and am
able to pull that into the app by inheriting StaticSiteMapProvider. So
that's set and works great.

So then I realize that it builds the sitemap at the application level, not
at the user level. So I've been looking into how to restrict the menu
items - based on security I will get from the database.

In my inherited class, I override IsAccessibleToUser - and that seems to
work for the breadcrumbs (because it doesn't show anything if I go to an
"invalid" page) - but it doesn't do anything to the menu (or the treeview
either, for that matter). I basically check a couple hard-coded "roles" to
the "roles" that are associated with the current node.

From what I've been piecing together, it looks like the menu will only trim
away the unwanted menu items if the provider has the
securityTrimmingEnabled="true" - but when I try to add that to the
<providers> section in web.config - I get a red-squiggly and a compiler
warning that it's invalid (where it used to be valid in old versions).

BOTTOM LINE:
I need to prune the menu hierarchy based on user permissions. One user may
only see literally one item and another user may see a few dozen - or at
least that's what I need to replicate.

How can I have the menu control (or the treeview) prune away the things that
the current user isn't supposed to see??
 
RedEye

Have you tried using the roles attribute in the site map file?

<siteMap>
  <siteMapNode title="Home" description="" url="default.aspx">
    <siteMapNode title="Announcements" url="Announcements.aspx"
        description="Information for all employees" roles="*" />
    <siteMapNode title="Salaries" url="Salaries.aspx"
        description="Salary data" roles="Managers,CEOs" />
  </siteMapNode>
</siteMap>

I hope this helps


RedEye
 
RCS

Well, I'm creating the sitemap on the fly - but yes, this is exactly what
I'm doing.

The problem comes in with telling this sitemap (and the menu or the
treeview) that the currently logged in user does not have access to that
"Salaries" node in your example below.

And the academic solution from Microsoft is to put the users in your
web.config and use an <authorization> section to allow/deny people. But I
have a few thousand dynamic users - so I need to programmatically validate
whether a user (and I know their roles) is supposed to see a particular node
item (which has a role associated).

*How* do I accomplish this?
 
Scott Allen

Hi RCS:

It's true, you must use securityTrimmingEnabled="true". This works
well.

Ignore the red squiggly line. Unfortunately, the validation in VS 2005
can only take into consideration the settings that are common to all
site map providers. The securityTrimmingEnabled attribute is a setting
specific to the Xml site map provider that ships with asp.net 2.0. It
works, even though the IDE doesn't know about it, the provider does.

It's just a case of the validation being a little overzealous.
 
RCS

Scott - thanks..

Even if I do do this, A) if I do this in my page_load:

Response.Write(this.SiteMapDataSource1.Provider.SecurityTrimmingEnabled.ToString());

(Assuming that SiteMapDataSource1 points to my custom SiteMapProvider) - it
returns false. Then, in my class, I do this, to overwrite the default
implementation:

public new bool SecurityTrimmingEnabled = true;

Still - same result. It's beginning to look like I need to inherit from
higher up the tree - like SiteMapProvider (instead of
StaticSiteMapProvider) - or XmlSiteMapProvider or ProviderBase

But even if I did - and managed to get that to work, I'm not sure it will
solve my problem. Because at this point, I'm almost convinced that MY
sitemapprovider truly doesn't support SecurityTrimmingEnabled - and I don't
know where to begin, to make it support it.


Lastly - I could've solved all of this last week, if I could just build a
sitemap on a per-user basis (instead of per-application). I could handle all
the security in the database and just return the valid menu items for this
user.

Any ideas on how to make a sitemapprovider (and more specifically - a
SiteMapDataSource) - able to be used on a per-user basis???? Thanks again!
 
Scott Allen

Hi Rcs:

You can always plug your own custom site map provider in, although
I've been using security trimming so that should work. It will build
the menu control such that the user only sees what they are allowed to
navigate to.

In the providers section, did you have a <remove> element in to make
sure it's not using the default configuration?
 
RCS

Hiya,

I'm already doing that - I inherited from StaticSiteMapProvider - and the
menu is populated correctly with ALL possible menu options (from a SQL
database) - including menu options inappropriate for some users.

Assuming my inherited class is named MySiteMapProvider - I have this in my
web.config:

<siteMap defaultProvider="MySiteMapProvider" enabled="true">
<providers>
<clear/>
<add name="MySiteMapProvider" securityTrimmingEnabled="true"
type="MySiteMapProvider"></add>
</providers>
</siteMap>

And again - my provider works perfectly. The problem is, I need to prune
back menu items (or nodes within the provider) so that the current user sees
the appropriate menu items.

I think I've hit the end of the Internet - I've scoured every resource I
know and I'm pretty much at a standstill.

thanks again!
 
Scott Allen

I know there is not a tremendous amount published yet in this area.
Best of luck.
 
Joined: Dec 6, 2006; Messages: 2; Reaction score: 0
it solved my problem, hope it helps.

public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
{
    if (node == null)
        throw new ArgumentNullException("node");

    if (context == null)
        throw new ArgumentNullException("context");

    // With trimming switched off, every node is visible.
    if (!this.SecurityTrimmingEnabled)
        return true;

    if ((node.Roles != null) && (node.Roles.Count > 0))
    {
        foreach (string role in node.Roles)
        {
            // Skip this role unless it is the "*" wildcard or the user is in it.
            if (!string.Equals(role, "*", StringComparison.InvariantCultureIgnoreCase) &&
                ((context.User == null) || !context.User.IsInRole(role)))
            {
                continue;
            }

            // First matching role makes the node visible.
            return true;
        }
    }

    // No roles on the node, or no match: hide the node.
    return false;
}
 
Joined: Oct 21, 2008; Messages: 1; Reaction score: 0
sobreiro, thanks, this solved my problem. Just registered to say that, cause it's been quite frustrating!

I have a custom sitemapprovider and a custom roleprovider and I could see that the framework was in fact using both -- I could see it call IsAccessibleToUser in my sitemapprovider, and then see my roleprovider would get hit. However, my assumption that using base.IsAccessibleToUser() in the sitemapprovider would actually COMPARE the roles returned from my roleprovider with the roles on the node parameter was apparently WRONG! :p (I could look at the results of GetRoles and node.Roles and they were both being set properly.) It simply returned true every time. After manually comparing the lists as you did, everything worked great. Thanks for posting this!
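
Added example, not part of any post in this thread and not the posters' code: a StaticSiteMapProvider subclass wired so that the securityTrimmingEnabled attribute from the web.config shown earlier takes effect, assuming the provider overrides Initialize. The class name is the one used in the thread's web.config; the two nodes and their keys are constructed sample data standing in for the database rows.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
// Class name from the thread's web.config; node data below is constructed sample data.
public class MySiteMapProvider : StaticSiteMapProvider
{
    private readonly object _sync = new object();
    private SiteMapNode _root;

    public override void Initialize(string name, NameValueCollection attributes)
    {
        // The base class reads securityTrimmingEnabled from the <add> attributes here.
        // The property has no setter, and a "new" field hiding it is ignored by the base class.
        base.Initialize(name, attributes);
    }

    public override SiteMapNode BuildSiteMap()
    {
        lock (_sync)   // one tree per application, shared by every user
        {
            if (_root != null) return _root;
            _root = Node("home", "~/default.aspx", "Home", "*");
            AddNode(_root);
            AddNode(Node("sal", "~/Salaries.aspx", "Salaries", "Managers", "CEOs"), _root);
            return _root;
        }
    }

    protected override SiteMapNode GetRootNodeCore() { return BuildSiteMap(); }

    // Evaluated per request and per node, so the shared tree is trimmed per user.
    public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (node == null) throw new ArgumentNullException("node");
        if (!SecurityTrimmingEnabled) return true;
        if (node.Roles == null) return false;   // no roles listed: hide the node
        foreach (string role in node.Roles)
            if (role == "*" || (context.User != null && context.User.IsInRole(role))) return true;
        return false;
    }

    // Hypothetical helper: builds a node whose Roles list drives the check above.
    private SiteMapNode Node(string key, string url, string title, params string[] roles)
    {
        return new SiteMapNode(this, key, url, title, null, roles, null, null, null);
    }
}
```

Trimming only removes links from the menu, tree view and breadcrumb; each page still needs its own authorization check on the server.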
 
Joined: Aug 11, 2009; Messages: 2; Reaction score: 0
What I am doing is almost the same, if we try using as many sitemaps as the type of users.

Hi,

What if we try using as many sitemaps as the type of users?
Ex. AdminMap.sitemap, Client.sitemap,
configure them in web.config,
then programmatically assign them?
(Avoid DB-oriented menu nodes; I mean static.)

Regards
Vivek
 
