asp.net menu security-trimming

Roles-based menu does not work, what am I doing wrong?


I can't figure this one out.

Yet, when the page is rendered, I see the Get account node that is supposed to be trimmed when I'm not even logged in, no matter what.

I'm using ASP.NET 4.0, and URL rewriting with an HttpModule.


Solution

  • In reading http://forums.asp.net/t/975077.aspx/1 I found out that this is exactly what is happening to me.

    If the node doesn't have a URL it behaves fine, but if it does, like all of my nodes do, security trimming is just ignored.

    I resolved my problem by resorting to a more intuitive role based site map implementation, to say:

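    using System.Linq;
    using System.Web;
    using System.Web.Security;

    public class TrimmingXmlSiteMapProvider : XmlSiteMapProvider
    {
        public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
        {
            // An asterisk among the node's roles makes it visible to everyone.
            if (node.Roles.Cast<string>().Any(r => r == "*"))
                return true;

            // Roles are listed but the current user is in none of them: hide the node.
            if (node.Roles.Count > 0 && node.Roles.Cast<string>().Count(Roles.IsUserInRole) == 0)
                return false;

            // Otherwise inherit the parent's decision. A node with no parent
            // (the root) is hidden unless it carries the asterisk.
            return node.ParentNode != null && node.ParentNode.IsAccessibleToUser(context);
        }
    }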
    

    Then, the only change I had to make was add an asterisk to the root level's role definition.

    How does this work?

    First I check if any of the roles defined for this node is an asterisk; if that's the case, then I can see the node.

    Second, if the node isn't everyone-level, I check if there are any roles specified, and if the logged-in user is part of at least one of them.

    Lastly, I check if there is a parent node, and just inherit their rule.

    This allows the security trimming to actually be "SECURITY TRIMMING" and not, well, however the heck it's supposed to be working by default.
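
A sketch of the configuration the answer above implies, added here as an example and not part of the original post: the provider registration in web.config and a site map whose root carries the asterisk. The `MyApp` namespace and assembly, the `Member` role, and the page URLs are assumptions made for illustration.

```xml
<!-- web.config (fragment): register the custom provider from the answer -->
<system.web>
  <!-- Roles.IsUserInRole requires the role manager to be enabled -->
  <roleManager enabled="true" />
  <siteMap defaultProvider="TrimmingXmlSiteMapProvider" enabled="true">
    <providers>
      <clear />
      <!-- "MyApp" is a placeholder namespace and assembly name -->
      <add name="TrimmingXmlSiteMapProvider"
           type="MyApp.TrimmingXmlSiteMapProvider, MyApp"
           siteMapFile="Web.sitemap"
           securityTrimmingEnabled="true" />
    </providers>
  </siteMap>
</system.web>

<!-- Web.sitemap (separate file): constructed sample nodes -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <!-- Root lists "*", so the first check in IsAccessibleToUser returns true -->
  <siteMapNode url="~/Default.aspx" title="Home" roles="*">
    <!-- No roles attribute: falls through to the parent's decision (visible) -->
    <siteMapNode url="~/About.aspx" title="About" />
    <!-- Roles listed: visible only to users in the assumed "Member" role,
         so anonymous visitors no longer see it even though it has a URL -->
    <siteMapNode url="~/Account/Get.aspx" title="Get account" roles="Member" />
  </siteMapNode>
</siteMap>
```

Trimming only decides which nodes the menu renders; the pages behind those URLs still need their own authorization rules.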