Re: What is the best approach?
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 Dec 2005 09:20:14 -0800
hi,
what's the point of "everyone" or "authenticated users" in Windows??
Management is clearer - when you have a subdir where only registered users have access you can allow the "user" role - maybe you also have "premium users" and maybe also other roles - is it easier to make the distinction between users by looking at their role membership - or do you rather like to look at users with roles and users without roles...
well that's a matter of taste.
I don't think it is unusual to put users into a standard role after registration.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
If you add someone automatically to a role upon registration then I almost don't even see a need for a role. If everybody gets it there is no need to deny access to it. So that part of the application would have no authority checking at all. Almost like creating and maintaining a role called "Every Single User". If everybody gets that role, what is the point of having the role?
This may be my ignorance. Feel free to bust me wide open.
Patrick
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:4580be63174a028c7d49216d03feb@xxxxxxxxxxxxxxxxxxxxx
Hello Andrew,
why not add them to a role programmatically upon registration?
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
That is not good to us:
After a user (a Junior) registered in my website, he/she should be able to access all pages, except pages for Senior members, right away.
He/she can not wait for us to manually add them into a role, because we may not check new members for days.
Any other automatic ways? Thanks...
"Dominick Baier [DevelopMentor]" wrote:
Hello Andrew,
right
also read this: http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
<configuration>
  <system.web>
    <authorization>
      <!-- rules are evaluated top to bottom; the first match wins -->
      <allow roles="Admins"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
this requires me to "manually" add each new registered member into a predefined role, say "Junior", "Senior", right?
"Dominick Baier [DevelopMentor]" wrote:
Hello Andrew,
have a look at the <authorization> element in web.config.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Hello, friends,
I implemented Forms Authentication in my asp.net app, it worked fine. However, now I have another problem:
Although a user can be authenticated, he/she may still not be allowed to view certain pages and folders. For example, a junior member can not view pages for senior members, although he/she can log into the web site. What is the best approach to do this?
Any reference papers, sample code? Thanks.
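Added example, not part of the original thread and not ASP.NET's own code: a simplified Python model of how URL authorization applies the <authorization> rules discussed above, top to bottom with the first matching rule deciding. The web.config text, the "Senior" folder, the page names and the user names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config: everyone must log in; the (hypothetical) Senior/
# folder is limited to the "Senior" role. Role names follow the thread.
GOOD = """<configuration>
  <system.web><authorization>
    <deny users="?"/>
  </authorization></system.web>
  <location path="Senior"><system.web><authorization>
    <allow roles="Senior"/>
    <deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

# Same Senior/ rules in the wrong order: deny * now matches first.
MISORDERED = GOOD.replace('<allow roles="Senior"/>\n    <deny users="*"/>',
                          '<deny users="*"/>\n    <allow roles="Senior"/>')

def _csv(value):
    """Split a comma-separated users/roles attribute into a set."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def rules_for(config_xml, path):
    """Rules that apply to path: matching <location> first, then site-wide."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    scopes = [loc for loc in root.findall("location")
              if path.startswith(loc.get("path", "").strip("/").lower() + "/")]
    scopes.append(root)
    rules = [(r.tag, _csv(r.get("users")), _csv(r.get("roles")))
             for scope in scopes
             for r in scope.findall("system.web/authorization/*")]
    return rules + [("allow", {"*"}, set())]  # default when nothing matched

def is_allowed(config_xml, path, user=None, roles=()):
    """First matching rule decides. user=None models an anonymous request."""
    for verb, users, rule_roles in rules_for(config_xml, path):
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user in users)
                or rule_roles & set(roles)):
            return verb == "allow"
    return False  # not reached: the default rule matches everyone

if __name__ == "__main__":
    for who, roles in [(None, ()), ("jane", ("Junior",)), ("sam", ("Senior",))]:
        for page in ("Default.aspx", "Senior/Report.aspx"):
            print(who, page, is_allowed(GOOD, page, who, roles),
                  is_allowed(MISORDERED, page, who, roles))
```

With the rules in the GOOD order, a member placed in the Junior role at registration reaches every page except those under Senior/; in the MISORDERED variant even Senior members are locked out of that folder.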