
Organizing per-operation user permissions in an ASP.NET application

In many multi-user web applications it is necessary to differentiate users' rights to operations. For example, all operations are available to the system administrator, while an ordinary user gets only some of them: they cannot delete or edit records, and so on.

From the point of view of a user of the web application, an operation is represented by a control (a button, a link) with which that operation is started, i.e. the corresponding function of the lower layer (DAL - DB) is called. Therefore, to differentiate user rights to operations, in the simplest case it is sufficient to differentiate rights to the controls.


For this, a suitable structure can be organized in the database according to the needs of the application. When a user logs in, the information about the operations forbidden to him (or allowed, if that is more convenient) is read from this structure into the NotAccessOperations collection of his UserProfile:

using System.Collections;

public class UserProfile
{
    // ... other profile members (name, id, roles, ...)

    // Keys are the IdGroup values of the operations forbidden to this user.
    // Hashtable.Contains checks keys, so the stored value does not matter.
    Hashtable notAccessOperations = new Hashtable();

    public Hashtable NotAccessOperations
    {
        get { return notAccessOperations; }
    }
}
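As an added example (not code from the article), this is one way the profile could be filled at login. The table UserForbiddenOperations(UserId, IdGroup), the ProfileLoader class and the connection string are assumptions; the point is that the list is built on the server from the database and stored in the session, and that the lookup is parameterized so the user id never becomes part of the SQL text:

```csharp
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Assumed table (not from the article):
//   UserForbiddenOperations(UserId int, IdGroup nvarchar(64))
// One row per operation group the user is NOT allowed to run.
public class UserProfile
{
    private readonly Hashtable notAccessOperations = new Hashtable();

    public int UserId { get; private set; }
    public string UserName { get; private set; }

    // Keys are IdGroup values; the value is unused because
    // Hashtable.Contains tests keys only.
    public Hashtable NotAccessOperations
    {
        get { return notAccessOperations; }
    }

    public UserProfile(int userId, string userName)
    {
        UserId = userId;
        UserName = userName;
    }

    // Reads the forbidden operation groups for this user from the database.
    public void LoadNotAccessOperations(string connectionString)
    {
        notAccessOperations.Clear();
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT IdGroup FROM UserForbiddenOperations WHERE UserId = @UserId";
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = UserId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    if (reader.IsDBNull(0)) continue;
                    string idGroup = reader.GetString(0);
                    if (!notAccessOperations.ContainsKey(idGroup))
                        notAccessOperations.Add(idGroup, true);
                }
            }
        }
    }
}

// Called once after the user has been authenticated (for example from the
// login page's handler). The profile is built server-side and kept in
// Session, so the client never supplies its own permission list.
public static class ProfileLoader
{
    public static UserProfile LoadIntoSession(int userId, string userName,
                                              string connectionString)
    {
        UserProfile profile = new UserProfile(userId, userName);
        profile.LoadNotAccessOperations(connectionString);
        HttpContext.Current.Session["UserProfile"] = profile;
        return profile;
    }
}
```

The profile is reloaded only on login, so a change of permissions in the database takes effect at the user's next session; if that is not acceptable, call LoadNotAccessOperations again at the point where permissions are changed.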


Let the controls that should be selectively available to users depending on their rights implement the IAccessControl interface, which describes the properties corresponding to the chosen structure of user access to operations:

public interface IAccessControl
{
    // ... other members

    // Identifies the operation (group of operations) this control starts;
    // matched against UserProfile.NotAccessOperations.
    string IdGroup { get; set; }

    // ...
}


It is desirable that the accessibility check of all IAccessControl controls for the current user is carried out in one place and in a uniform way, for example moved to a separate class:

using System;
using System.Web;
using System.Web.UI.WebControls;

public static class UserAccessController
{
    // ...

    public static void ResolveUserAccess(WebControl ctrl)
    {
        IAccessControl accessCtrl = ctrl as IAccessControl;
        if (accessCtrl == null)
            return;

        // No profile in the session (not logged in, session expired):
        // treat as "no access" rather than throwing a NullReferenceException.
        UserProfile profile = HttpContext.Current.Session["UserProfile"] as UserProfile;

        // Hide the control if its operation is in the user's forbidden list.
        if (profile == null || profile.NotAccessOperations.Contains(accessCtrl.IdGroup))
        {
            ctrl.Visible = false;
        }

        // ...
    }

    // ...
}


An implementation of an IAccessControl control can look, for example, like this:

using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public class SomeCommandButton : CompositeControl, IAccessControl
{
    // ...

    // Stored in ViewState so the value set in markup is available
    // on every request.
    public string IdGroup
    {
        set { ViewState["IdGroup"] = value; }
        get
        {
            object o = ViewState["IdGroup"];
            return (o != null) ? (string)o : "";
        }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Decide visibility once, early in the page life cycle.
        UserAccessController.ResolveUserAccess(this);
    }

    // ...
}
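Hiding the control only decides what the user sees; the operation itself still has to be authorized where it executes, because a postback that names the control can be sent without the button ever being rendered. As an added example (not the article's code), the following control applies the same NotAccessOperations lookup twice: once in OnInit to hide itself, and once in its click handler before the DAL is called. The names DeleteRecordButton, IsAllowed and the Execute event are assumptions; UserProfile is reduced to the part the article shows.

```csharp
using System;
using System.Collections;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class UserProfile
{
    Hashtable notAccessOperations = new Hashtable();
    public Hashtable NotAccessOperations { get { return notAccessOperations; } }
}

public interface IAccessControl
{
    string IdGroup { get; set; }
}

public static class UserAccessController
{
    // Single decision point: true only when a logged-in profile exists and
    // the operation group is not in its forbidden list. A missing profile
    // is "no access", never "everything allowed".
    public static bool IsAllowed(string idGroup)
    {
        UserProfile profile = HttpContext.Current.Session["UserProfile"] as UserProfile;
        if (profile == null || string.IsNullOrEmpty(idGroup))
            return false;
        return !profile.NotAccessOperations.Contains(idGroup);
    }

    // UI side: hide the control, as in the article.
    public static void ResolveUserAccess(WebControl ctrl)
    {
        IAccessControl accessCtrl = ctrl as IAccessControl;
        if (accessCtrl != null && !IsAllowed(accessCtrl.IdGroup))
            ctrl.Visible = false;
    }
}

// Hypothetical command control: hides itself for forbidden users and
// additionally refuses to run the operation on the server.
public class DeleteRecordButton : CompositeControl, IAccessControl
{
    private Button button;

    public string IdGroup
    {
        set { ViewState["IdGroup"] = value; }
        get
        {
            object o = ViewState["IdGroup"];
            return (o != null) ? (string)o : "";
        }
    }

    // Raised only after the server-side check has passed; the page
    // subscribes to it and calls the DAL from there.
    public event EventHandler Execute;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        UserAccessController.ResolveUserAccess(this);
    }

    protected override void CreateChildControls()
    {
        Controls.Clear();
        button = new Button();
        button.ID = "btn";
        button.Text = "Delete";
        button.Click += OnButtonClick;
        Controls.Add(button);
    }

    private void OnButtonClick(object sender, EventArgs e)
    {
        // Visible = false only removes the markup. Re-check here so that
        // the operation cannot run for a user whose profile forbids it,
        // whatever the client sent.
        if (!UserAccessController.IsAllowed(IdGroup))
            throw new HttpException(403, "Operation '" + IdGroup + "' is not permitted for this user.");

        if (Execute != null)
            Execute(this, EventArgs.Empty);
    }
}
```

With this arrangement ResolveUserAccess and the click handler share one predicate, so the list of forbidden operations is consulted in exactly one way; the 403 response is also a convenient thing to log, since a forbidden operation being requested by a user who never saw the button is worth noticing.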

Source: https://habr.com/ru/post/73238/
