Hi,

Yesterday, when I posted my questions, #1 looked like this:

if (node.Roles != null)
    foreach (string rolename in node.Roles)
        if (rolename == "*" || context.User.IsInRole (rolename))
            return true;

It was not returning false if there were roles defined for the node and there 
was no match for the user.

Marek updated the code and now it looks like this:

IList roles = node.Roles;
if (roles != null && roles.Count > 0) {
    foreach (string rolename in roles)
        if (rolename == "*" || context.User.IsInRole (rolename))
            return true;
    return false;
}

But, in the MSDN, it says that the method should return true if:
The Roles exists on node and the current user is in at least one of the 
specified roles.
- or -
The current thread has an associated WindowsIdentity that has file access to 
the requested URL and the URL is located within the directory structure for the 
application.
- or -
The current user is authorized specifically for the requested URL in the 
authorization element for the current application and the URL is located within 
the directory structure for the application.

In my opinion #1 should not return false at all. It should go and check for #2 
and/or #3. The update Marek made is working for the case where no url is 
defined for the node. But what happens if the node has an url, a role is 
defined for that node, the user is not in that role, but the user is 
specifically authorized for the requested url in the authorization element? It 
will return false, but it should return true...

I think the correct code should look something like this:

/* 1. */
IList roles = node.Roles;
if (roles != null && roles.Count > 0) {
    foreach (string rolename in roles)
        if (rolename == "*" || context.User.IsInRole (rolename))
            return true;
}

/* 2. */
/* XXX */

/* 3. */
string url = node.Url;
if (!String.IsNullOrEmpty (url)) {
    // TODO check url is located within the current application

    if (VirtualPathUtility.IsAppRelative (url) || !VirtualPathUtility.IsAbsolute (url))
        url = VirtualPathUtility.Combine (VirtualPathUtility.AppendTrailingSlash (HttpRuntime.AppDomainAppVirtualPath), url);

    AuthorizationSection config = (AuthorizationSection) WebConfigurationManager.GetSection ("system.web/authorization", url);
    if (config != null)
        return config.IsValidUser (context.User, context.Request.HttpMethod);
}

return false;

What do you think?

Thanks & best regards,
Dumi.
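To make the difference between the two versions of case #1 concrete, here is an added stand-alone example (not Mono's code and not the code from the mails above). It models the MSDN cases with hand-rolled stand-ins so it runs without System.Web: `SiteNode`, `UrlAuthorizer`, `ResolveWithinApp`, `IsAccessibleReturnFalse`, `IsAccessibleFallThrough` and the application path `/myapp/` are all assumptions of this demo; the `UrlAuthorizer` delegate stands in for `AuthorizationSection.IsValidUser`, and case #2 (the WindowsIdentity file-ACL check) is left out just as in the proposal. It also fills in the "url is located within the current application" TODO with a simple path normalisation that rejects `..` escapes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not Mono's or the mail's code. All type and method names are assumptions.
sealed class SiteNode
{
    public string Url;               // null/empty when the node has no url attribute
    public IList<string> Roles;      // null when the node has no roles attribute
}

// Stand-in for AuthorizationSection.IsValidUser(user, verb): true when the
// <authorization> rules that apply to `url` allow `user` for `verb`.
delegate bool UrlAuthorizer(string url, IPrincipal user, string verb);

static class SiteMapAccess
{
    const string AppPath = "/myapp/";   // assumed value of HttpRuntime.AppDomainAppVirtualPath

    // Resolve an app-relative ("~/x") or relative ("x") url against the application
    // root and confirm the normalised result still lies under the application.
    static string ResolveWithinApp(string url)
    {
        if (url.StartsWith("~/")) url = AppPath + url.Substring(2);
        else if (!url.StartsWith("/")) url = AppPath + url;
        var parts = new List<string>();
        foreach (string seg in url.Split('/'))
        {
            if (seg == "" || seg == ".") continue;
            if (seg == "..") { if (parts.Count > 0) parts.RemoveAt(parts.Count - 1); continue; }
            parts.Add(seg);
        }
        string normalized = "/" + string.Join("/", parts);
        return normalized.StartsWith(AppPath) ? normalized : null;
    }

    // Marek's version of case #1: returns false as soon as roles exist but none match.
    public static bool IsAccessibleReturnFalse(SiteNode node, IPrincipal user, UrlAuthorizer auth)
    {
        IList<string> roles = node.Roles;
        if (roles != null && roles.Count > 0)
        {
            foreach (string rolename in roles)
                if (rolename == "*" || user.IsInRole(rolename))
                    return true;
            return false;
        }
        return CheckUrl(node, user, auth);
    }

    // Proposed version of case #1: short-circuits only on success, otherwise falls through to case #3.
    public static bool IsAccessibleFallThrough(SiteNode node, IPrincipal user, UrlAuthorizer auth)
    {
        IList<string> roles = node.Roles;
        if (roles != null && roles.Count > 0)
        {
            foreach (string rolename in roles)
                if (rolename == "*" || user.IsInRole(rolename))
                    return true;
        }
        return CheckUrl(node, user, auth);
    }

    // Case #3: url-based <authorization> check. A node without a url has nothing left to authorize against.
    static bool CheckUrl(SiteNode node, IPrincipal user, UrlAuthorizer auth)
    {
        if (string.IsNullOrEmpty(node.Url)) return false;
        string url = ResolveWithinApp(node.Url);
        if (url == null) return false;                  // url points outside the application
        return auth(url, user, "GET");
    }
}

static class Program
{
    static void Main()
    {
        var admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Administrator" });
        var bob   = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);
        // Constructed <authorization> rules: only bob is allowed on /myapp/reports.aspx.
        UrlAuthorizer auth = (url, user, verb) => url == "/myapp/reports.aspx" && user.Identity.Name == "bob";

        var noUrlNoRoles = new SiteNode();
        var noUrlRoles   = new SiteNode { Roles = new[] { "Administrator" } };
        var reports      = new SiteNode { Url = "~/reports.aspx", Roles = new[] { "Administrator" } };
        var escaped      = new SiteNode { Url = "../other/reports.aspx" };

        Console.WriteLine("no url, no roles, bob:        " + SiteMapAccess.IsAccessibleFallThrough(noUrlNoRoles, bob, auth));
        Console.WriteLine("no url, Administrator, alice: " + SiteMapAccess.IsAccessibleFallThrough(noUrlRoles, admin, auth));
        Console.WriteLine("no url, Administrator, bob:   " + SiteMapAccess.IsAccessibleFallThrough(noUrlRoles, bob, auth));
        // The case raised in the mail: bob is not an Administrator but is authorized for the url.
        Console.WriteLine("reports, bob, return-false:   " + SiteMapAccess.IsAccessibleReturnFalse(reports, bob, auth));
        Console.WriteLine("reports, bob, fall-through:   " + SiteMapAccess.IsAccessibleFallThrough(reports, bob, auth));
        Console.WriteLine("escaped url, bob:             " + SiteMapAccess.IsAccessibleFallThrough(escaped, bob, auth));
    }
}
```

Run as a console program: the two nodes from the original web.sitemap come out as the mail describes (no url and no roles denies everyone; a `roles="Administrator"` node admits alice and denies bob), and the `reports` node shows the disagreement between the two versions of case #1: the early `return false` denies bob even though the url rules grant him access, while the fall-through version reaches case #3 and admits him. The `escaped` node shows why the "within the application" check matters: a url that normalises to a path outside the application root is denied before any `<authorization>` lookup is made.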

  ----- Original Message ----- 
  From: Konstantin Triger 
  To: Dumitru Ban ; [email protected] 
  Sent: Wednesday, May 30, 2007 9:11 AM
  Subject: RE: [Mono-dev] SiteMapProvider patch


  Hey Dumitru,

  The problem is probably in case #1:

  /* 1. */
  IList roles = node.Roles;
  if (roles != null && roles.Count > 0) {
      foreach (string rolename in roles)
          if (rolename == "*" || context.User.IsInRole (rolename))
              return true;
      return false;
  }

  Either the rolename is not parsed correctly or context.User.IsInRole 
  (rolename) works wrong. To check the latter, you may run 'context.User.IsInRole 
  ("Administrator")' within your user code and see the result.

  Regards,

  Konstantin Triger


------------------------------------------------------------------------------

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dumitru Ban
  Sent: Tuesday, May 29, 2007 11:45 AM
  To: [email protected]
  Subject: [Mono-dev] SiteMapProvider patch

  Hi,

  I'm trying to create a patch for the SiteMapProvider->IsAccessibleToUser method.

  Let's say a web.sitemap file is present, having the following content:

  <?xml version="1.0" encoding="utf-8" ?>
  <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
   <siteMapNode url="home.aspx" title="Home">
    <siteMapNode title="Test_no_url_no_roles"/>
    <siteMapNode title="Test_no_url_roles"  roles="Administrator"/>
   </siteMapNode>
  </siteMap>

  With Microsoft .NET, the "Test_no_url_no_roles" node is not accessible to any 
  user and the "Test_no_url_roles" is accessible only to an Administrator.

  In Mono, both nodes are accessible to anyone. And this is because if the url 
  of the node is null or is the empty string, the method returns true.

  On the method there is a [MonoTODO ("need to implement cases 2 and 3")]. But 
  number 2 is already started and the code

  String url = node.Url;
  if (String.IsNullOrEmpty (url))
      return true;

  is already there.

  Shouldn't we have the same behaviour as Microsoft .NET?

  Thanks & best regards,

  Dumi.


_______________________________________________
Mono-devel-list mailing list
[email protected]
http://lists.ximian.com/mailman/listinfo/mono-devel-list