Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:
    <authorization>
      <allow roles="Global, Region" />
      <deny users="*" />
    </authorization>
I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:
    <authorization>
      <allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
      <deny users="*" />
    </authorization>
Any ideas? I realize I probably should have a new role for this scenario, but I'd like to avoid that. Thanks!
I don't think you can do this via the current configs allowed in web.config. What you could do though is something like the following... as the very first line in your Page_Load event for the page in question, use the following code (VB):

    If Not (User.IsInRole("Role1") AndAlso User.IsInRole("Role2")) Then _
        FormsAuthentication.RedirectToLoginPage()

This line of course is assuming you are using FormsAuthentication. If not, you would need to replace FormsAuthentication.RedirectToLoginPage() with the appropriate code depending on your authentication method.
I don't know your situation exactly, but based on your code, it looks like you could go one step further, and add a table with a mapping of users to sites, and do something like the following:
In a public module, add the following code:
    <System.Runtime.CompilerServices.Extension()> _
    Public Function ManagesSite(target As System.Security.Principal.IPrincipal, siteName As String) As Boolean
        Return [ code here to look up whether this user can access the site specified ]
    End Function
Then you can write the previous code as something more logical, such as:
    If Not (User.IsInRole("SiteManager") AndAlso User.ManagesSite(Request.Url.Host)) Then _
        FormsAuthentication.RedirectToLoginPage()
The method I usually use to solve this is, when setting the user roles, to create virtual roles. Therefore, if you wanted to only allow Student Administrators access to a page where a user has both Student and Administrator roles, you could add a new StudentAdministrator role.
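
The virtual-role idea above, applied to the question's `SiteManager && FooSite` case, as an added example that is not code from any of the posts. It derives the combined role on every request so the `<authorization>` element can stay a plain OR list. The role name `SiteManagerFooSite`, the `ExpandRoles` helper and the class name are assumptions, and it assumes `Context.User` already carries the stored roles when the handler runs.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Threading
Imports System.Web

' Global.asax.vb (added example; SiteManagerFooSite and ExpandRoles are hypothetical names)
Public Class Global_asax
    Inherits HttpApplication

    ' Base roles that are actually stored for users (names taken from the question).
    ' Roles not listed here are dropped from the rebuilt principal.
    Private Shared ReadOnly BaseRoles As String() =
        {"GlobalManager", "RegionManager", "SiteManager", "FooSite"}

    ' Virtual role: never stored or assigned, only derived per request.
    Public Const SiteManagerFooSite As String = "SiteManagerFooSite"

    ' Kept separate from the event handler so the AND rule can be unit tested.
    Public Shared Function ExpandRoles(user As IPrincipal) As String()
        Dim roles As New List(Of String)
        For Each role As String In BaseRoles
            If user.IsInRole(role) Then roles.Add(role)
        Next
        ' The virtual role exists only when BOTH base roles are held.
        If roles.Contains("SiteManager") AndAlso roles.Contains("FooSite") Then
            roles.Add(SiteManagerFooSite)
        End If
        Return roles.ToArray()
    End Function

    ' PostAuthenticateRequest fires before the <authorization> rules are
    ' evaluated, so the directory's web.config can read:
    '   <allow roles="GlobalManager, RegionManager, SiteManagerFooSite" />
    '   <deny users="*" />
    Protected Sub Application_PostAuthenticateRequest(sender As Object, e As EventArgs)
        Dim current As IPrincipal = Context.User
        If current Is Nothing OrElse Not current.Identity.IsAuthenticated Then Return

        Dim principal As New GenericPrincipal(current.Identity, ExpandRoles(current))
        Context.User = principal
        Thread.CurrentPrincipal = principal
    End Sub
End Class
```

Because the combined role is rebuilt from the base roles on each request, a stored role that happens to share its name grants nothing, and a user who holds only one of the two base roles still falls through to `<deny users="*" />`.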