WebParts and Authorization


By default, all users can browse pages with WebParts, but to customize a page, the user must be authenticated. Changing the DisplayMode of the WebPartManager is therefore only possible when the user is logged in; otherwise an error occurs. You can protect against this in several ways, including checking User.Identity.IsAuthenticated before changing the DisplayMode.

Authorization for WebPart customization is done in the same way as other authorization, by modifying web.config. For example, consider Listing 13.5, which shows the webParts section, with subsections for personalization and authorization. The authorization section has the standard allow and deny elements, which select the users and roles the authorization applies to. When specifying users or roles you also need to specify the verbs, which can be either or both of enterSharedScope and modifyState. You set enterSharedScope to indicate whether a user or role can enter shared scope (that is, whether personalization is shared between users), and modifyState to indicate whether a user or role can modify personalization. In Listing 13.5, only users in the Admin role are allowed to modify the personalization state of the page, and all other users are denied this right.

Listing 13.5. Configuring WebPart Authorization

<webParts>
  <personalization>
    <authorization>
      <allow roles="Admin" verbs="modifyState" />
      <deny users="*" verbs="modifyState" />
    </authorization>
  </personalization>
</webParts>

This can be used in conjunction with the Authorization Filter and custom code to indicate whether a certain WebPart is valid for the current user. This is discussed more in the Authorization Filter section later in the chapter.
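The following code-behind is an added example, not code from the book. It shows one way to guard DisplayMode and scope changes so that the modifyState and enterSharedScope verbs from web.config are honored at run time. The page class name and the two LinkButtons (DesignLink, SharedScopeLink) are hypothetical and assumed to be declared in the .aspx markup.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;

// Hypothetical code-behind; DesignLink and SharedScopeLink are LinkButtons
// assumed to exist in the page markup alongside a WebPartManager.
public partial class PortalPage : Page
{
    // True only if the user is logged in and the authorization section
    // grants the modifyState verb for the current personalization scope.
    private bool CanCustomize(WebPartManager mgr)
    {
        return User.Identity.IsAuthenticated
            && mgr.Personalization.IsEnabled
            && mgr.Personalization.IsModifiable;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        WebPartManager mgr = WebPartManager.GetCurrentWebPartManager(this);
        // Offer only the actions the current user is authorized to perform.
        DesignLink.Visible = CanCustomize(mgr);
        SharedScopeLink.Visible = User.Identity.IsAuthenticated
            && mgr.Personalization.CanEnterSharedScope;
    }

    protected void DesignLink_Click(object sender, EventArgs e)
    {
        WebPartManager mgr = WebPartManager.GetCurrentWebPartManager(this);
        WebPartDisplayMode design = WebPartManager.DesignDisplayMode;
        // Re-check on the server; a hidden link is not an access control.
        if (CanCustomize(mgr)
            && mgr.SupportedDisplayModes.Contains(design)
            && design.IsEnabled(mgr))
        {
            mgr.DisplayMode = design;
        }
    }

    protected void SharedScopeLink_Click(object sender, EventArgs e)
    {
        WebPartManager mgr = WebPartManager.GetCurrentWebPartManager(this);
        // CanEnterSharedScope reflects the enterSharedScope verb.
        if (mgr.Personalization.CanEnterSharedScope
            && mgr.Personalization.Scope == PersonalizationScope.User)
        {
            mgr.Personalization.ToggleScope();
        }
    }
}
```

With the configuration in Listing 13.5, IsModifiable is false for any user outside the Admin role, so the DisplayMode assignment is never reached for them.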



ASP.NET 2.0 Illustrated
ISBN: 0321418344
EAN: 2147483647
Year: 2006
Pages: 147
