This is a migrated thread and some comments may be shown as answers.

Visible menu item based on authorization

16 Answers 728 Views
This question is locked. New answers and comments are not allowed.
Jim asked on 22 Apr 2010, 01:46 PM
Is there an example of how to show a menu item, say "Admin" only when a user acting in the role of administrator is currently logged in?

16 Answers, 1 is accepted

0
Atanas Korchev
Telerik team
answered on 22 Apr 2010, 02:53 PM
Hello Jim,

You don't need to do anything. The menu will apply security trimming by default. Just decorate the action method with the AuthorizeAttribute.

Regards,
Atanas Korchev
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Jim
answered on 22 Apr 2010, 03:38 PM
The [Authorize] decoration works, but [Authorize(Roles="Administrator")] does not.
0
Jim
answered on 24 Apr 2010, 08:55 PM
I have added some sub menu items to the item that has the [Authorize] attribute. The menu item cannot be expanded unless an authorized user is logged in, however the menu bar item "Admin" still shows in the menu. Is there a way to hide this item unless an authorized user is logged in?

0
Georgi Krustev
Telerik team
answered on 26 Apr 2010, 09:28 PM
Hello Jim,

I have created a test project, which describes how to use the Authorize attribute in order to differentiate between different roles. Please note that the project uses the DefaultRoleProvider of ASP.NET.

Sincerely yours,
Georgi Krustev
the Telerik team

0
Jim
answered on 26 Apr 2010, 09:41 PM
Thank you for your response,

I am able to get the roles to work properly, but as I stated above, when a user who is not authorized for the Admin actions is logged in, how do I hide the Admin menu item, or in the case of your example Index3?
0
Georgi Krustev
Telerik team
answered on 27 Apr 2010, 08:29 AM
Hello Jim,

The behavior that you described is expected. Only items which are not accessible will not be rendered.
Nevertheless you can achieve your goal with the following code snippet:
<% var navAuthorization = Telerik.Web.Mvc.Infrastructure.ServiceLocator.Current.Resolve<Telerik.Web.Mvc.Infrastructure.INavigationItemAuthorization>(); %>

<%= Html.Telerik().Menu()
        .Name("Menu")
        .Items(items =>
        {
            items.Add().Text("Index").Action("Index", "Home");
            items.Add().Text("Index2").Action("Index", "Home");
            items.Add().Text("Index3")
                 .Action("Index", "Home")
                 .Items(childs =>
                 {
                     childs.Add().Text("AuthorizedAdmin").Action("About", "Home");
                     childs.Add().Text("AuthorizedUser").Action("About2", "Home");
                 });
        })
        .ItemAction( item =>
        {
            bool hasAccessible = true;
            foreach(var children in item.Items)
            {
                hasAccessible = false;
                if(children.IsAccessible(navAuthorization, ViewContext))
                {
                    hasAccessible = true;
                    break;
                }
            }
            item.Visible = hasAccessible;
        })
%>

In the ItemAction the code checks whether the item has any accessible child items.

All the best,
Georgi Krustev
the Telerik team

0
Jim
answered on 29 Apr 2010, 12:19 AM
I was able to achieve the desired effect with the following code:
<% MembershipUser currentUser = Membership.GetUser(); %>
<% Html.Telerik().Menu()
       .Name("Menu")
       .Items(menu =>
       {
           if (Roles.IsUserInRole("Administrator"))
           {
               menu.Add()
                   .Text("Admin")
                   .Items(item =>
                   {
                       item.Add().Text("Manage Members").Action("ManageMembers", "Admin");
                       item.Add().Text("Manage Polls").Action("ManagePolls", "Admin");
                       item.Add().Text("Create Poll").Action("CreatePoll", "Admin");
                   });
           }
       })
       .Render(); %>
 
0
Carl
answered on 20 Apr 2011, 07:28 AM
Is the approach described by Jim still the only way to get role-based security-trimmed display of menu items?

Or have there been any improvements that make it more convenient?

Can the roles attribute in XmlSiteMaps be used in a manner similar to the way possible for web forms since ASP.NET 2.0?
0
nachid
answered on 20 Apr 2011, 09:49 AM
I am using another approach, taking advantage of the Visible property:

menu.Add().Text("Admin")
    .Visible(IsAdministrator)

You just have to define IsAdministrator as a server-side variable.
0
Carl
answered on 20 Apr 2011, 06:04 PM
Thanks, but I was hoping that there was some corresponding syntax that could be used in the *.sitemap files since I have a number of existing *.sitemap files, and I like the principle of maintaining the sitemap structure in a separate file even if there is some additional overhead in managing those files... perhaps I should just abandon the notion of using *.sitemap files?
0
nachid
answered on 21 Apr 2011, 09:05 AM
I would say if you bind your menu to your sitemap file, it should work out of the box.
Never tried it however... did you?
Otherwise, have a look at this one: Building an ASP.NET MVC sitemap provider with security trimming
and this one: Using ASP.NET MVC dynamic SiteMap to simplify User/Role authentication
0
Rachael
answered on 22 Apr 2011, 04:44 PM
Thanks Jim. Your if (Roles.IsUserInRole("Administrator")) statement worked!
0
Chris
answered on 06 Sep 2011, 07:58 PM
This mostly works as expected. However I've run into an issue when a Get controller action is not decorated with Authorize but the Post action is. e.g. I've added an Authorize attribute so that only certain roles can update/post to the action in question. So even though my get action is open to all roles, the menu item will still not show for any other roles than the ones specified in the authorize attribute. Here is a non-functional example to illustrate.

public ActionResult Index() {return View(); }
 
[HttpPost, Authorize(Roles = "Admin")]
public ActionResult Index(SomeViewModel model) { return View(); }
 
// will not render for any role other than Admin
menu.Add().Text("TopLevel").Items(item => item.Add().Text("Sub Menu Item").Action("Index", "MyController"));

I would expect that the menu item would still render given that the action link refers to the GET Index controller action and not the HttpPost decorated one. I'm using the latest MVC release on Nuget.org.
0
Georgi Krustev
Telerik team
answered on 07 Sep 2011, 09:19 AM
Hello Chris,

The aforementioned behavior is expected. The authorization does not differentiate between different overloads of the Action methods. As a workaround, I suggest you create different Action methods for the GET and POST if you need to allow GET requests for all users and restrict POST requests.

Regards,
Georgi Krustev
the Telerik team
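
The workaround Georgi describes, sketched as an added example (not code from the thread or from Telerik): the GET action keeps the name the menu item points at, and the role-restricted POST moves to a separately named action. The action name Update, the Title property and the anti-forgery check are assumptions introduced for illustration.

```csharp
using System.Web.Mvc;

public class SomeViewModel
{
    public string Title { get; set; }   // constructed sample property
}

// Resolved by .Action("Index", "MyController") in the menu definition from Chris's post.
public class MyControllerController : Controller
{
    // GET: the only method named Index, with no Authorize attribute,
    // so no role-restricted overload shares the name the menu item targets.
    [HttpGet]
    public ActionResult Index()
    {
        return View(new SomeViewModel());
    }

    // POST: a distinct action name (hypothetical "Update") carries the role check.
    // The server rejects non-Admin requests here regardless of what the menu renders.
    // The Index view's form must post to Update and emit Html.AntiForgeryToken().
    [HttpPost]
    [Authorize(Roles = "Admin")]
    [ValidateAntiForgeryToken]
    public ActionResult Update(SomeViewModel model)
    {
        if (!ModelState.IsValid)
        {
            // Redisplay the form with validation messages.
            return View("Index", model);
        }

        TempData["Saved"] = model.Title;   // stand-in for the real update
        return RedirectToAction("Index");
    }
}
```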


0
Alan Mosley
answered on 28 Sep 2011, 02:30 AM
Something I noticed is that it is case sensitive. I had area = "admin", and the menu item still showed; I changed it to Admin and it fixed the problem.
0
Tim
answered on 14 Dec 2011, 02:07 AM
Sorry to wake an old thread, but this directly relates to the information provided in this thread.

It appears that while menu hiding of menu items pointing to actions with an AuthorizeAttribute seems to work fine, it appears that the menu hiding algorithm does not honor controller actions where the PrincipalPermissionAttribute is used instead, as in [PrincipalPermission(SecurityAction.Demand, Role = @"builtin\Administrators")].

I am developing an intranet site with Windows authentication with the AspNetWindowsTokenRoleProvider role provider...

I would prefer to use the PrincipalPermission attribute, as when the demanded roles are not met, an access denied error is returned, whereas when the Authorize attribute is used, the user is challenged for alternate credentials (not desired).

Is my experienced behavior correct, or am I missing something?
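
One common way to get the behavior Tim asks for while staying on AuthorizeAttribute, shown as an added example that is not part of the thread or Telerik's code: a subclass that answers 403 for authenticated users lacking the role and keeps the 401 challenge for anonymous requests. The class name ForbidAuthorizeAttribute and the AdminController shown are hypothetical, and whether the menu's security trimming treats the subclass like the built-in attribute is an assumption to verify.

```csharp
using System.Web.Mvc;

// Hypothetical attribute: same role check as [Authorize], different failure response.
public class ForbidAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        if (user != null && user.Identity.IsAuthenticated)
        {
            // Known user, missing role: answer 403 so the browser does not
            // prompt for alternate credentials under Windows authentication.
            filterContext.Result = new HttpStatusCodeResult(403, "Access denied");
        }
        else
        {
            // Anonymous request: keep the default 401 challenge.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Hypothetical controller reusing the action name from Jim's menu.
public class AdminController : Controller
{
    // Role string as quoted in Tim's post; the verbatim string avoids the
    // invalid "\A" escape of a regular C# string literal.
    [ForbidAuthorize(Roles = @"builtin\Administrators")]
    public ActionResult ManageMembers()
    {
        return View();
    }
}
```

HttpStatusCodeResult requires ASP.NET MVC 3 or later.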