sql - ASP.net Limit user functions based on custom table roles and permissions, not ASP Memberships -


i have asp.net website, ms sql server on backend.

for simplicity, describe problem 3 4 tables though in reality more that.

tables:

tblsystems
• systemid (pk)
• systemdescription
• other columns

tblsystems_projects (many projects can associated each system)
• various fields users can see/modify/delete, based on permissions.

users (as generated asp.net, user/membership/roles etc...)
• userid
• other columns

tblsystems_permissions_link (this links 2 tables)
• systemid
• userid
• allowedit
• allowview • allowdelete
• allowinsert

i set stored procedure each of insert/update/delete functions in database tblsystems_projects.

when user goes change/add/delete record in tblsystems_projects, send parameter of @userid (from logged in user) sp.

for update check see in tblsystems_permissions_link have allowedit set true, given system in tblsystems. way tables linked, if don't have edit permissions, there won't row updated (becuase clause returns 0 rows), in execution of sp. fine.

same goes delete.

but insert, there no clauses available inserting records tblsystems_projects.

  1. how can prevent userid not have insert priveledges particular system inserting tblsystems_projects table?
  2. when logged in userid tries click on insert, can redirect them "you not have epermission" page?
  3. can hide insert command based on logged in userid? when that? on page load? suggestions on methodology that? simple sp returns scalar of insert value?

i looked @ roles/memberships etc... doesn't quite work, many different people have different permissions based on system. in 1 system, 1 person admin, , ini system, viewer only.

what trying accomplish have users have access records, granting them permission allowed do. permissions vary based on systemid.

there lot of way it. here approach role based authorization -

i'll restrict authorization based on user's roles. example, if system in addrole , user in addrole, user can create new record.

page's authorization logic should not in store procedure alone. instead, should started in presentation layer (such controller).

if need addition logic checking, can place business logic layer.

enter image description here

tblsystems_permissions_link (this links 2 tables) • systemid • userid • allowedit • allowview  • allowdelete • allowinsert

you should not create tblsystems_permissions_link table individual column. it not database design, unless can 100% ensure there won't new authorization type in future.


Comments

Post a Comment

Popular posts from this blog

Android layout hidden on keyboard show -

i have strange problem layout. when tap on edittext , keyboard shown edittext stay on bottom , when tap on to hide keyboard , keyboard hides , edittext go should when want input text. when tap again, keyboard shown , edittext goes down behind keyboard... <relativelayout android:layout_width="match_parent" android:layout_height="match_parent" > <scrollview android:layout_width="match_parent" android:layout_height="fill_parent" android:above="@+id/rl_commands"> <textview android:layout_width="match_parent" android:layout_height="wrap_content"/> </scrollview> <relativelayout android:layout_width="match_parent android:layout_height="24dp" android:id="@+id/rl_commands" android:alignparentbottom="true">
Read more

google app engine - 403 Forbidden POST - Flask WTForms -

i have flask application running on google app engine. trying submit form built using wtform , keep getting following error. 403 forbidden: don't have permission access requested resource. either read-protected or not readable server. location.html (part of code) <form method=post action="/home/location"> .... <button type="submit" class="btn btn-primary" value="submit"> directions </button> </form> main.py @app.route('/home/location', methods=['post', 'get']) def location(): form = cfcdirections.direction(request.form) print(request.method) if request.method == 'post' , form.validate(): print("after if") directions = cfcdirections() street_no = directions.no street = directions.street suburb = directions.suburb postcode = directions.postcode
Read more

c - Why would PK11_GenerateRandom() return an error -8023? -

i looking through internet trying find source of pk11_generaterandom() function see why function fail. have program uses function when moved new flavor of linux, fails after forking ( fork() ) since not believe there problem nss, suspect doing incorrectly disregarded in older versions of linux new 1 there issue. the openssl package same on 'good' , 'bad' server: openssl 0.9.8e-fips-rhel5 01 jul nss rpm differs though. 'good' has nss-3.12.2.0-2.el5 and bas has version nss-3.15.3-4.el5_10 the 'good' server uses quite obsolete linux: linux 2.6.18-128.el5 #1 smp wed jan 21 08:45:05 est 2009 x86_64 x86_64 x86_64 gnu/linux enterprise linux enterprise linux server release 5.3 (carthage) red hat enterprise linux server release 5.3 (tikanga) the 'bad' server newer: linux bad 2.6.18-371.4.1.el5 #1 smp wed jan 29 11:05:49 pst 2014 x86_64 x86_64 x86_64 gnu/linux oracle linux server release 5.10 red hat enterprise linux server release
Read more