I have several pages or views in my application that are essentially the same for authenticated users as well as for anonymous users. I would like to limit the insert / update / delete actions in formviews and gridviews only to authenticated users and allow read access for both users and anonymous users.
I am using the ASP.NET configuration system to handle authentication and roles. This system restricts path-based access, so I duplicate pages for standalone and anonymous paths.
The solution that immediately comes to mind is to check the roles in the respective event handlers, limiting which possible actions are displayed (insert / update / delete buttons), and also to limit what actions are performed (for users who know how to perform the action in the absence of a button). However, this solution does not eliminate duplication - I would duplicate the security code on several pages, rather than duplicate pages and restrict access based on the path; the latter would be much less complicated.
I could always create some controls that offer role-based customization, but I don’t think I have time for this kind of commitment right now.
Is there a relatively easy way to do this (are there such controls?) Or should I just stick with path-based access and duplicate pages?
Does it make sense to use two authorization methods? There are some more pages that are strictly intended for any role, so I will still use path-based authorization.
Finally, would using something other than path-based authorization run counter to typical ASP.NET design practices, at least in the context of using the ASP.NET configuration system?
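The event-handler approach described in the question can be written once and shared by every page, which avoids repeating the security code. The sketch below is an added example, not part of the original post; the `WriteGuard` class and the `Editors` role name are assumptions made for illustration.

```csharp
using System.ComponentModel;
using System.Web;
using System.Web.UI.WebControls;

// Hypothetical shared helper: call Protect(...) from Page_Init on every request.
public static class WriteGuard
{
    private const string WriteRole = "Editors"; // assumed role name

    private static bool CanWrite()
    {
        var user = HttpContext.Current.User;
        return user != null && user.Identity.IsAuthenticated && user.IsInRole(WriteRole);
    }

    // Server-side enforcement: cancels the data operation even when the
    // command is posted back without a visible button.
    private static void Deny(object sender, CancelEventArgs e)
    {
        if (!CanWrite()) e.Cancel = true;
    }

    public static void Protect(GridView grid)
    {
        grid.RowEditing += Deny;
        grid.RowUpdating += Deny;
        grid.RowDeleting += Deny;
        if (CanWrite()) return;

        // Presentation only: hide the write buttons from read-only users.
        grid.AutoGenerateEditButton = false;
        grid.AutoGenerateDeleteButton = false;
        foreach (DataControlField field in grid.Columns)
        {
            var commands = field as CommandField;
            if (commands == null) continue;
            commands.ShowEditButton = false;
            commands.ShowDeleteButton = false;
        }
    }

    public static void Protect(FormView form)
    {
        form.ItemInserting += Deny;
        form.ItemUpdating += Deny;
        form.ItemDeleting += Deny;
        // Switching back to read-only mode is always allowed.
        form.ModeChanging += (s, e) =>
        {
            if (e.NewMode != FormViewMode.ReadOnly) Deny(s, e);
        };
    }
}
```

FormView buttons live in its templates, so this helper only blocks the operations for a FormView; hiding those buttons still has to be done in the template itself.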