
Beginning ASP.NET 2.0

Roles and Profiles

You can continue to explore each of the user accounts and roles to see who is a member of each group, so you can discover (among other things) that:

ChrisH, ChrisU, Dave, and John are reporters.

Dave is a member of all groups, hence he’s the “super user” (who can access all areas of the site — great for testing!).

Lou is only a member of the Fan Club; hence she is the only true fan of the team.

Dan’s the team’s manager and Jim’s the owner.

After digging through the site configuration, in the Access Rules section, you’ll also recall that the Admin section of the site was restricted so that only site administrators could enter that part of the site. Additionally, the Fan Club was restricted so that only members could see the fan club–specific links available in the fan club section.

In the next example, you’ll get to use this configuration and try it out for yourself. The Fan Club for Wrox United is a good place to start.

In the following Try It Out, you build the skeleton for the Fan Club page and see how different users will see a different version of the page, depending on whether they are logged in, and, if the user has logged in, the current user’s identity.

Try It Out

The Wrox United Fan Club

1. Open up the chapter version (in C:\BegASPNET2\Chapters\Begin\Chapter11\WroxUnited folder) of the Wrox United application and run the site by pressing Ctrl+F5.

2. Log in to the site as Lou; use the password lou@123. There is a link to the Fan Club (FanClub.aspx) in the menu on the left (shown in Figure 11-5), and to the two sub-pages, FanClubMatchReport.aspx and FanClubPictures.aspx.

At the moment, the pages are looking a bit empty, so it’s time to start adding some code.

3. Open up FanClub.aspx in Visual Web Developer and switch to Design View.

4. Drag a LoginView control onto the page, as shown in Figure 11-6.

5. Rename the control FCLoginView.

6. You’re going to create three different views on this page:

AnonymousTemplate: Anonymous visitors will be asked to purchase a Fan Club membership before they can access the fan club pages.


Figure 11-5

Administrator/Manager/Owner/Reporter: All logged-in users who are not members of the Fan Club will be told to contact the administrator of the site to gain access to the fan club.

FanClubMembers: Members of the Fan Club will be able to change their passwords and to update their profiles (you add this part later in the chapter).

7. In the Common Tasks box of the LoginView control (the flyout highlighted in Figure 11-6), click the Edit RoleGroups link. In the dialog that appears (shown in Figure 11-7), you can enter the details for the two custom role groups. Click the Add button to add a new group, then click the ellipsis next to the Roles property on the right and enter FanClubMember in the dialog that appears.

8. Repeat the process and enter Administrator, Owner, Manager, and Reporter, each on separate lines in the pop-up, as depicted in Figure 11-8.


Figure 11-6

Click OK to close the dialogs and you’ll be returned to the Design View for the page.

Figure 11-7


Figure 11-8

9. Back in the Common Tasks box of the LoginView control (refer to Figure 11-6), select the AnonymousTemplate from the View drop-down and enter just a few words of text in the body of the control (see Figure 11-9).

When you flick back to Source View you will now see the following code:

    <%@ Page Language="VB" MasterPageFile="~/site.master" AutoEventWireup="false"
        CodeFile="FanClub.aspx.vb" Inherits="FanClub" Title="Fan Club" %>
    <asp:Content ID="Content1" ContentPlaceHolderID="mainContent" Runat="Server">
      <asp:LoginView ID="FCLoginView" runat="server">
        <RoleGroups>
          <asp:RoleGroup Roles="FanClubMember">
          </asp:RoleGroup>
          <asp:RoleGroup Roles="Administrator,Owner,Manager,Reporter">
          </asp:RoleGroup>
        </RoleGroups>
        <AnonymousTemplate>
          This is the anonymous template
        </AnonymousTemplate>
      </asp:LoginView>
    </asp:Content>

10. Stay in Source View and enter the following lines of code — this will make sure you have some visible content displayed no matter who views the site:

    <asp:LoginView ID="FCLoginView" runat="server">
      <RoleGroups>
        <asp:RoleGroup Roles="FanClubMember">
          <ContentTemplate>
            <p>
              Welcome back
              <asp:LoginName ID="FCLoginName" runat="server" />
            .</p>
            <p>
              There are always lots of exciting things happening with the fan club,
              most of which you already know from the email we regularly send out. One that hasn’t made it to the email yet is the proposed end of season BBQ – a great excuse for a summer party (not that we really need an excuse). This will be open to all members of the public and tickets will be heavily discounted for fan club members as a thank you for all of the great support you’ve given the club. The date hasn’t yet been set, but keep your eyes on your inbox for more details.
            </p>
          </ContentTemplate>
        </asp:RoleGroup>
        <asp:RoleGroup Roles="Administrator,Owner,Manager,Reporter">
          <ContentTemplate>
            To see the Fan Club features you need to be a member. As special users you get free entry to the fan club – talk to the admin people to get set up.
          </ContentTemplate>
        </asp:RoleGroup>
      </RoleGroups>
      <AnonymousTemplate>
        <p>
          The fan club provides a way for you to show your devotion to the club, and gains you exclusive privileges. You get discounts on match tickets and at the club store, as well as having the opportunity to meet up with like-minded fans.
        </p>
        <p>
          Membership to the Fan Club can be bought from
          the <a href="Shop.aspx"> Club Shop</a>. Once membership has been received we’ll enable your account as a Fan Club Member.
        </p>
      </AnonymousTemplate>
    </asp:LoginView>

Figure 11-9


11. Time to run the page and see how this works! Launch the site from VWD and, before you log in, go to the Fan Club page as an anonymous user. You should see the screen shown in Figure 11-10.

12. Log in to the site as ChrisH, using the password chrish@123. You will now see the screen in Figure 11-11.

13. Finally, log out, and then log back in as Lou, using password lou@123. You’ll be presented with the welcome screen shown in Figure 11-12.

How It Works

The LoginView control, which you first met in Chapter 4, is a great way of displaying content that is directly related to the user who is currently viewing a page. In this example, you’ve added code so that three possible views are available of the Fan Club home page.

Figure 11-10


Figure 11-11

If the user is anonymous, the anonymous template is used:

    <AnonymousTemplate>
      <p>
        The fan club provides a way for you to show your devotion to the club, and gains you exclusive privileges. You get discounts on match tickets and at the club store, as well as having the opportunity to meet up with like minded fans.
      </p>
      <p>
        Membership to the Fan Club can be bought from
        the <a href="Shop.aspx">Club Shop</a>. Once membership has been received we’ll enable your account as a Fan Club Member.
      </p>
    </AnonymousTemplate>


Figure 11-12

If the user has logged in, it’s fairly safe to assume that he is a member of a group, and hence he will see a different page depending on which roles he belongs to:

    <RoleGroups>
      <asp:RoleGroup Roles="FanClubMember">
        <ContentTemplate>
          <p>
            Welcome back
            <asp:LoginName ID="FCLoginName" runat="server" />
          .</p>
          <p>
            There are always lots of exciting things happening with the fan club, most of which you already know from the email we regularly send out. One that hasn’t made it to the email yet is the proposed end of season BBQ – a great excuse for a summer party (not that we really need an excuse). This will be open to all members of the public and tickets will be heavily discounted for fan club members as a thank you for all of the great support you’ve given the club. The date hasn’t yet been set, but keep your eyes on your inbox for more details.
          </p>
        </ContentTemplate>
      </asp:RoleGroup>


Fan Club members will see a custom page with some text. There’s not a lot on here yet, but that will change later in this chapter when you learn about user profiles. These profiles can be used to store additional information about a user, so the fan club page will become a central place for site members to come so that they can modify their profiles.

If the user is a member of one of the other roles (Administrator, Owner, Manager, or Reporter), the user will see a different display:

      <asp:RoleGroup Roles="Administrator,Owner,Manager,Reporter">
        <ContentTemplate>
          To see the Fan Club features you need to be a member. As special users you get free entry to the fan club – talk to the admin people to get set up.
        </ContentTemplate>
      </asp:RoleGroup>
    </RoleGroups>

If you wanted to extend this part of the site, perhaps you could include a button or a link that would fire an e-mail to the site administrator, indicating your interest in joining the fan club.

This example demonstrates how simple and easy it is to change the appearance of a page, depending on who is logged in to the site. There are some drawbacks to this technique, however, which you’ll see when you look at extending the display for fan club members to show and edit their profile details.

So, you can change the display of a site by user roles. The next step is to lock down parts of the site by role, and work with role-level access to the site.

Configuring Page-Level Authorization

Managing general application access via the Web Site Administration Tool (see Figure 11-13) controls access to folders. Previously (back in Chapter 4), you learned how to restrict access to the pages contained within the Admin folder to deny all unapproved users access to those pages.

This general level of restriction is fine for hiding the contents of a directory, but who can access each individual page is configured in the Web.config file for each folder.

In the Admin folder in the code for the full Wrox United application, you will find a Web.config file. The following statements appear in this file:

    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
    <location path="Admin.aspx">
      <system.web>
        <authorization>
          <allow roles="Reporter,Administrator,Owner,Manager" />
        </authorization>
      </system.web>
    </location>

The first part of this extract reflects the setting applied in the site administration tool, denying all users access:

    <deny users="*" />

The second part of the extract applies access permissions to a specific page — the Admin.aspx page, in this case. The users who are allowed to view the Admin.aspx page include anyone who is a member of any of the Reporter, Administrator, Owner, or Manager roles:

    <allow roles="Reporter,Administrator,Owner,Manager" />

And so the pattern continues for the remainder of the configuration file, where access to each page is controlled by the configuration file, enabling access permissions to be set for each role against each page in the hierarchy.
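The effect of the folder-wide deny combined with the page-level allow can be checked mechanically. The following Python sketch is an added example, not code from the book or the Wrox United application: it wraps the excerpt above in a constructed <configuration> root and evaluates it with ASP.NET's first-match rule order (page-level location rules before folder rules, then the framework default). Other.aspx is a hypothetical page name, and the verbs attribute and nested paths are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Admin folder excerpt from the text, wrapped in a
# <configuration> root so that it parses as a single XML document.
ADMIN_WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="*" /></authorization></system.web>
  <location path="Admin.aspx"><system.web><authorization>
    <allow roles="Reporter,Administrator,Owner,Manager" />
  </authorization></system.web></location>
</configuration>"""

def _rules(node):
    """Return (action, users, roles) tuples from node's <authorization> element."""
    auth = node.find("system.web/authorization")
    out = []
    for rule in (auth if auth is not None else []):
        users = {u.strip() for u in rule.get("users", "").split(",") if u.strip()}
        roles = {r.strip().lower() for r in rule.get("roles", "").split(",") if r.strip()}
        out.append((rule.tag, users, roles))
    return out

def is_allowed(config_xml, page, user, roles):
    """First matching rule wins. user=None means an anonymous visitor."""
    root = ET.fromstring(config_xml)
    ordered = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            ordered += _rules(loc)             # page-specific rules come first
    ordered += _rules(root)                    # then the folder-wide rules
    ordered.append(("allow", {"*"}, set()))    # framework default: allow everyone
    mine = {r.lower() for r in roles}
    for action, users, rule_roles in ordered:
        hit = ("*" in users or (user is None and "?" in users)
               or (user is not None and user.lower() in {u.lower() for u in users})
               or bool(mine & rule_roles))
        if hit:
            return action == "allow"
    return False

if __name__ == "__main__":
    # Users and roles are the ones named in the text; Other.aspx is hypothetical.
    for page, user, roles in [("Admin.aspx", "ChrisH", ["Reporter"]),
                              ("Admin.aspx", "Lou", ["FanClubMember"]),
                              ("Other.aspx", "Dave", ["Administrator"])]:
        print(page, user, is_allowed(ADMIN_WEB_CONFIG, page, user, roles))
```

A page in the folder that has no location block of its own falls through to the folder-wide deny, so even an Administrator is refused until a matching allow rule is added for that page.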

Figure 11-13
