[Mono-dev] SiteMapProvider patch

Dumitru Ban dban at dako.ro
Wed May 30 03:03:58 EDT 2007


Hi,

Yesterday, when I posted my questions, #1 looked like this:

if (node.Roles != null)
    foreach (string rolename in node.Roles)
        if (rolename == "*" || context.User.IsInRole (rolename))
            return true;

It was not returning false if there were roles defined for the node and there was no match for the user.

Marek updated the code and now it looks like this:

IList roles = node.Roles;
if (roles != null && roles.Count > 0) {
    foreach (string rolename in roles)
        if (rolename == "*" || context.User.IsInRole (rolename))
            return true;
    return false;
}

But, in the MSDN, it says that the method should return true if:
The Roles exists on node and the current user is in at least one of the specified roles.
- or -
The current thread has an associated WindowsIdentity that has file access to the requested URL and the URL is located within the directory structure for the application.
- or -
The current user is authorized specifically for the requested URL in the authorization element for the current application and the URL is located within the directory structure for the application.

In my opinion #1 should not return false at all. It should go and check for #2 and/or #3. The update Marek made is working for the case where no url is defined for the node. But what happens if the node has an url, a role is defined for that node, the user is not in that role, but the user is specifically authorized for the requested url in the authorization element? It will return false, but it should return true...

I think the correct code should look something like this:

/* 1. */
IList roles = node.Roles;
if (roles != null && roles.Count > 0) {
    foreach (string rolename in roles)
        if (rolename == "*" || context.User.IsInRole (rolename))
            return true;
}

/* 2. */
/* XXX */

/* 3. */
string url = node.Url;
if (!String.IsNullOrEmpty (url)) {
    // TODO check url is located within the current application

    if (VirtualPathUtility.IsAppRelative (url) || !VirtualPathUtility.IsAbsolute (url))
        url = VirtualPathUtility.Combine (VirtualPathUtility.AppendTrailingSlash (HttpRuntime.AppDomainAppVirtualPath), url);

    AuthorizationSection config = (AuthorizationSection) WebConfigurationManager.GetSection (
        "system.web/authorization",
        url);
    if (config != null)
        return config.IsValidUser (context.User, context.Request.HttpMethod);
}

return false;

What do you think?

Thanks & best regards,
Dumi.

  ----- Original Message ----- 
  From: Konstantin Triger 
  To: Dumitru Ban ; mono-devel-list at lists.ximian.com 
  Sent: Wednesday, May 30, 2007 9:11 AM
  Subject: RE: [Mono-dev] SiteMapProvider patch


  Hey Dumitru,

  The problem is probably in case #1:

  /* 1. */
  IList roles = node.Roles;
  if (roles != null && roles.Count > 0) {
      foreach (string rolename in roles)
          if (rolename == "*" || context.User.IsInRole (rolename))
              return true;
      return false;
  }

  Either the rolename is not parsed correctly or context.User.IsInRole (rolename) works wrong. To check the latter, you may run 'context.User.IsInRole ("Administrator")' within your user code and see the result.

  Regards,

  Konstantin Triger


------------------------------------------------------------------------------

  From: mono-devel-list-bounces at lists.ximian.com [mailto:mono-devel-list-bounces at lists.ximian.com] On Behalf Of Dumitru Ban
  Sent: Tuesday, May 29, 2007 11:45 AM
  To: mono-devel-list at lists.ximian.com
  Subject: [Mono-dev] SiteMapProvider patch

  Hi,

  I'm trying to create a patch for SiteMapProvider->IsAccessibleToUser method.

  Let's say a web.sitemap file is present, having the following content:

  <?xml version="1.0" encoding="utf-8" ?>
  <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="home.aspx" title="Home">
      <siteMapNode title="Test_no_url_no_roles"/>
      <siteMapNode title="Test_no_url_roles" roles="Administrator"/>
    </siteMapNode>
  </siteMap>

  With Microsoft .NET, the "Test_no_url_no_roles" node is not accessible to any user and the "Test_no_url_roles" is accessible only to an Administrator.

  In mono, both nodes are accessible to anyone. And this is because if the url of the node is null or is the empty string, the method returns true.

  On the method there is a [MonoTODO ("need to implement cases 2 and 3")]. But number 2 is already started and the code

  String url = node.Url;
  if (String.IsNullOrEmpty(url))
      return true;

  is already there.

  Shouldn't we have the same behaviour as Microsoft .NET?

  Thanks & best regards,

  Dumi.

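Added example, not code from the thread or from Mono: a stand-alone C# model of the three IsAccessibleToUser cases quoted from MSDN above (roles, then file access, then the authorization element), written so that a role miss in #1 falls through to #2 and #3 instead of returning false, and covering the no-url nodes from the original message as well. Node, Rule, AuthorizationConfig, ToAppRelative and the fileAccess delegate are hypothetical stand-ins for SiteMapNode, AuthorizationSection, VirtualPathUtility and the WindowsIdentity file check; the web.config rules, users and nodes are constructed.

```csharp
// Hypothetical stand-ins for SiteMapNode and AuthorizationSection; not the
// real ASP.NET/Mono types. Assumes securityTrimmingEnabled="true".
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Url is null/empty when the node has no url attribute; Roles likewise.
class Node { public string Url; public IList<string> Roles; }

enum Verdict { Allow, Deny }

// One <allow>/<deny> element: "*" is everyone, "?" is the anonymous user.
class Rule
{
    public Verdict Outcome;
    public string[] Users = new string[0];
    public string[] Roles = new string[0];

    public bool Matches(IPrincipal user)
    {
        bool anon = user.Identity == null || !user.Identity.IsAuthenticated;
        foreach (string u in Users) {
            if (u == "*" || (u == "?" && anon)) return true;
            if (!anon && string.Equals(u, user.Identity.Name, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return Roles.Any(r => r == "*" || user.IsInRole(r));
    }
}

// Stand-in for the merged section GetSection("system.web/authorization", url)
// returns: <location> rules are evaluated before application-level ones and
// the first matching rule decides. Verb filtering is omitted for brevity.
class AuthorizationConfig
{
    public List<Rule> Root = new List<Rule>();
    public Dictionary<string, List<Rule>> Locations =
        new Dictionary<string, List<Rule>>(StringComparer.OrdinalIgnoreCase);

    public bool IsValidUser(IPrincipal user, string appRelativeUrl)
    {
        List<Rule> local;
        IEnumerable<Rule> rules = Locations.TryGetValue(appRelativeUrl, out local)
            ? local.Concat(Root) : Root;
        foreach (Rule r in rules)
            if (r.Matches(user))
                return r.Outcome == Verdict.Allow;
        return true;   // machine-level default is <allow users="*"/>
    }
}

static class Access
{
    // "x", "./x" and "~/x" all mean the application root; an assumed
    // simplification of the VirtualPathUtility calls in the proposed patch.
    static string ToAppRelative(string url)
    {
        if (url.StartsWith("~/") || url.StartsWith("/")) return url;
        return "~/" + (url.StartsWith("./") ? url.Substring(2) : url);
    }

    // fileAccess stands in for case 2 (WindowsIdentity file access) and may be
    // null where no such check is available.
    public static bool IsAccessibleToUser(Node node, IPrincipal user,
        AuthorizationConfig config, Func<IPrincipal, string, bool> fileAccess)
    {
        if (node == null || user == null) throw new ArgumentNullException();

        /* 1. A role hit grants access; a miss must fall through, not deny. */
        if (node.Roles != null)
            foreach (string rolename in node.Roles)
                if (rolename == "*" || user.IsInRole(rolename))
                    return true;

        /* Cases 2 and 3 need a URL, so a node without one is reachable only
           through case 1 (the .NET behaviour described for the no-url nodes). */
        if (string.IsNullOrEmpty(node.Url))
            return false;
        string url = ToAppRelative(node.Url);

        /* 2. */
        if (fileAccess != null && fileAccess(user, url))
            return true;

        /* 3. */
        return config != null && config.IsValidUser(user, url);
    }
}

class Program
{
    static void Main()
    {
        // Constructed scenario: the application denies everyone but
        // Administrators, and a <location> for reports.aspx allows "bob".
        var config = new AuthorizationConfig();
        config.Root.Add(new Rule { Outcome = Verdict.Allow, Roles = new[] { "Administrator" } });
        config.Root.Add(new Rule { Outcome = Verdict.Deny, Users = new[] { "*" } });
        config.Locations["~/reports.aspx"] = new List<Rule> {
            new Rule { Outcome = Verdict.Allow, Users = new[] { "bob" } } };

        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Administrator" });
        IPrincipal bob = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);

        var noUrlNoRoles = new Node();
        var noUrlRoles = new Node { Roles = new[] { "Administrator" } };
        var reports = new Node { Url = "reports.aspx", Roles = new[] { "Administrator" } };

        foreach (var who in new[] { alice, bob })
            foreach (var n in new[] { noUrlNoRoles, noUrlRoles, reports })
                Console.WriteLine("{0} -> {1}: {2}", who.Identity.Name,
                    n.Url ?? "(no url)", Access.IsAccessibleToUser(n, who, config, null));
    }
}
```

In this scenario alice is admitted to every node that has a url or a role through case 1, while the node with neither url nor roles admits nobody, which is the .NET behaviour the original message describes. bob is not an Administrator, so case 1 finds nothing for reports.aspx; the method then falls through to case 3, where the <location> rule for bob matches before the application-level deny. A `return false` at the end of case 1, as in the updated Mono code, would short-circuit that and wrongly hide the node from him.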