DotNetNuke Module Development: Displaying a Server Control only when the logged in user is an administrator or higher? - dotnetnuke

Can one specify inside an aspx page (without code-behind) only to display a user control if the logged in user has administrator rights?

I assume that you're talking about an ascx control, since there isn't any real integration of aspx pages in DotNetNuke.
Ideally this kind of permission would be configured in the module's settings, rather than hardcoded in. However, if that's not possible for whatever reason, you can check if the user is an administrator via the following code, which you can put in a code block in your ascx control (why can't you use a code-behind?):
UserInfo.IsInRole(PortalSettings.AdministratorRoleName)

The easiest thing to do, but this will only work if only administrators have edit rights for the module, is to add the following to the user control tag:
Visible="<%# IsEditable %>"

Related

limit permissions to certain users

Hello 2sxc enthusiasts!
I developed a 2sxc application in a protected page. A group of users can read, add and modify the information in that 2sxc application. Since they can do some important actions but not administer the entire page, I gave the rights to "modify the module" (not certain these are the English terms...) to this group of users only for the 2sxc application developed. In my controller, the function attributes are:
[HttpPost]
[DnnModuleAuthorize (AccessLevel = SecurityAccessLevel.Edit)]
[ValidateAntiForgeryToken]
Everything works very well as far as the code is concerned, but with the editing rights given on the DNN module, the persona bar now appears with this little pencil and no menus, which is ultimately useless. This creates overhead, slowing down the application needlessly.
I could set the rights to [DnnModuleAuthorize (AccessLevel = SecurityAccessLevel.Anonymous)], considering the presence of [ValidateAntiForgeryToken], and base the security only on the DNN page, but is there a way to retain limited rights for the controller without having this persona bar?
Thanks for your advice!
As of 2sxc 9.30 there are new ways to set permissions, incl. at App-level. You could try to remove DNN edit permissions but set the app to editable. We haven't tried this scenario, but it could work.

how to prevent the clients from debugging the code in javascript using developer tool

We have an AngularJS application where we have different roles associated with the users. For example, the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and add more features/screens for the Admin.
The userInfo with the Admin property is returned in the login response, and based on that we decide which menus and screens are rendered.
But if we use the developer tools, set a breakpoint where the admin property is used, and set the admin property to true, the user, even if he is a Local user, would be able to access admin privileges.
In short, anyone who has some idea about the JavaScript code can get the admin privileges. Is there any approach other than minification of the code to prevent this kind of security threat?
Thanks
As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.
If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. Whether there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.
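The server-side validation that answer calls for, as an added example that is not part of the original answer: the handler decides from the roles held in the server's own session store and never reads an admin flag sent by the browser. The tokens, action names and session store are constructed for illustration.

```javascript
// Constructed sample data: sessions the server created at login (token -> identity).
const sessions = new Map([
  ["tok-admin", { user: "alice", roles: ["Admin"] }],
  ["tok-local", { user: "bob", roles: ["Local"] }],
]);

// Hypothetical actions and the role each one requires.
const requiredRole = new Map([
  ["deleteUser", "Admin"],
  ["viewReport", "Local"],
]);

// `body` is whatever the browser sent; a debugger can put anything in it.
function handleAction(token, action, body) {
  const session = sessions.get(token);
  if (!session) return { status: 401, error: "not authenticated" };
  const need = requiredRole.get(action);
  if (!need) return { status: 404, error: "unknown action" };
  // The decision reads only the server-held roles; body.admin is never consulted.
  if (!session.roles.includes(need) && !session.roles.includes("Admin")) {
    return { status: 403, error: "forbidden" };
  }
  return {
    status: 200,
    result: `${action} by ${session.user}`,
    echoed: body?.payload ?? null,
  };
}

// Four requests: a Local user with a flipped admin flag, a permitted Local
// action, a real Admin, and a forged token.
function demo() {
  return [
    handleAction("tok-local", "deleteUser", { admin: true, payload: "carol" }).status,
    handleAction("tok-local", "viewReport", { payload: "q3" }).status,
    handleAction("tok-admin", "deleteUser", { payload: "carol" }).status,
    handleAction("forged", "deleteUser", { admin: true }).status,
  ];
}

console.log(demo());
```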

How to allow user other than Administrator to Add New User in DotnetNuke?

In DotNetNuke, only an Administrator can add a new user. I want to allow other users with a custom role to add new users as well. Is it possible with DotNetNuke?
It used to be possible, though I haven't tried this in quite a while.
Basically you can try a couple of options.
1) You can assign PAGE permissions on the User Accounts page in DNN to users of a specific role. Then you will need to provide those users a LINK to the page, as they won't see the admin menu and won't have access to the link via the Admin menu.
2) You can actually (used to be able to) place the User Accounts module on a page that other roles have access to. The problem is that the User Accounts and Security Roles modules are "premium", meaning that you have to specifically (as a superuser) allow them for use in a portal before they can be placed on a page. You do this from the host/extensions page: click on the edit pencil next to the module, find the premium section, then assign it to the specific portal. Then you will add the module(s) to a page. You'll find that more than just the User Accounts module gets added, so you will want to remove the extra ones by deleting them from the page.
Hopefully one of those two options will work for you.

ExtJS: best way to configure GUI for permissions at startup?

I'm working on a 100% ExtJS application; the browser downloads all the JavaScript and a single HTML file once; everything runs in the browser after that.
When all the panels are rendered at startup (i.e., when Ext.onReady() fires) I need some panels to be hidden depending on the user's permissions. Is there a common/best practice for configuring the GUI at startup depending on user permissions?
I think one solution might be to have some panels hidden by default. An AJAX call could be made at startup to get user permissions, and then panels could be un-hidden depending on those permissions. However, I suspect there are better solutions.
Any tips would be greatly appreciated.
Note: I understand that the front-end javascript can't be trusted as the sole mechanism for security checks and that the backend application would need to verify all the actions received from the front-end.
Why not just write a server-side script that outputs privileged client-side code based on the user's authentication status? Instead of having your client-side code fetch permission data and branch on them, just have the client-side hit a script that outputs the appropriate javascript.
So if you've got a special "SuperAdminPanel" component, the only way the client ever sees the code is if they hit your authentication-aware user-js script, and are recognized as a super-admin.
In the general case, such a script could just echo out the appropriate script for the currently-authenticated user's level. It could easily be extended to pass code or configuration specific to individual users, as well.
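A sketch of the authentication-aware script endpoint that answer describes, as an added example that is not part of the original answer: the server assembles the JavaScript for the session's level, so a lower-level user never receives the SuperAdminPanel code. The session store, level names and panel fragments are constructed placeholders.

```javascript
// Constructed sample data: sessions the server created at login.
const sessions = new Map([
  ["tok-user", { user: "bob", level: "user" }],
  ["tok-admin", { user: "alice", level: "admin" }],
  ["tok-super", { user: "root", level: "superadmin" }],
]);

const LEVELS = ["user", "admin", "superadmin"]; // lowest to highest

// Script fragments stored server-side (placeholders standing in for real panel code).
const fragments = [
  { minLevel: "user", code: "Ext.define('App.MainPanel', {});" },
  { minLevel: "admin", code: "Ext.define('App.AdminPanel', {});" },
  { minLevel: "superadmin", code: "Ext.define('App.SuperAdminPanel', {});" },
];

// Build the response for a request to the user-js endpoint.
function userScript(token) {
  const session = sessions.get(token);
  if (!session) return { status: 401, headers: {}, body: "" };
  // An unrecognised level fails closed to the lowest rank.
  const rank = Math.max(0, LEVELS.indexOf(session.level));
  const body = fragments
    .filter((f) => LEVELS.indexOf(f.minLevel) <= rank)
    .map((f) => f.code)
    .join("\n");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript",
      // The response differs per user, so shared caches must not store it.
      "Cache-Control": "private, no-store",
    },
    body,
  };
}
```

Withholding the panel code only reduces what the client can see; the actions those panels trigger still need their own server-side checks, as the question itself notes.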

Show UAC prompt when launching an app

I have an app which needs administrator privileges to do some things. I'd like to just show the UAC prompt when it starts, and then be elevated. I'm not sure how to do this, but I'm hearing about things like manifests and whatnot but not seeing a plain answer anywhere.
You need an app manifest that demands elevated privileges. Here's a quote from a blog that answers this:
First, you can create a manifest file by adding an “Application Manifest File” Item to your project (default name: app.manifest), then you can set it through the Application Tab in the Project Properties. If you want to change the Windows User Account Control level in your manifest file, all you need is to set the value of the level attribute of the requestedExecutionLevel node with one of the following:
asInvoker (default): the application will run using the current Windows user privileges
requireAdministrator: the application requires an Administrator user
highestAvailable: highest privileges for the current user will be used
http://dariosantarelli.wordpress.com/2007/11/21/vs2008-embedding-uac-manifest-options/
