When you think ASP, think...
Recent Articles
All Articles
ASP.NET Articles
ASPFAQs.com
Message Board
Related Web Technologies
User Tips!
Coding Tips

Sections:
Sample Chapters
Commonly Asked Message Board Questions
JavaScript Tutorials
MSDN Communities Hub
Official Docs
Security
Stump the SQL Guru!
XML Info
Information:
Feedback
Author an Article
ASP ASP.NET ASP FAQs Message Board Feedback
Print this page.
Published: Wednesday, September 06, 2000

Logins and Permissions, Part 2

By Peter McMahon


  • Read Part 1

  • In Part 1 we looked at the basic security solution. In this part we'll examine generating a menu based upon the role of the logged in individual!

    - continued -

    The Menu
    The menu will be dynamically generated according to the permissions of the user who logged in which are stored in the session variable, . For example, if the user logs in as an administrator, options will be displayed allowing him to add or edit logins, for example. If they log in as a customer, they will have the option to place an order. The script uses an IF statement to check what permissions you have from the session variable and then display the appropriate menu items. Here's the code:

    <UL>
    <%
       If Session.Contents("status") = "Administrator" Then
    %>
       <LI><A HREF="admin/logins.asp">Administer Logins</A><BR>
       <LI><A HREF="admin/orders.asp">View Orders</A><BR>
    <%
       ElseIf Session.Contents("status") = "Customer" Then
    %>
       <LI><A HREF="customer/order.asp">Place an order</A><BR>
       <LI><A HREF="customer/viewbag.asp">View Shopping Bag</A><BR>
    <%
       End If
    %>
    </UL>
    

    I recommend storing all the files for a particular type of user in different directories to help with site management so you can immediately see who has rights to what files.

    More Advanced Menus
    Above I have hard coded the permissions into the ASP file to demonstrate the concept of dynamically generating the menus according to what class the user was that logged in. This is not very practical from a code reuse point of view and may also lead to frustration if lots of different classes of users are required. It is therefore much more sensible to put the menu items in a table in the database. To do so, create a new table and call it MenuItems. Give it the following columns: Status, URL, and Descriptoin. The below table snapshot shows how these columns represent various menu options for the various roles.

    MenuItems Table
    StatusURLDescription
    CustomerCustomer/search.aspSearch Our Database
    CustomerCustomer/order.aspPlace an order
    CustomerCustomer/viewbag.aspView Shopping Bag
    AdministratorAdmin/search.aspSearch Product Database

    Replace the current menu code with this code:

    <UL>
    <%
      Dim objConn, objRS
      Set objConn = Server.CreateObject(“ADODB.Connection”)
      objConn.Open "DSN=LoginTest;"
      Set objRS = objConn.Execute("SELECT * FROM MenuItems WHERE Status = ‘" & _
      Session.Contents("status") & "’")
      While Not objRS.EOF
    %>
      <LI><A HREF=”<%=objRS(“URL”)%>”><%=objRS(“Description”)%></A><BR>
    <%
        objRS.MoveNext
      Wend
      objRS.Close
      Set objRS = Nothing
      objConn.Close
      Set objConn = Nothing
    %>
    </UL>
    

    This code simply opens a database connection, puts all the menu items for the user class that you are currently logged in as into a recordset and displays them in a bulleted list. You could take this even further by doing away with user classes all together and assigning each user their own menu. Default items could be added when you add or remove a user depending on a “preset” option that you choose. You could then go in and change the user’s menu individually.

    In Part 3 we'll look at securing each page so that sneaky users can't slip by our login screen and get access to pages that they have no business seeing!

  • Read Part 3


  • ASP.NET [1.x] [2.0] | ASPMessageboard.com | ASPFAQs.com | Advertise | Feedback | Author an Article