Feature Access By Role

Topics: ASP.NET 2.0, Controls
Oct 7, 2010 at 6:33 PM

All,

I'm having some issues limiting the access to certain admin functions by Role.  I've googled and read everything that I can on the topic and here's what I've come up with.

It looks like access control is contained in two files, Web.sitemap and admin\Web.config.  I've made changes to both of these files to no avail.

I'm running BlogEngine.NET with AD Authentication and a DB Backend (MS-SQL 2005).  The handles the management of roles.

Here's my current Web.sitemap:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="default.aspx" title="Blog Engine"  description="" roles="administrators, editors">
    <siteMapNode url="~/admin/Pages/Add_entry.aspx" title="add_entry"  description=""  roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Blogroll.aspx" title="blogroll"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Controls.aspx" title="controls"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Categories.aspx" title="categories"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Pages.aspx" title="pages"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/PingServices.aspx" title="PingServices"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/referrers.aspx" title="referrers"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Settings.aspx" title="settings"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Profiles.aspx" title="profiles"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Pages/Users.aspx" title="users"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Comments/Default.aspx" title="comments"  description=""  roles="administrators"/>
    <siteMapNode url="~/admin/Extension Manager/default.aspx" title="Extensions"  description=""  roles="administrators"/>
  </siteMapNode>
</siteMap>

 

And my Web.config file from the admin directory:

<?xml version="1.0"?>
<configuration>
  <location path="Blogroll.aspx">
    <system.web>
      <authorization>
        <allow roles="administrators"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <pages enableSessionState="true" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

With these two files in place, a user within the editor role can still see the Blogroll link in the Administration widget and the Blogroll tab.  They can also access the Blogroll.aspx page.

Any help would be greatly appreciated!
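
As an added example (not part of the original post and not BlogEngine.NET code), the script below cross-checks the `<location path>` rules in a folder's Web.config against the URLs in Web.sitemap. ASP.NET resolves a `<location path>` relative to the directory holding that Web.config, and page access is enforced by those authorization rules, not by the sitemap's `roles` attribute. The function names and the trimmed sample inputs are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"

# Constructed sample input: trimmed copies of the two files quoted in the post.
SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="default.aspx" title="Blog Engine" roles="administrators, editors">
    <siteMapNode url="~/admin/Pages/Add_entry.aspx" roles="administrators, editors"/>
    <siteMapNode url="~/admin/Pages/Blogroll.aspx" roles="administrators"/>
  </siteMapNode>
</siteMap>"""
ADMIN_WEB_CONFIG = """<configuration>
  <location path="Blogroll.aspx">
    <system.web><authorization>
      <allow roles="administrators"/><deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""


def app_path(url, base="~/"):
    """Normalise a URL to a lower-case app-relative path such as '~/admin/x.aspx'."""
    if not url.startswith("~/"):
        url = posixpath.join(base, url)  # relative paths hang off the base directory
    return "~/" + posixpath.normpath(url[2:]).lower()


def role_set(node):
    return {r.strip().lower() for r in node.get("roles", "").split(",") if r.strip()}


def audit(sitemap_xml, config_xml, config_dir):
    """Compare one Web.config's <location> rules with the sitemap.
    Returns (orphans, unprotected): rule paths that match no sitemap URL, and
    sitemap URLs listing fewer roles than the root node that have no rule.
    """
    top = ET.fromstring(sitemap_xml).find(NS + "siteMapNode")
    nodes = list(top.iter(NS + "siteMapNode"))
    urls = {app_path(n.get("url")) for n in nodes}
    restricted = {app_path(n.get("url")) for n in nodes if role_set(n) < role_set(top)}
    # A <location path> is resolved relative to the folder holding the Web.config.
    rules = {app_path(loc.get("path"), config_dir)
             for loc in ET.fromstring(config_xml).iter("location")}
    return sorted(rules - urls), sorted(restricted - rules)


if __name__ == "__main__":
    print(audit(SITEMAP, ADMIN_WEB_CONFIG, "~/admin"))
```

On the sample input the rule resolves to `~/admin/blogroll.aspx`, which matches no sitemap URL, while `~/admin/pages/blogroll.aspx` is left without a rule.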