Adding Roles to ASP.NET Accounts (Page 1 of 4 )
Last week we began our discussion of website personalization with Visual Basic 2005. This week, we continue that discussion with an explanation of how to add roles to ASP.NET accounts. This article is excerpted from chapter 12 of the book
Programming Visual Basic 2005, written by Jesse Liberty (O'Reilly, 2005; ISBN: 0596009496).
Add Roles to ASP.NET Accounts
Authentication is the process of identifying a user; authorization is the process of deciding which parts of your application that user can see and interact with. The forms-based security controls and database that comes with Visual Basic 2005 allows you to set authorization for specific users based on their being assigned to a role (such as guest, member, manager, etc). You do so in three steps: create the roles, assign permissions to each role, and then assign users to the roles. Any given user may be in more than one role (e.g., administrator and manager). The permissions you assign to each role may determine access to a page, or may change the content of a given page displayed to members of that role.
Create a New Application with Roles
To demonstrate how to create roles and assign users to those roles, you’ll need to create a new application, ASPSecurityRoles. Begin by copying over the web site you used in the previous exercise (FormBasedSecurity), as shown in Figure 12-21.
Figure 12-21. Copy web site
Set Welcome as the Start page and run the program to make sure you can still log in. Open the WAT and click on the Security tab. In the second column (Roles), you’ll see that roles are not enabled. Click on Enable Roles, as shown in Figure 12-22.
Figure 12-22. Enabling roles in WAT
Open Web.config and you’ll see that the WAT has updated it to add roles management:
<system.web>
<roleManager enabled="true" />
<authentication mode="Forms"/ >
<membership defaultProvider="AspNetSqlMembershipProvider"/>
<compilation debug="true"/>
</system.web>
Depending on how your machine is set up and which database you are using, you may or may not have thedefaultProviderentry in yourWeb.config.
Once roles have been created, use the WAT to create your first Role: Manager (it is helpful to have an initial role and a user in that role so that you can have in your code a test to ensure that only Managers, for example, can create new roles or add users to roles).
What you actually call that role—manager, adminstrator, tsar—is entirely up to you.
Under Add/Remove users, click the Manage link and navigate to one of your users (e.g., jliberty) and click the User Is In Role box to add that user to the role, as shown in Figure 12-23.
Using the LoginView’s smart tag, click on Edit Templates and edit the Logged In Template. Add three hyperlinks to the Logged In Template on the Welcome page, as shown in Figure 12-24. Set the NavigateURL to ChangePW.aspx, CreateAccount. aspx, and ManageRoles.aspx, respectively. Be sure to click on End Template Editing when you are done.
Create the ChangePW.aspx page and drag aChangePasswordcontrol onto the page. Use the smart tag to format theChangePassword control, as shown in Figure 12-25.
Set theContinueDestinationPageURLproperty to Login.aspx, and on Login.aspx make sure theContinueDestinationPageURLof the Login control is set to Welcome.aspx. You may also want to confirm or change the Success Text as well as the other text fields (ChangePasswordTitleText,ChangePasswordFailureText, etc.)
Figure 12-23. Adding users to roles in WAT
Figure 12-24. End Template Editing of Logged In Template
Figure 12-25. ChangePassword control
Create the ManageRoles.aspx page. This new page has a somewhat complex layout since it must display the list of roles and the list of users supported by your site, as well as which users have been assigned which roles. The page is shown in Figure 12-26, and the controls are listed in Table 12-1.
Figure 12-26. ManageRoles.aspx
Table 12-1. Controls in ManageRoles.aspx
Control name | Control type | Attributes |
linkHome | Hyperlink | Inner HTML: Home Page NavigateURL= "Welcome.aspx" |
Msg | Label | |
RolesListBox | ListBox | Autopostback=true |
UsersListBox | ListBox | Autopostback=true |
btnAddUsersToRole | Button | Add User(s) to Role OnClick="AddUsers_OnClick" |
btnCreateRole | Button | Create new Role |
| | OnClick="CreateRole_OnClick" |
pnlCreateRole | Panel | Visible="False" |
Label2 | Label | New Role: |
txtNewRole | TextBox | |
btnAddRole | Button | Text="Add" |
| | OnClick="btnAddRole_Click" |
UsersInRoleGrid | GridView | |
TheUsersInRoleGrid should look like Example 12-2.
Example 12-2. UserInRoleGrid source
<asp:GridView runat="server" CellPadding="4" id="UsersInRoleGrid"
AutoGenerateColumns="false" Gridlines="None"
CellSpacing="0"
OnRowCommand="UsersInRoleGrid_RemoveFromRole">
<HeaderStyle BackColor="navy" ForeColor="white" />
<Columns>
<asp:TemplateField HeaderText="User Name">
<ItemTemplate>
<%# Container.DataItem.ToString() %>
</ItemTemplate>
</asp:TemplateField>
<asp:ButtonField Text="Remove From Role" ButtonType="Link" />
</Columns>
</asp:GridView>
All of these controls should be laid out in a table, with the text inserted into columns as well. The finished page is shown in Example 12-3.
Example 12-3. Manage Role Page source
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="ManageRoles.aspx.vb" Inherits="ManageRoles_aspx" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/ xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Manage Roles</title>
</head>
<body>
<form id="form1" runat="server">
<h3>Role Membership
<asp:HyperLink ID="linkHome" Runat="server" NavigateUrl="Welcome.aspx">
Home page
</asp:HyperLink>
</h3>
<asp:Label id="Msg" ForeColor="maroon" runat="server" /><BR>
<table CellPadding="3" border="0">
<tr>
<td valign="top">Roles:</td>
<td valign="top" style="width: 186px">
<asp:ListBox id="RolesListBox"
runat="server" Rows="8" AutoPostBack="True" />
</td>
<td valign="top">Users:</td>
<td valign="top">
<asp:ListBox id="UsersListBox" DataTextField="Username"
Rows="8" SelectionMode="Multiple" runat="server" />
</td>
<td valign="top" visible="false">
<table>
<tr>
<td>
<asp:Button Text="Add User(s) to Role" id="btnAddUsersToRole"
runat="server" OnClick="AddUsers_OnClick" />
</td>
</tr>
<tr>
<td>
<asp:Button Text="Create new Role" id="btnCreateRole"
runat="server" OnClick="CreateRole_OnClick"
Width="170px" Height="24px" />
</td>
</tr>
<tr>
<td>
<asp:Panel ID="pnlCreateRole" Runat="server" Width="259px"
Height="79px" Visible="False" BackColor="#E0E0E0">
<br />
<asp:Label ID="Label2" Runat="server" Text="New Role:"
Width="72px" Height="19px"/>
<asp:TextBox ID="txtNewRole" Runat="server"/> <br />
<br />
<asp:Button ID="btnAddRole" Runat="server"
Text="Add" OnClick="btnAddRole_Click"
Width="64px" Height="24px" /><br />
</asp:Panel>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td valign="top">Users In Role:</td>
<td valign="top" style="width: 186px">
<asp:GridView runat="server" CellPadding="4" id="UsersInRoleGrid"
AutoGenerateColumns="false" Gridlines="None"
CellSpacing="0"
OnRowCommand= "UsersInRoleGrid_RemoveFromRole">
<HeaderStyle BackColor="navy" ForeColor="white" />
<Columns>
<asp:TemplateField HeaderText="User Name">
<ItemTemplate>
<%# Container.DataItem.ToString() %>
</ItemTemplate>
</asp:TemplateField>
<asp:ButtonField Text="Remove From Role" ButtonType="Link"
/>
</Columns>
</asp:GridView>
</td>
</tr>
</table>
</form>
</body>
</html>
This page is not designed to be pretty, just useful. It is based on a demonstration .aspx page provided by Microsoft.
The code-behind page must implement five event handlers:
- Page_Load
- AddUsers_OnClick(adding users to roles)
- UsersInRoleGrid_RemoveFromRole(removing users from roles)
- CreateRole_OnClick(opening panel to create a new role)
- btnAddRole_Click(adding new role)
Your class will declare three member variables:
- A string array namedrolesArray
- A string array namedusersInRole
- An instance ofMembershipUserCollectionnamedusers
TheMembershipUserCollection is defined by the Framework to holdMembershipUserobjects (surprise!). AMembershipUserobject, in turn, is defined by the Framework to represent a single user in the membership data store (in this case, the tables created in SqlServerExpress). This class exposes information about the user such as the user’s email address, and methods such as those needed to change or reset the user’s password.
Here’s how the code works. The first step is to override thePage_Loadevent handler, as shown in Example 12-4.
Example 12-4. Page_Load
Protected Sub Page_Load(_
ByVal sender As Object, _
ByVal e As System.EventArgs) Handles Me.Load
If User.IsInRole("Manager") = False Then
Response.Redirect("NoPrivs.aspx")
End If
Msg.Text = String.Empty
If Not IsPostBack Then
rolesArray = Roles.GetAllRoles()
RolesListBox.DataSource = rolesArray
RolesListBox.DataBind()
users = Membership.GetAllUsers()
UsersListBox.DataSource = users
UsersListBox.DataBind()
End If
If (RolesListBox.SelectedItem IsNot Nothing) Then
usersInRole = Roles.GetUsersInRole(RolesListBox.SelectedItem.Value)
UsersInRoleGrid.DataSource = usersInRole
UsersInRoleGrid.DataBind()
End If
End Sub
First check that the current user is a manager. If he is, a redirect to an error page:
If User.IsInRole("Manager") = False Then
Response.Redirect("NoPrivs.aspx")
End If
If this is the first time you are displaying the page, get the rolls and bind them to the list box, then get all the users and bind that collection to the Users List Box:
If Not IsPostBack Then
rolesArray = Roles.GetAllRoles()
RolesListBox.DataSource = rolesArray
RolesListBox.DataBind()
users = Membership.GetAllUsers()
UsersListBox.DataSource = users
UsersListBox.DataBind()
End If
If there is a selected item in the Roles List Box, get the list of users who are in that role and bind the list to the users in Roll Grid:
If (RolesListBox.SelectedItem IsNot Nothing) Then
usersInRole = Roles.GetUsersInRole(RolesListBox.SelectedItem.Value)
UsersInRoleGrid.DataSource = usersInRole
UsersInRoleGrid.DataBind()
End If
Step 2 is to implement theAddUsers_OnClickevent handler, as shown in Example 12-5.
Example 12-5. AddUsers_OnClick handler
Protected Sub AddUsers_OnClick( _
ByVal sender As Object, _
ByVal e As System.EventArgs) Handles btnAddUsersToRole.Click
' A role must be selected
If RolesListBox.SelectedItem Is Nothing Then
Msg.Text = "Please select a role."
Exit Sub
End If
' At least one user must be selected
If UsersListBox.SelectedItem Is Nothing Then
Msg.Text = "Please select one or more users."
Exit Sub
End If
' Create list of users to be added to the selected role
Dim sizeOfArray As Integer = UsersListBox.GetSelectedIndices.Length
Dim newUsers(sizeOfArray - 1) As String
'For i As Integer = 0 To newusers.Length - 1
' newusers(i) = _
' UsersListBox.Items( _
' UsersListBox.GetSelectedIndices()(i)).Value
'Next
For i As Integer = 0 To newUsers.Length - 1
' get the array of selected indices from the (multiselect) list box
Dim selectedIndices As Integer() = UsersListBox.GetSelectedIndices()
' get the selectedIndex that corresponds to the counter (i)
Dim selectedIndex As Integer = selectedIndices(i)
' get the ListItem in the UserListBox Items collection at that offset
Dim myListItem As ListItem = UsersListBox.Items(selectedIndex)
' get the string that is that ListItem's value property
Dim newUser As String = myListItem.Value
' add that string to the newUsers collection of string
newUsers(i) = newUser
Next
' Add users to the selected role
Roles.AddUsersToRole(newUsers, RolesListBox.SelectedItem.Value)
usersInRole = Roles.GetUsersInRole(RolesListBox.SelectedItem.Value)
UsersInRoleGrid.DataSource = usersInRole
UsersInRoleGrid.DataBind()
End Sub
First, check to make sure that a role has been selected:
If RolesListBox.SelectedItem Is Nothing Then
Msg.Text = "Please select a role."
Exit Sub
End If
At least one user should be selected:
If UsersListBox.SelectedItem Is Nothing Then
Msg.Text = "Please select one or more users."
Exit Sub
End If
Create an array to hold the users to be added:
Dim sizeOfArray As Integer = UsersListBox.GetSelectedIndices.Length
Dim newusers(sizeOfArray - 1) As String
Iterate through the users, retrieving each selected user’s name:
For i As Integer = 0 To newusers.Length - 1
newusers(i) = _
UsersListBox.Items( _
UsersListBox.GetSelectedIndices()(i)).Value
Next
This statement is pretty complicated. The best way to understand it is to rewrite it using interim variables, like this:
For i As Integer = 0 To newUsers.Length - 1
' get the array of selected indices from the (multiselect) list box
Dim selectedIndices As Integer() = UsersListBox.GetSelectedIndices()
' get the particular selectedIndex that corresponds to the counter (i)
Dim selectedIndex As Integer = selectedIndices(i)
' get the ListItem in the UserListBox Items collection at that offset
Dim myListItem As ListItem = UsersListBox.Items(selectedIndex)
' get the string that is that ListItem's value property
Dim newUser As String = myListItem.Value
' add that string to the newUsers collection of string
newUsers(i) = newUser
Next
The advantage of the interim variables is that you can set break points on them and see what their value is, and you can more easily document the code. The disadvantage is minimal, but many programmers (especially those from the “C” culture!) still prefer the terser version.
Next, call the staticAddUsersToRole on theRolesclass, passing in the array of user-names, and the role you want these users added to. Rebind the users who are in that role to theUsersInRoleGrid:
Roles.AddUsersToRole(newUsers, RolesListBox.SelectedItem.Value)
usersInRole = Roles.GetUsersInRole(RolesListBox.SelectedItem.Value)
UsersInRoleGrid.DataSource = usersInRole
UsersInRoleGrid.DataBind()
As noted earlier, step 3 is to implementUsersInRoleGrid_RemoveFromRoleas shown in Example 12-6.
Example 12-6. UsersInRoleGrid_RemoveFromRole
Protected Sub UsersInRoleGrid_RemoveFromRole( _
ByVal sender As Object, _
ByVal e As System.Web.UI.WebControls. GridViewCommandEventArgs) _
Handles UsersInRoleGrid.RowCommand
' get the user to remove
Dim index As Integer = Convert.ToInt32(e.CommandArgument)
Dim username As String = _
CType(UsersInRoleGrid.Rows(index).Cells(0).Controls(0), _
DataBoundLiteralControl).Text
' remove the user
Roles.RemoveUserFromRole(username, RolesListBox.SelectedItem.Value)
' Rebind the users in role to Gridview
usersInRole = Roles.GetUsersInRole(RolesListBox.SelectedItem.Value)
UsersInRoleGrid.DataSource = usersInRole
UsersInRoleGrid.DataBind()
End Sub
Step 4 is to add the CreateRole_OnClickevent handler, which makes the CreateRole panel visible, as shown in Example 12-7.
Example 12-7. CreateRole button Click event handler
Protected Sub CreateRole_OnClick( _
ByVal sender As Object, _
ByVal e As System.EventArgs) Handles btnCreateRole.Click
pnlCreateRole.Visible = True
End Sub
The purpose of this is to present the panel, which contains a text box for the user to enter a new role and an Add button, as shown in Figure 12-27.
Figure 12-27. Create new role
Finally, implement thebtnAddRole_Clickevent handler, shown in Example 12-8.
Example 12-8. AddRole button Click event handler
Protected Sub btnAddRole_Click( _
ByVal sender As Object, _
ByVal e As System.EventArgs) Handles btnAddRole.Click
If txtNewRole.Text.Length > 0 Then
Dim newRole As String = txtNewRole.Text
' if the role does not already exist, add it
' rebind the roles list box
If Roles.RoleExists(newRole) = False Then
Roles.CreateRole(newRole)
rolesArray = Roles.GetAllRoles()
RolesListBox.DataSource = rolesArray
RolesListBox.DataBind()
End If
End If
txtNewRole.Text = String.Empty
pnlCreateRole.Visible = False
End Sub
Check to make sure there is text in the NewRole text box, and then check to make sure the role does not exist. If it does not, create the new role using the Shared CreateRole method of the Roles class, provided by the Framework.
You do not need an instance ofRolesto callCreateRole becauseCreateRole is Shared.
Get all the roles by calling the Shared methodGetAllRolesand store the roles in the member arrayrolesArray, to which you bind the list box. When the role is added, the text box is cleared and the panel is made invisible.
Run the application and click on Manage Roles to add a couple of roles. Next, click on a role (to highlight it) and highlight one or more users; then click Add User(s) to Role. The results are shown in Figure 12-28.
Figure 12-28. Adding users to roles
Add each user to one or more roles.
Next: Restricting Access to Pages Based on Roles >>
More Visual Basic.NET Articles
More By O'Reilly Media
|
 This article is excerpted from chapter 12 of the book Programming Visual Basic 2005, written by Jesse Liberty (O'Reilly, 2005; ISBN: 0596009496). Check it out today at your favorite bookstore. Buy this book now.
|
|
