
Grant access to special forms only to admins

I have created a small app with login and an MS Access DB. In the table "Users" I have a field "IsHeAdmin" (a yes/no field): checked if yes, otherwise not checked.

Now, some forms in the application are meant to be shown only to administrators (those with the yes/no field checked).

What is the best way to check if a user is an administrator or not?

EDIT:

Is there some way to check this with an SQL command? For example, something like: SELECT * FROM Users WHERE Username=current_logged_username AND IsHeAdmin = 'Yes'. If yes, grant access; else msgbox "access denied".


I recommend using the built-in feature IPrincipal.IsInRole(role).

A sample simple implementation:

using System.Collections.Generic;
using System.Security.Principal;

class User : IPrincipal
{
    // simplest variant: a single flag
    private readonly bool isAdmin;
    // or better: a set of role names (HashSet<string> to speed up lookup)
    private readonly HashSet<string> roles = new HashSet<string>();

    public User(string name)
    {
        Identity = new GenericIdentity(name);
        // fetch and fill isAdmin / roles from db
    }

    // required by IPrincipal: who the user is
    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        // single-flag variant:
        // return role == "admin" && this.isAdmin;
        // or better:
        return this.roles.Contains(role);
    }
}

Usage:

var user = new User("Joe");
if (user.IsInRole("admin"))
{
    // do stuff
}
else
{
    throw new SecurityException("Insufficient rights"); // System.Security
}

You can also hard-code a role matrix:

using System;
using System.Security;
using System.Threading;
using System.Windows.Forms;

[Access(Roles.Administrator)]
class AdminForm : BaseForm { }

abstract class BaseForm : Form
{
    protected override void OnLoad(EventArgs e)
    {
        CheckAccess(); // check current user against attribute of form

        base.OnLoad(e);
    }

    private void CheckAccess()
    {
        // read the role the form declares with [Access(...)];
        // a form without the attribute is open to everyone
        var access = (AccessAttribute)Attribute.GetCustomAttribute(GetType(), typeof(AccessAttribute));
        // role names must match those the current principal reports from IsInRole
        if (access != null && !Thread.CurrentPrincipal.IsInRole(access.Role.ToString()))
            throw new SecurityException("Insufficient rights");
    }
}

enum Roles
{
   Administrator,
   User
}

[AttributeUsage(AttributeTargets.Class)]
class AccessAttribute : Attribute
{
    public Roles Role { get; private set; }
    public AccessAttribute(Roles role) { Role = role; }
}

using System.Data.SqlClient;

class User
{
    private readonly string connectionString; // e.g. read from app config
    private bool? isAdmin;

    public string Name { get; private set; }

    public User(string name, string connectionString)
    {
        Name = name;
        this.connectionString = connectionString;
    }

    public bool IsAdmin
    {
        get
        {
            if (!isAdmin.HasValue) // better to move to a private static method
            {
                bool b = false;
                using (SqlConnection connection = new SqlConnection(connectionString))
                using (SqlCommand command = connection.CreateCommand())
                {
                    // parameterised, so the user name cannot alter the query text
                    command.CommandText = "select IsHeAdmin from Users where Name = @UserName";
                    command.Parameters.AddWithValue("@UserName", this.Name);
                    connection.Open();
                    b = command.ExecuteScalar() as bool? ?? false; // if null then false, otherwise assign the value
                }
                isAdmin = b;
            }
            return isAdmin.Value;
        }
    }
}
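As an added example (not code from the original answers), the same IPrincipal approach tied to the Access database in the question: a parameterised OleDb lookup of IsHeAdmin wrapped in a GenericPrincipal, and a base form that checks the role in OnLoad. The connection string, the column name Username and the WinForms base class are assumptions.

```csharp
using System;
using System.Data.OleDb;
using System.Security;
using System.Security.Principal;
using System.Threading;
using System.Windows.Forms;

static class UserStore
{
    // Assumed location of the Access file (constructed for this example).
    const string ConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=app.accdb";

    // Called once after a successful login; returns null when no row matches the name.
    public static IPrincipal Load(string userName)
    {
        using (var connection = new OleDbConnection(ConnectionString))
        using (var command = connection.CreateCommand())
        {
            // OleDb uses positional '?' parameters: the name never becomes SQL text.
            command.CommandText = "SELECT IsHeAdmin FROM Users WHERE Username = ?";
            command.Parameters.AddWithValue("?", userName);
            connection.Open();
            object result = command.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null; // unknown user: no roles at all
            // An Access yes/no column comes back as a bool (Yes = true).
            string[] roles = Convert.ToBoolean(result)
                ? new[] { "user", "admin" }
                : new[] { "user" };
            return new GenericPrincipal(new GenericIdentity(userName), roles);
        }
    }
}

// Admin-only forms derive from this and name the role they require; the check
// runs before the form's content is shown, against the principal set at login.
class RoleProtectedForm : Form
{
    readonly string requiredRole;
    protected RoleProtectedForm(string role) { requiredRole = role; }

    protected override void OnLoad(EventArgs e)
    {
        // After login the app does: Thread.CurrentPrincipal = UserStore.Load(name);
        IPrincipal user = Thread.CurrentPrincipal;
        if (user == null || !user.IsInRole(requiredRole))
            throw new SecurityException("Insufficient rights");
        base.OnLoad(e);
    }
}
```

The lookup runs once per login, so a later change to IsHeAdmin in the table takes effect only after the user logs in again.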


What I would do in this situation: I just disable the buttons/menu items that open the admin forms when a user logs in and is not an admin. Then you only need to check whether the user is an admin once, at login time.


When the user logs in, you retrieve the User object from the database. As long as he is logged in, you keep that object somewhere visible. This object has an IsHeAdmin property, based on the column in the database. When the user tries to open such a window, you check that property and either show the window or not. Even better would be if the button (or whatever) that opens the window were disabled for non-admins.

This has the disadvantage that when a user becomes an admin, or stops being an admin, he has to log in again for the change to take effect.

But don't forget that if this is the only protection you have, and you are, for example, showing some sensitive data from the database in the forms, even non-admins will be able to retrieve the same data using ordinary SQL queries in something like SQL Server Management Studio.
