
ASP.NET security

I'm currently converting our company database application from VB to ASP.NET. This is pretty much my first ASP.NET application, and I had a question about security. I would like some users to have the ability to add or edit data, while other users can only view and print reports. Now, as I understand it, in ASP.NET, I can use form-based authentication to restrict access to certain pages, but what I really would like to do is use the same web page for not only viewing the data, but also editing it (using a grid view). I don't see how I can do that using forms-based authentication without having separate (but similar) web pages in different folders, each with its own level of security.

I guess I could always use the same web page, then check the users roles to determine if I should enable the 'edit' button or not. Is that a good (and common) programming practice?

Thanks


Checking the role membership is an accepted way of doing it. Do not however just check when you display the button, check during the response to the event it triggers as well, just in case someone tries to bypass event validation.


User.IsInRole() is what you need. As mentioned, check this at each step - users can fake any kind of HTTP response, so every server-side method needs security checks.

Don't just check whether to enable it or not... You must also check it when the edit button is clicked.
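The two answers above describe the same pattern: decide at render time whether the edit controls appear, and repeat the role check inside the postback handler, because the client can submit the postback whether or not the button was rendered. The following Web Forms code-behind is an added example (not from the original question or any answer) that does both with User.IsInRole(). It assumes a hypothetical "DataEditor" role that exists in whatever RoleProvider the site has configured, a constructed in-memory DataTable as the data source, and an .aspx page containing `<asp:GridView ID="DataGrid" runat="server" DataKeyNames="Id" OnRowEditing="DataGrid_RowEditing" OnRowUpdating="DataGrid_RowUpdating" OnRowCancelingEdit="DataGrid_RowCancelingEdit" />`.

```csharp
// Added example, not code from the original post. One page serves everyone;
// the "DataEditor" role (assumed name) is checked when rendering AND on postback.
using System;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Reports : Page
{
    // Assumed role name; it must exist in the configured RoleProvider.
    private const string EditorRole = "DataEditor";

    // User.IsInRole consults the configured RoleProvider (e.g. SqlRoleProvider).
    private bool CanEdit
    {
        get { return User.Identity.IsAuthenticated && User.IsInRole(EditorRole); }
    }

    // Constructed sample data held in Session so the example runs without a database.
    private DataTable ReportTable
    {
        get
        {
            var table = Session["Reports"] as DataTable;
            if (table == null)
            {
                table = new DataTable();
                table.Columns.Add("Id", typeof(int));
                table.Columns.Add("Title", typeof(string));
                table.PrimaryKey = new[] { table.Columns["Id"] };
                table.Rows.Add(1, "Q1 sales");
                table.Rows.Add(2, "Q2 sales");
                Session["Reports"] = table;
            }
            return table;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Render-time check: only editors get the built-in Edit/Update/Cancel column.
        DataGrid.AutoGenerateEditButton = CanEdit;
        if (!IsPostBack)
        {
            BindGrid();
        }
    }

    // Postback-time check, independent of what was rendered. A forged postback
    // from a non-editor reaches this handler and is rejected here.
    private void RequireEditor()
    {
        if (!CanEdit)
        {
            throw new HttpException(403, "Editing requires the " + EditorRole + " role.");
        }
    }

    protected void DataGrid_RowEditing(object sender, GridViewEditEventArgs e)
    {
        RequireEditor();
        DataGrid.EditIndex = e.NewEditIndex;
        BindGrid();
    }

    protected void DataGrid_RowUpdating(object sender, GridViewUpdateEventArgs e)
    {
        RequireEditor();
        // Locate the row by the GridView's DataKey and apply the edited value.
        var id = Convert.ToInt32(e.Keys["Id"]);
        var row = ReportTable.Rows.Find(id);
        if (row != null)
        {
            row["Title"] = Convert.ToString(e.NewValues["Title"]);
        }
        DataGrid.EditIndex = -1;
        BindGrid();
    }

    protected void DataGrid_RowCancelingEdit(object sender, GridViewCancelEditEventArgs e)
    {
        DataGrid.EditIndex = -1;
        BindGrid();
    }

    private void BindGrid()
    {
        DataGrid.DataSource = ReportTable;
        DataGrid.DataBind();
    }
}
```

RequireEditor() is what turns a tampered postback into a 403 instead of a silent data change; hiding the edit column in Page_Load is only a usability measure. The same pattern applies to any other control whose visibility depends on a role: the handler it posts back to must repeat the check.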


I would implement my own custom RoleProvider (MSDN Article). And then have different roles that describe the different access levels on your application, and like blowdart said check when buttons, panels are being displayed whether the user has access or not to that resource.

Can I recommend using SQL Profiler (or similar) to monitor the database when you are testing the page, if you are using one? You'll be surprised the amount of calls the db gets for a seemingly trivial page load.

Also, please check security trimmings in ASP.NET. Worth having a look.

Cheers.

