SiteMapNodeInfo roles used for?

Topics: Web Client Software Factory, Project Management Forum, UIP Application Block discussion, User Forum
Sep 5, 2007 at 10:01 PM
I don't see how the SiteMapNodeInfo roles are being used. When i set the roles and have a user access a node that is not in the role the node still show? Does anyone know how to implement this and if so some background to how it works?

I cannot find good documentation on how to implement this. All documentation refers to using the the AddNode method with rules and then implementing the IAuthorizationService with rules. Why use Rules instead of Roles?

Microsoft.Practices.CompositeWeb.SiteMapNodeInfo(other params here, roles As IList)

siteMapBuilderService.AddNode(node, rules);
Sep 7, 2007 at 9:03 PM
anybody know what the roles are for and what if you have sitemapnodeinfo roles defined with addnode rules???????
Sep 7, 2007 at 10:20 PM
I don't know for sure, but it is my understanding that roles are used in conjunction with SecurityTrimming, which is done by the clients that consume the SiteMap (like Menu, etc.).

Do you have SecurityTrimming enabled, and you're still seeing nodes show up that the user doesn't belong to the appropriate role to be able to see?

As to your question about why use rules instead of roles, that's a good question. It seems to me they are using rules as a crutch in some ways because everything MS and P&P are doing is so reliant on defining everything in the config file (which I hate). Instead of "hard-coding" role-to-page relationships in web.config, they've abstracted it one level by injecting rules in the middle there. So you "hard-code" your rule in the config file, then set up role-to-rule relationships elsewhere. This allows you to combine some things, like having multiple pages require the same rule, so you only have to attach one rule to the role(s) you want to access it, which is an advantage, I guess. But it sure seems like it would be easier to just do this all from the database. I've posted about this elsewhere, so I'll just leave it at that.
Sep 10, 2007 at 8:54 PM
Edited Sep 10, 2007 at 8:55 PM
I said that wrong, didn't I? You set up role-to-rule relationships in web.config, and then hard-code rule restrictions in pages.

The thing I don't understand is trying to use rules to control page-access security, which the reference implementation does, I believe.

It seems to me roles should be relied upon for page-access security, and then rules used only for page-functionality security.