MvcSiteMapProvider shows all menuitems even when the user isn't authorized for the action

Question

I'm trying to configure MvcSiteMapProvider into my project and the MvcSiteMapProvider_SecurityTrimmingEnabled parameter doesn't seem to work. The keylines of my project are :

• Visual Studio 2013
• ASP.Net MVC4
• Unity IoC container
• SimpleMembership Provider
• MvcSiteMapProvider was installed through NuGet
• MvcSiteMapProvider_SecurityTrimmingEnabled set to true

When I run the project, every menu is shown, even if the user is not authenticated or is not authorized for the action.

How can I get it to work?

Answer 1

As per the documentation, all configuration must be provided by the DI configuration when using an external DI container. This is primarily due to the fact that when using external DI, the multiplicity of many of the settings could change depending on how it is configured.

So, in other words, MvcSiteMapProvider_SecurityTrimmingEnabled in web.config/appSettings will have no effect when using external DI.

To supply this setting, you need to use the /DI/Unity/ContainerExtensions/MvcSiteMapProviderContainerExtension.cs file (the module). Near the top of the file, there is a variable called securityTrimmingEnabled that needs to be set to true to enable security trimming.

bool securityTrimmingEnabled = true;

You can change this file as needed to inject your own implementation of any of the interfaces or to disable many of the built-in features that don't make sense for your application.