Question

OK, I have scoured this site as well as others looking for answers to no avail.

Our new website comes with an Administrative section that allows all members access to certain pages within this admin section.

However, only 3 are allowed access to all pages.

I am attempting to use the login page to get all users to the Administrative section with a menu of items of interest.

Our goal is that when users get to this section, and click on an item they are not authorized to view, they be redirected back to the welcome page.

A better option, of course, is a message that says, "you are not authorized to view this page".

Is there a link or sample code I could modify to assist me with this task?

The code I have below isn't working.

It directs me to the Admin section just fine. Then on the page_load event of every link, I would use session to attempt to restrict users.

Example:

    If Session("Admin") <> True Then
        Response.Redirect("home.aspx")
    End If

but it isn't restricting anyone from viewing any of the links listed on the screen.

Sub CmdLogin_Click(ByVal Sender As Object, ByVal E As EventArgs) Handles CmdLogin.Click

    Dim StrUser As String, StrPass As String
    Dim BValid As Boolean
    Dim Conn As OleDbConnection
    Dim Cmd As OleDbCommand
    Dim rs As OleDbDataReader
    Dim StrSQL As String

    ' We will request all variables from our form with this.
    'Protect against SQL Injection
    StrUser = Replace(txtUser.Text, "'", "''", 1, -1, 1)
    StrPass = Replace(txtPass.Text, "'", "''", 1, -1, 1)

    ' This is our boolean variable for validation purposes set to true if valid user
    BValid = False

    ' Initialize Database Connection
    Conn = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;data source=" & Server.MapPath("App_Data\Members.mdb"))
    ' Create Select Command
    StrSQL = "SELECT Access_Level, myEmail,UserPassword FROM tblUsers WHERE myEmail='" & StrUser & "' AND UserPassword = '" & StrPass & "'"
    'Response.Write(StrSQL)
    'Response.End()
    Cmd = New OleDbCommand(StrSQL, Conn)

    Conn.Open()

    rs = Cmd.ExecuteReader()

    ' This acts like the (Not RecordSource.Eof) in ASP 3.0
    While rs.Read()
        If rs("Access_Level") = "1" Or rs("Access_Level") = "2" Then
            Session("Admin") = True
            Response.Redirect("admin.aspx")
            'Response.Write(StrPass)
            'Response.End()
            Dim redirectTo As String = Trim(Session("RedirectTo"))
            BValid = True
        Else
        End If
    End While

    ' Don't forget this
    Conn.Close()

    ' This handles all response per validation
    ' If validated it goes to admin.aspx page
    If BValid = True Then
        Session("userid") = StrUser
        Dim redirectTo As String = Trim(Session("RedirectTo"))
        If redirectTo <> "" Then
            Response.Redirect(redirectTo)
        Else  'They just got in without trying to go to a restricted page
            Response.Redirect("admin.aspx")
        End If
    ElseIf BValid = False Then
        lblError.Text = "Login failed: Please try again."
    End If
End Sub

Any assistance is greatly appreciated.


Solution

You don't need the gymnastics you are trying to do here. Consider using membership, roles and built-in .NET functionality to limit access to specific folders/pages.

Please take a look at one of my posts how this can be done with ease:

How to restrict unlogged unauthorized users from viewing web pages
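
A sketch of the built-in approach the answer refers to, added here as an example and not taken from the answer or its linked post. The folder names `Admin` and `Admin/FullAccess`, the role name `FullAdmin` and the `login.aspx` login page are assumptions, and it assumes a role provider is configured so that the three full-access users carry that role:

```xml
<?xml version="1.0"?>
<!-- Added example: web.config at the site root (names are hypothetical). -->
<configuration>
  <system.web>
    <!-- Forms authentication: requests that fail authorization are sent
         to loginUrl with the requested page in the ReturnUrl query string. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" defaultUrl="admin.aspx" timeout="30" />
    </authentication>

    <!-- Roles come from the configured role provider (assumption:
         one is set up and returns "FullAdmin" for the three users). -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Every page under Admin/ requires a signed-in member.
       "?" means anonymous users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Pages under Admin/FullAccess/ are limited to the FullAdmin role.
       Rules are evaluated top to bottom and the first match wins,
       so the allow must come before the catch-all deny. -->
  <location path="Admin/FullAccess">
    <system.web>
      <authorization>
        <allow roles="FullAdmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With these rules the check runs in the ASP.NET pipeline before any page code, so no per-page `Session` test is needed. A signed-in member who lacks the role is also sent to `loginUrl`, which makes the login page the place to show a "not authorized" message when the request is already authenticated.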

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow