How to restrict ASP.NET permissions per page or per directory (code access security per page or per directory)
-
05-07-2019 - |
Question
This is the scenario:
-Hosted web application.
-Application trust level is full trust, because of external components.
-Customer should be able to customize some web pages.
I thought about using an html template that they can modify. But it is not flexible enough. For example if there is logic things get messy and difficult: if user is logged in render this way, if we are in that page render this part differently, etc, etc. I end up creating a new scripting language, customers won’t like it.
I would like to use an aspx page that they can modify. The problem is that they can write any code in the aspx page, access the file system, etc.
Questions:
-Is there a way in ASP.NET to restrict certain directory or web page permissions (i.e. code access security per page or per directory)?
-Any other suggestions for implementing secure customizable web pages?
Solution
Do not do this.
No matter what you do, there will be security issues. Give them a template only, and you process that yourself. As far as I'm concerned, a wiki markup like Markdown is quite acceptable.