ASP.NET Roles and Membership

Question

I am quite new to ASP.NET technologies

<configuration>
    <system.web>
      <authorization>
        <allow roles="Agency,Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
</configuration>

I have the above web.config for a folder, there is a requirement to give an elevated priviledge to some users in Agency role to access a page called AddOrganisation.aspx. To solve this, I think I can add the following markup to the web.config but this will be static

<location path="AddOrganization.aspx">
    <system.web>
      <authorization>
        <allow users="wale, etc, etc"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

How can I enable adding users programmatically instead of updating the web.config for each change?

I will be grateful for your responses. Thank you

Answer 1

You should not make changes the web config at runtime, this will restart your application, every time you add a user. MSDN says this

Configuration Changes Cause a Restart of the Application Domain

Changes to configuration settings in Web.config files indirectly cause the application domain to restart. This behavior occurs by design. You can optionally use the configSource attribute to reference external configuration files that do not cause a restart when a change is made. For more information, see configSource in General Attributes Inherited by Section Elements.

Instead you should give those users a different role, so that only those users can access the "AddOrganisation.aspx" page.

Or else you can also do another thing if you dont want to create another role for these users. You keep on adding these users to a table and whenever a request is made to the page you can check if the users name is present in the table or not and then allow/deny the user.