New Suggestion for Roles Delete/Update

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

7/30/2011 12:58:28 PM
Total Posts 92
No, I have not changed. Until deep old age...

New Suggestion for Roles Delete/Update

Dear Joe,

I suggest making the following changes, so we can prevent Administrators from deleting / updating "our own" needed roles. Sometimes we need to create our own roles that we would like to keep.

The changes would be as follows:

1. Adding a key in web.config:

    <add key="DoNotAllowToDeleteUserRoles" value="MyFisrstRole;MySecondRole;MyThirdRole" />

2. Changing the stored procedures:

7/30/2011 1:23:12 PM
Total Posts 92
No, I have not changed. Until deep old age...

Re: New Suggestion for Roles Delete/Update

Sorry, here is the rest:

CREATE PROCEDURE mp_Roles_Delete

@RoleID int,
@UserRoles nvarchar(1000)

AS

DELETE FROM mp_Roles
WHERE RoleID = @RoleID
AND RoleName <> 'Admins'
AND RoleName <> 'Content Administrators'
AND RoleName <> 'Authenticated Users'
AND RoleName <> 'Role Admins'
AND @UserRoles  -- intended to splice in the extra filter built from web.config; note a parameter is bound as a value, not as SQL text

3. In mojoPortal.Data.MSSQL:

public static bool Delete(int roleId, string userRoles)
{
    // Two parameters now: the role id and the concatenated role filter.
    SqlParameterHelper sph = new SqlParameterHelper(GetConnectionString(), "mp_Roles_Delete", 2);
    sph.DefineSqlParameter("@RoleID", SqlDbType.Int, ParameterDirection.Input, roleId);
    sph.DefineSqlParameter("@UserRoles", SqlDbType.NVarChar, 1000, ParameterDirection.Input, userRoles);
    int rowsAffected = sph.ExecuteNonQuery();
    return (rowsAffected > -1);
}


Where that string can be empty or a string built from the web.config key values:

( AND RoleName <> 'MyFisrstRole'
AND RoleName <> 'MySecondRole'
AND RoleName <> 'MyThirdRole' )

4. Also in Business:

public static bool DeleteRole(int roleId, string userRoles)
{
    return DBRoles.Delete(roleId, userRoles);
}

5. And finally in RoleManager.aspx:

case "delete":
    string userRoles = string.Empty;
    string protectedRoles = ConfigurationManager.AppSettings["DoNotAllowToDeleteUserRoles"];
    // A missing key returns null, so test for null or empty instead of comparing to string.Empty.
    if (!string.IsNullOrEmpty(protectedRoles))
    {
        string[] roles = protectedRoles.Split(';');
        foreach (string r in roles)
        {
            // Builds the extra filter as SQL text (with surrounding spaces) rather than as bound values.
            userRoles += " AND RoleName <> '" + r + "'";
        }
    }

    Role.DeleteRole(roleID, userRoles);

    rolesList.EditItemIndex = -1;
    BindRoleList();
    break;


Thank you, just a suggestion.

7/31/2011 7:03:57 AM
Total Posts 18439

Re: New Suggestion for Roles Delete/Update

Hi Ghalib,

I've implemented the ability to define roles that cannot be deleted from the UI in this change set, so it is in the repository now. You can see my implementation by viewing the change set.

Note that I implemented it in a simpler way that works with all supported databases and does not require any SQL changes.

Also I want to point out that your approach of concatenating a SQL fragment and passing it in as a parameter is something I would avoid doing. While in this case it would not be dangerous because you were concatenating values from the config file and not user input, if someone uses a similar pattern with user input they would be writing code that is vulnerable to SQL injection. So I would not want code examples like that in mojoPortal because others might copy that pattern and use it in more dangerous scenarios. In general, use of parameters protects us from SQL injection attacks, but that is only true in the case where we are comparing a parameter to another value like a column value or another parameter. The way you used it in your example is not protected by the use of parameters, but it's the kind of thing where someone might incorrectly think it was safe since they used a parameter.

Best,

Joe
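Joe's point above, as an added example that is not mojoPortal code: Python with sqlite3 standing in for SQL Server, and a constructed mp_Roles table. A bound parameter is a value, so a SQL fragment passed that way is compared against RoleName rather than executed, while the config-driven protected-role list can be bound safely as one placeholder per name.

```python
import sqlite3

# Constructed sample rows standing in for mojoPortal's mp_Roles table (not real site data).
SAMPLE_ROLES = [(1, "Admins"), (2, "Content Administrators"), (3, "Authenticated Users"),
                (4, "Role Admins"), (5, "MyFirstRole"), (6, "Editors")]
# The four roles the posted stored procedure already refuses to delete.
BUILT_IN_ROLES = ("Admins", "Content Administrators", "Authenticated Users", "Role Admins")


def parse_protected_roles(setting):
    """Split the semicolon-separated web.config value; a missing key (None) means no extra roles."""
    return [r.strip() for r in (setting or "").split(";") if r.strip()]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mp_Roles (RoleID INTEGER PRIMARY KEY, RoleName TEXT NOT NULL)")
    conn.executemany("INSERT INTO mp_Roles VALUES (?, ?)", SAMPLE_ROLES)
    return conn


def delete_role_fragment_as_parameter(conn, role_id, fragment):
    """The thread's pattern: a ready-made SQL fragment bound as a parameter.
    The driver binds it as a single string VALUE, so RoleName is compared
    against the literal fragment text; the fragment is never parsed as SQL
    and therefore protects nothing. Returns the number of rows deleted."""
    cur = conn.execute("DELETE FROM mp_Roles WHERE RoleID = ? AND RoleName <> ?",
                       (role_id, fragment))
    return cur.rowcount


def delete_role(conn, role_id, protected_roles):
    """Parameters used as intended: every protected name is its own bound value,
    and only the placeholder list (just '?' and ',') is built dynamically."""
    names = list(BUILT_IN_ROLES) + list(protected_roles)
    placeholders = ",".join("?" * len(names))
    sql = f"DELETE FROM mp_Roles WHERE RoleID = ? AND RoleName NOT IN ({placeholders})"
    cur = conn.execute(sql, (role_id, *names))
    return cur.rowcount


if __name__ == "__main__":
    protected = parse_protected_roles("MyFirstRole;MySecondRole;MyThirdRole")
    conn = make_db()
    print(delete_role(conn, 5, protected))  # 0: MyFirstRole is protected
    print(delete_role(conn, 6, protected))  # 1: Editors is deletable
    print(delete_role_fragment_as_parameter(make_db(), 5, "AND RoleName <> 'MyFirstRole'"))  # 1: not protected
```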

7/31/2011 9:27:01 AM
Total Posts 92
No, I have not changed. Until deep old age...

Re: New Suggestion for Roles Delete/Update

Thank you Joe,

You are always one step forward, enlightened.

I am familiar with SQL injection, but it was a try.

Thank you

7/31/2011 10:16:46 AM
Total Posts 92
No, I have not changed. Until deep old age...

Re: New Suggestion for Roles Delete/Update

Joe, you implemented it, but you are not implementing it now. Why did you throw it away?

I looked at the sources and did not find it in the current versions!

Such a great feature!

7/31/2011 10:28:38 AM
Total Posts 18439

Re: New Suggestion for Roles Delete/Update

It's in the repository; you must not have the latest code from the repository. You need to pull the changes and then do HG update to apply them to your working copy.

Hope that helps,

Joe

8/4/2011 3:13:39 AM
Total Posts 92
No, I have not changed. Until deep old age...

Re: New Suggestion for Roles Delete/Update

Oh, thank you, I will do it.

you are the best :)
