NOTE
This and other code snippets in this section are small extracts from the markup and code-behind files of the dynamic page templates. Please refer to the sample source code accompanying this topic for complete details.
By overriding the OnPreInit method, you inject the code into one of the earliest stages of processing a page request. This code relies on the built-in DynamicDataRouteHandler helper class to get a MetaTable object based on the dynamic URL of the page request. This sample project uses Forms authentication, and if the CanInsert method returns false, this code redirects users to the login page specified in the application's Web.config file.
Figure 14.5 shows how this looks. Notice the ReturnUrl parameter in the address bar of the web browser. This allows the authorized users to provide their credentials and get back to the page they wanted to access. Otherwise, they will not be able to get past the login page. With Windows authentication, you can redirect them to another page of the web application or simply return the HTTP error code 403 Forbidden and let IIS serve the error page configured for it.
FIGURE 14.5 Login page displayed instead of products Insert page.
NOTE
After redirecting the unauthorized user to the login page, the code calls the End method of the page's Response object. This immediately terminates processing of the page request and prevents any other methods or event handlers in this page from executing. This is important from both a security and a performance standpoint; when you know the user is not authorized to access a particular page, you don't want to let the request consume any additional server resources (memory, CPU, or I/O bandwidth).
The Edit page template is slightly more complex. Because it generates web pages that allow users to edit existing records, it needs to verify that users have not only the update permission for the given entity type, but also the read permission. Otherwise, an inconsistency in authorization rules could allow someone to read entity information by manually typing URLs for the dynamic Edit pages, even if they cannot access the List and Details pages.
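The following code-behind is an added example, not the book's sample code: it puts the OnPreInit check described above into a shared base class so that the Insert page requires only the insert permission while the Edit page requires both read and update. The CanInsert, CanRead and CanUpdate methods on MetaTable are assumed to be extension methods supplied by the sample project; DynamicDataRouteHandler.GetRequestMetaTable, FormsAuthentication.IsEnabled and FormsAuthentication.RedirectToLoginPage are standard ASP.NET APIs.

```csharp
using System;
using System.Web.DynamicData;
using System.Web.Security;
using System.Web.UI;

// Shared base for the dynamic page templates: runs the authorization check in
// OnPreInit, before any control is created or any data is bound.
public abstract class AuthorizedDynamicPage : Page
{
    // Each template states which permissions it needs for the requested table.
    protected abstract bool IsAuthorized(MetaTable table);

    protected override void OnPreInit(EventArgs e)
    {
        base.OnPreInit(e);
        // Resolve the MetaTable from the dynamic route of the current request.
        MetaTable table = DynamicDataRouteHandler.GetRequestMetaTable(Context);
        // Fail closed: an unresolved table or a missing permission both deny.
        if (table != null && IsAuthorized(table))
        {
            return;
        }

        if (FormsAuthentication.IsEnabled)
        {
            // Redirects to the loginUrl from Web.config and appends ReturnUrl.
            FormsAuthentication.RedirectToLoginPage();
        }
        else
        {
            // Windows authentication: let IIS serve its configured 403 page.
            Response.StatusCode = 403;
        }
        // Stop processing immediately so no later event handler on this page runs.
        Response.End();
    }
}

// Insert page: only the insert permission is required.
// CanInsert is assumed to be an extension method from the sample project.
public partial class Insert : AuthorizedDynamicPage
{
    protected override bool IsAuthorized(MetaTable table) { return table.CanInsert(); }
}

// Edit page: it displays current values, so read AND update are both required.
// CanRead and CanUpdate are assumed extension methods from the sample project.
public partial class Edit : AuthorizedDynamicPage
{
    protected override bool IsAuthorized(MetaTable table) { return table.CanRead() && table.CanUpdate(); }
}
```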