Workflow

A dedicated “Status” field in a database table is a simple and easy to implement method of separating “draft” and “committed” data. For example, orders stored in a database will be explicitly marked with a status of “Committed” if no changes are allowed to them. Orders still being composed will be marked with a status of “Draft”. The application must ignore draft data and have it visible only on the order entry page.

Adding the “Status” Column

Start SQL Server Management Studio. In the Object Explorer, right-click on Databases / Northwind and press New Query.

Paste in the following script to add the table column and mark all existing orders as “Committed”.

alter table Orders
add Status nvarchar(50) default 'Draft'
go

update Orders
set Status = 'Committed'
go

On the toolbar, press Execute to run the query.

Controlling Display of Draft Orders

Start the web application generator. Select the project name and click Settings. Press Business Logic Layer and enable shared business rules. Click Finish and regenerate the project.

Start the Project Designer. In the Project Explorer, switch to the Controllers tab. Right-click on Orders controller node, and press Edit Handler in Visual Studio.

The shared business rule file will open in Visual Studio. Replace the file with the following code:

C#:

using System;
using System.Data;
using System.Collections.Generic;
using System.Linq;
using MyCompany.Data;

namespace MyCompany.Rules
{
    public partial class SharedBusinessRules : MyCompany.Data.BusinessRules
    {
        
        public SharedBusinessRules()
        {
        }

        protected override void EnumerateDynamicAccessControlRules(string controllerName)
        {
            if (Context.Request.UrlReferrer != null)
            {
                if (Context.Request.UrlReferrer.ToString().ToLower().Contains("orderform.aspx"))
                    RegisterAccessControlRule("OrderID", 
                        "select OrderID from Orders where Status = 'Draft'", 
                        AccessPermission.Allow);
                else
                    RegisterAccessControlRule("OrderID", 
                        "select OrderID from Orders where Status = 'Committed'", 
                        AccessPermission.Allow);
            }
        }
    }
}

Visual Basic:

Imports MyCompany.Data
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Linq

Namespace MyCompany.Rules

    Partial Public Class SharedBusinessRules
        Inherits MyCompany.Data.BusinessRules

        Public Sub New()
            MyBase.New()
        End Sub

        Protected Overrides Sub EnumerateDynamicAccessControlRules(controllerName As String)
            If Context.Request.UrlReferrer <> Nothing Then
                If Context.Request.UrlReferrer.ToString().ToLower().Contains("orderform.aspx") Then
                    RegisterAccessControlRule("OrderID",
                                            "select OrderID from Orders where Status = 'Draft'",
                                            AccessPermission.Allow)
                Else
                    RegisterAccessControlRule("OrderID",
                                            "select OrderID from Orders where Status = 'Committed'",
                                            AccessPermission.Allow)
                End If
            End If
        End Sub
    End Class
End Namespace

The implementation will conditionally register a dynamic access control rule that will apply to a view of any data controller with an OrderID data field. If the user is interacting with an application page ~/Pages/OrderForm.aspx, then only data that matches orders with a status of “Draft” is allowed. Otherwise, only data that matches orders with a status of “Committed” is included in the returned data set.

Adding “Submit Order” Action

In the Project Explorer, right-click on Orders / Actions / ag2 (Form) node, and press New Action.

Assign the following values:

Press OK to save the action. Drop Orders / Actions / ag2 (Form) / a101 – Custom, SubmitOrder | Submit Order node on the left side of a100 – Report | Order Report to place it first.

Adding Business Rule

Right-click on Orders / Business Rules node, and press New Business Rule.

Assign these values:

update Orders
set Status = 'Committed'
where OrderID = @OrderID

set @Result_NavigateUrl = 'OrderForm.aspx'

The business rule will set Status column of the selected order to “Committed” and refresh the page loaded in the web browser. Press OK to save.

Testing the Results

On the toolbar, press Browse. Navigate to the Order Form page. Create a new order and return to the grid. Note that only a single draft order is listed.

Navigate to the Orders page. Note that the all of the orders are displayed except for the draft order.

The draft order will also not be visible in any data controllers based on database views if they relate to orders. For example, page Reports | Order Subtotals will not display the new order. The dynamic access control rule explained above filters the order out.

Go back to the Order Form page, and select the draft order. Click on the “Submit Order” button.

The browser will refresh the page and display an empty list of orders.

The order will now be displayed on Orders page.

It will also be displayed on Order Subtotals page that can be found under the Reports option in the application navigation menu.

Internet web applications require an integrated user management. Anonymous users are denied access to protected site pages. Registered users may see a subset of protected pages that depends on user roles.

About ASP.NET Membership

Microsoft ASP.NET Membership is a powerful pre-packaged option for user and role management available to developers. With little effort a set of required tables and stored procedures can be installed in an application or a standalone database. ASP.NET membership providers are a native part of the security framework of Microsoft.NET. Many database vendors include custom implementations of ASP.NET membership providers with their software.

It takes only a few clicks to integrate ASP.NET Membership in a web app using Project Wizard.

A requirement to maintain “alien” tables and stored procedure in the application database causes some developers to embark on  a path to develop custom membership and role providers for a project. This is not a trivial effort - cutting corners is not recommended.

A table with a list of users is frequently a centerpiece  in many databases and creates another incentive to build a custom membership provider.

Sample Custom Membership Configuration

Code On Time web application generator can produce integrated membership and role providers straight from the application database tables.

Consider the Northwind sample web application. The database table Employees is a perfect example of a source of user identities.

An application can treat the Last Name as a “User Name” and Extension as a “Password”.

Here is the list of employees.

Start creating a new Northwind project.

As you go through the steps of the project wizard, pause on the page Authentication and Membership. Select option “Enable custom membership and role providers.”

Enter the following in the configuration box.

table Users=Employees
column [int|uiid] UserID = EmployeeID
column [text] UserName = LastName
column [text] Password = Extension

role Administrators = Fuller
role Users = *

option Create Standard User Accounts = false
option Password Format = Clear

The configuration of membership and role providers maps the columns of the physical table Employees to logical table Users. Application generator will use the the logical table mapping when creating the source code of the providers.

The configuration also defines two roles – Administrators  and Users. A minimal custom membership implementation does not require a physical table to hold a list of user roles.  This simple declaration states that the user with the last name of Fuller is the “administrator”. It also declares that all employees are “users”.

The automatically generated implementation of providers will try to register two standard user accounts “admin” and “user”. Option “Create Standard User Accounts” is set to “false” to prevent that.

The provider implementation will also try to “hash” the passwords for added security. The employee phone extensions are stored in a “clear” format. Therefore the “Password Format” option disables “hashing”.

Complete the application configuration and activate Project Designer. Using Project Explorer, select page Users and enter Administrators in Roles property, click OK button to save the page configuration. This will ensure that only an administrator can access the page.

Generate the app and login as Davolio with password 5467 when prompted.

Page Employees will not be visible in the site menu.

Log out and sign in as Fuller / 3457 to manage employees on Employees page.

Users, Roles, and User Roles

The example above will have to be extended when dynamic roles are required.

Consider these database tables.

The following configuration of custom membership and role providers will be sufficient to equip a web application with dynamic users and roles.

table Users=Users
column [int|uiid] UserID = UserID
column [text] UserName = UserName
column [text] Password = Password

table Roles=Roles
column [int|uiid] RoleID = RoleID
column [text] RoleName = RoleName

table UserRoles=UserRoles
column [int|uiid] UserID = UserID
column [int|uiid] RoleID = RoleID

Select the project name on the start page of the app generator, choose Authentication and Membership, proceed to modify the configuration of custom membership and role providers. Generate the application and sign in with one of the standard user accounts – admin/admin123% or user/user123%.

Tables Users, Roles, and UserRoles provide a foundation for the integrated security system of the web application.