CodeCharge Studio

Your Task Management system is now almost complete, except for one possibly important feature: security.
Currently everyone can modify and delete any of the tasks. You may want to limit the access so that only the employee assigned to a task can update that task. There are many ways of accomplishing this, and we will examine several of them.
Replace the placeholder comment in the event (// Write your own code here. in C#, or ' Write your own code here. in VB.NET) with the code below:
C#:

    if(Request.QueryString["task_id"] != null)
    {
        // task_id is present only in update/delete mode; IntegerField parses it
        // as an integer, so only a number is ever placed in the SQL statement
        IntegerField task_id = new IntegerField("", Request.QueryString["task_id"]);
        SqlCommand taskCmd = new SqlCommand("SELECT user_id_assign_to FROM " + "tasks WHERE task_id=" +
            task_id.GetFormattedValue(), Settings.IntranetDBDataAccessObject);
        // ExecuteScalar returns null when no task has this id; treat that as "not assigned to me"
        object result = taskCmd.ExecuteScalar();
        int assignedUserId = (result == null || result == DBNull.Value) ? -1 : Convert.ToInt32(result);
        // DBUtility.UserId is the id of the currently logged-in user
        if(int.Parse(DBUtility.UserId.ToString()) != assignedUserId)
        {
            tasksHolder.Visible = false;
            // Response.Redirect("tasks_list.aspx");
            // tasksOperations.AllowUpdate = false;
            // tasksOperations.AllowDelete = false;
        }
    }
VB.NET:

    If Request.QueryString("task_id") <> "" Then
        ' task_id is present only in update/delete mode; IntegerField parses it
        ' as an integer, so only a number is ever placed in the SQL statement
        Dim task_id As IntegerField = New IntegerField("", Request.QueryString("task_id"))
        Dim taskCmd As SqlCommand = New SqlCommand("SELECT user_id_assign_to FROM " & "tasks WHERE task_id=" & _
            task_id.GetFormattedValue(), Settings.IntranetDBDataAccessObject)
        ' ExecuteScalar returns Nothing when no task has this id; treat that as "not assigned to me"
        Dim result As Object = taskCmd.ExecuteScalar()
        Dim assignedUserId As Integer = -1
        If Not result Is Nothing AndAlso Not result Is DBNull.Value Then assignedUserId = Convert.ToInt32(result)
        ' DBUtility.UserId is the id of the currently logged-in user
        If Convert.ToInt32(DBUtility.UserId) <> assignedUserId Then
            tasksHolder.Visible = False
            ' Response.Redirect("tasks_list.aspx")
            ' tasksOperations.AllowUpdate = False
            ' tasksOperations.AllowDelete = False
        End If
    End If
The above code allows you to test three methods of implementing record security: hiding the record form, redirecting the user to another page, and disabling the update and delete operations. All three share the same check. First, test for the presence of the query string variable task_id, which indicates that the record form is in update or delete mode; the goal is to restrict users to viewing and modifying only the tasks assigned to them. Because no task_id is present in insert mode, the if block also ensures that all users can still create new tasks. The task_id value is wrapped in an IntegerField so that an integer, not the raw query string, is placed in the SQL statement, and the task's assigned user is compared with DBUtility.UserId, the identity of the currently logged-in user.

The first method hides the form. You can hide any form on a page by assigning false to the Visible property of the table holding the record form. You can test this by inserting the above code into the event, switching to Live Page mode, and trying to modify a task that is not assigned to you; you should see an empty page (with just the header). Although such functionality may not be very useful on its own, it shows how you can hide forms on a page. You may consider adding another record form to your page that is not updateable and has just Label fields showing the task information. Once you have two forms on the page, you can hide each form programmatically using mutually exclusive criteria, so that the assigned employee sees the editable form and everyone else sees the read-only one.
The second method redirects the user to another page. You can implement and test it by slightly modifying the above code as shown below:
C#:

    if(Request.QueryString["task_id"] != null)
    {
        IntegerField task_id = new IntegerField("", Request.QueryString["task_id"]);
        SqlCommand taskCmd = new SqlCommand("SELECT user_id_assign_to FROM " + "tasks WHERE task_id=" +
            task_id.GetFormattedValue(), Settings.IntranetDBDataAccessObject);
        // ExecuteScalar returns null when no task has this id
        object result = taskCmd.ExecuteScalar();
        int assignedUserId = (result == null || result == DBNull.Value) ? -1 : Convert.ToInt32(result);
        if(int.Parse(DBUtility.UserId.ToString()) != assignedUserId)
        {
            // tasksHolder.Visible = false;
            // Send the user back to the task list instead of showing the form
            Response.Redirect("tasks_list.aspx");
            // tasksOperations.AllowUpdate = false;
            // tasksOperations.AllowDelete = false;
        }
    }
VB.NET:

    If Request.QueryString("task_id") <> "" Then
        Dim task_id As IntegerField = New IntegerField("", Request.QueryString("task_id"))
        Dim taskCmd As SqlCommand = New SqlCommand("SELECT user_id_assign_to FROM " & "tasks WHERE task_id=" & _
            task_id.GetFormattedValue(), Settings.IntranetDBDataAccessObject)
        ' ExecuteScalar returns Nothing when no task has this id
        Dim result As Object = taskCmd.ExecuteScalar()
        Dim assignedUserId As Integer = -1
        If Not result Is Nothing AndAlso Not result Is DBNull.Value Then assignedUserId = Convert.ToInt32(result)
        If Convert.ToInt32(DBUtility.UserId) <> assignedUserId Then
            ' tasksHolder.Visible = False
            ' Send the user back to the task list instead of showing the form
            Response.Redirect("tasks_list.aspx")
            ' tasksOperations.AllowUpdate = False
            ' tasksOperations.AllowDelete = False
        End If
    End If
The above code shows that you should comment out the previously active line and uncomment the line that starts with Response.Redirect. The Redirect method of the Response object sends the user to a new page: you pass the destination page to the Redirect method and the browser is automatically redirected there. Test this functionality by modifying the code as shown, then switch to Live Page mode and try to modify a task that is not assigned to you; you should land on the task list instead of the form.
The third method leaves the form visible but disables the update and delete operations themselves. You can implement and test it by slightly modifying the above code as shown below:
C#:

    if(Request.QueryString["task_id"] != null)
    {
        IntegerField task_id = new IntegerField("", Request.QueryString["task_id"]);
        SqlCommand taskCmd = new SqlCommand("SELECT user_id_assign_to FROM " + "tasks WHERE task_id=" +
            task_id.GetFormattedValue(), Settings.IntranetDBDataAccessObject);
        // ExecuteScalar returns null when no task has this id
        object result = taskCmd.ExecuteScalar();
        int assignedUserId = (result == null || result == DBNull.Value) ? -1 : Convert.ToInt32(result);
        if(int.Parse(DBUtility.UserId.ToString()) != assignedUserId)
        {
            // tasksHolder.Visible = false;
            // Response.Redirect("tasks_list.aspx");
            // Block the update and delete operations for anyone but the assigned user
            tasksOperations.AllowUpdate = false;
            tasksOperations.AllowDelete = false;
        }
    }
VB.NET:

    If Request.QueryString("task_id") <> "" Then
        Dim task_id As IntegerField = New IntegerField("", Request.QueryString("task_id"))
        Dim taskCmd As SqlCommand = New SqlCommand("SELECT user_id_assign_to FROM " & "tasks WHERE task_id=" & _
            task_id.GetFormattedValue(), Settings.IntranetDBDataAccessObject)
        ' ExecuteScalar returns Nothing when no task has this id
        Dim result As Object = taskCmd.ExecuteScalar()
        Dim assignedUserId As Integer = -1
        If Not result Is Nothing AndAlso Not result Is DBNull.Value Then assignedUserId = Convert.ToInt32(result)
        If Convert.ToInt32(DBUtility.UserId) <> assignedUserId Then
            ' tasksHolder.Visible = False
            ' Response.Redirect("tasks_list.aspx")
            ' Block the update and delete operations for anyone but the assigned user
            tasksOperations.AllowUpdate = False
            tasksOperations.AllowDelete = False
        End If
    End If
This code shows how you can manipulate the AllowUpdate and AllowDelete properties of a record form's operations (tasksOperations in the code above). These properties control whether the record update and delete operations execute: if a property is set to false, the corresponding operation is not executed, regardless of what the browser submits. Unlike hiding the form, which only affects what is rendered, this check is enforced by the server at the moment the operation runs, which makes it the most robust of the three methods.
These properties also control the visibility of the Update and Delete buttons on the page, so a user who is not assigned to the task sees the task details but cannot change them.
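The ownership check that all three methods share, written here as an added example rather than CodeCharge Studio's own code: it factors the lookup out of the event handler so it can be unit-tested against constructed data, parses task_id before it goes anywhere near SQL, and gives the "task does not exist" and "id is not a number" cases explicit outcomes instead of an exception. The table and column names (tasks, task_id, user_id_assign_to) come from the tutorial; the class name TaskOwnershipCheck, the RecordAccess enum, the connectionString argument and the sample data are assumptions made for this example, and the database lookup uses plain ADO.NET System.Data.SqlClient rather than the CodeCharge SqlCommand wrapper.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Outcome of the per-record check; the page maps Deny to Visible = false,
// Response.Redirect, or AllowUpdate/AllowDelete = false as the tutorial shows.
public enum RecordAccess { Allow, Deny, NotFound, BadRequest }

public sealed class TaskOwnershipCheck
{
    // Returns the user assigned to a task, or null when the task does not exist.
    // Injected so the same check runs against the real table or against test data.
    private readonly Func<int, int?> _lookupAssignee;

    public TaskOwnershipCheck(Func<int, int?> lookupAssignee)
    {
        _lookupAssignee = lookupAssignee;
    }

    // rawTaskId is the untrusted query-string value; currentUserId is the
    // logged-in user's id as the application knows it (DBUtility.UserId in the tutorial).
    // Insert mode (no task_id at all) is decided by the caller, not here.
    public RecordAccess Check(string rawTaskId, int currentUserId)
    {
        int taskId;
        if (!int.TryParse(rawTaskId, out taskId) || taskId <= 0)
            return RecordAccess.BadRequest;   // anything non-numeric never reaches SQL

        int? assignedUserId = _lookupAssignee(taskId);
        if (assignedUserId == null)
            return RecordAccess.NotFound;     // the query returned no row

        return assignedUserId.Value == currentUserId ? RecordAccess.Allow : RecordAccess.Deny;
    }

    // Production lookup against the tutorial's tasks table, with the id bound
    // as a parameter instead of concatenated. connectionString is assumed to
    // be supplied by the host application.
    public static int? ExecuteAssigneeLookup(string connectionString, int taskId)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT user_id_assign_to FROM tasks WHERE task_id = @task_id", conn))
        {
            cmd.Parameters.Add("@task_id", SqlDbType.Int).Value = taskId;
            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;                  // no such task
            return Convert.ToInt32(result);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data standing in for the tasks table:
        // task 1 is assigned to user 10, task 2 to user 20.
        var tasks = new Dictionary<int, int> { { 1, 10 }, { 2, 20 } };
        var check = new TaskOwnershipCheck(id => tasks.ContainsKey(id) ? tasks[id] : (int?)null);

        Console.WriteLine(check.Check("1", 10));    // the assigned employee
        Console.WriteLine(check.Check("1", 20));    // a different employee
        Console.WriteLine(check.Check("9", 10));    // a task that does not exist
        Console.WriteLine(check.Check("abc", 10));  // a task_id that is not a number
        Console.WriteLine(check.Check("", 10));     // an empty task_id
    }
}
```

In the page's event handler the call would be `check.Check(Request.QueryString["task_id"], Convert.ToInt32(DBUtility.UserId))`, made only when task_id is present, with the lookup delegate wired to `ExecuteAssigneeLookup`. Treating NotFound and BadRequest separately from Deny lets the page answer a malformed or stale link with a redirect to the list while still logging it differently from a genuine attempt to edit someone else's task.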
Next: Conclusion