I’m currently converting our company database application from VB to ASP.NET. This is pretty much my first ASP.NET application, and I had a question about security. I would like some users to have the ability to add or edit data, while other users can only view and print reports. Now, as I understand it, in ASP.NET, I can use form-based authentication to restrict access to certain pages, but what I really would like to do is use the same web page for not only viewing the data, but also editing it (using a grid view). I don’t see how I can do that using forms-based authentication without having separate (but similar) web pages in different folders, each with it’s own level of security.
I guess I could always use the same web page, then check the users roles to determine if I should enable the ‘edit’ button or not. Is that a good (and common) programming practice?
Thanks
Checking the role membership is an accepted way of doing it. Do not however just check when you display the button, check during the response to the event it triggers as well, just in case someone tries to bypass event validation.