LyncEssecyNes
New Member
I have searched Google & SO posts, but could not get any results that solved my issue. My web.config is: \[code\]<location path="~/reports/PayPeriodQtrReport.aspx, ~/reports/PayPeriodDetailReport.aspx"> <system.web> <authorization> <allow roles="PayrollReports"/> <deny users="*"/> </authorization> </system.web></location><location path="~/reports/ManifestAnnualReport.aspx, ~/reports/ManifestDetailedReport.aspx"> <system.web> <authorization> <allow roles="ManifestReports"/> <deny users="*"/> </authorization> </system.web></location> \[/code\]The authorization works as required (meaning a person with "PayrollReports" role, is not able to see the Manifest Reports in the menu item and a person with "ManifestReports" role is not able to see the Payroll Reports in the menu item). Problem:
As a user with "PayrollReports" role, I can type into my url \[code\]http:\\mysite.com\reports\ManifestDetailedReport.aspx\[/code\] and the page shows up. What should be displayed is unauthorizedaccess.aspx Similarly, as a user with "ManifestReports" role, I can type into my url \[code\]http:\\mysite.com\reports\PayPeriodQtrReport.aspx\[/code\] and the page shows up. What should be displayed is unauthorizedaccess.aspx Question:Using web.config, how can I prevent a user from hacking into the page by typing in the url?
As a user with "PayrollReports" role, I can type into my url \[code\]http:\\mysite.com\reports\ManifestDetailedReport.aspx\[/code\] and the page shows up. What should be displayed is unauthorizedaccess.aspx Similarly, as a user with "ManifestReports" role, I can type into my url \[code\]http:\\mysite.com\reports\PayPeriodQtrReport.aspx\[/code\] and the page shows up. What should be displayed is unauthorizedaccess.aspx Question:Using web.config, how can I prevent a user from hacking into the page by typing in the url?