1
votes

I am using MvcSiteMapProvider, v4.6.1.

This is my issue: I have a section of my menu that is visible only to Administrators. I achieve this by enabling security trimming and decorating my controllers and/or controller methods to define the trimming criteria.

AdminTasks

  • Add
  • Edit
  • Remove

What I need to do is to make the "AdminTasks" node non-clickable, but still visible only to administrators.

The behavior I am observing is that, if I mark "AdminTasks" as clickable="false" in the sitemap, the node shows for everyone, regardless of whether the user is an admin or not. It seems that for nodes marked clickable='false' there is no security trimming performed.

It is my assumption, without exploring the code too much, that when the node is marked clickable='false', SiteMapProvider doesn't attempt to resolve any route (since it is not needed anyway for navigation purposes); but in doing so, it doesn't inspect the decorations in the controllers, therefore skipping security trimming.

Is my assumption correct? Is there any way to have a non-clickable node that still is security trimmed?

Thanks

1 Answer

3
votes

Non-clickable "grouping" nodes don't represent a controller action, so there would be no reasonable way to control security on them using AuthorizeAttribute.

However, you can use the TrimEmptyGroupingNodesVisibilityProvider to make a non-clickable node invisible when there are no accessible nodes nested within it. Therefore, if the current user doesn't have permission for any of the children of the "Admin Tasks" node, the "Admin Tasks" node will be hidden.

<mvcSiteMapNode title="Admin Tasks" clickable="false" visibilityProvider="MvcSiteMapProvider.TrimEmptyGroupingNodesVisibilityProvider, MvcSiteMapProvider">

If you have a more complex scenario than this, you could also build your own visibility provider.
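
A sketch of such a custom visibility provider, added here as an illustration and not taken from the answer or from the MvcSiteMapProvider project. The namespace, the class name and the `requiredRoles` custom node attribute are assumptions; the provider hides a grouping node unless the current user is in one of the listed roles, and fails closed when the restriction cannot be evaluated.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using MvcSiteMapProvider;

namespace MyApp.Navigation // hypothetical namespace
{
    // Hides a node unless the current user is in one of the roles listed in
    // the node's custom "requiredRoles" attribute (assumed attribute name).
    public class RoleGroupingVisibilityProvider : SiteMapNodeVisibilityProviderBase
    {
        private const string RolesKey = "requiredRoles"; // assumed custom attribute

        public override bool IsVisible(ISiteMapNode node, IDictionary<string, object> sourceMetadata)
        {
            // No restriction declared on this node: leave it visible.
            if (!node.Attributes.ContainsKey(RolesKey))
            {
                return true;
            }

            // Parse a comma-separated role list, e.g. "Administrator,Auditor".
            var roles = Convert.ToString(node.Attributes[RolesKey])
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                .Select(r => r.Trim())
                .Where(r => r.Length > 0)
                .ToArray();

            // Fail closed: a restriction was declared but is empty, or there is
            // no authenticated user on the current request.
            var user = HttpContext.Current != null ? HttpContext.Current.User : null;
            if (roles.Length == 0 || user == null || user.Identity == null
                || !user.Identity.IsAuthenticated)
            {
                return false;
            }

            return roles.Any(role => user.IsInRole(role));
        }
    }
}
```

With these assumed names, the grouping node would carry `visibilityProvider="MyApp.Navigation.RoleGroupingVisibilityProvider, MyApp"` and `requiredRoles="Administrator"` alongside `clickable="false"`. The provider only controls whether the menu entry is rendered; access to the Add, Edit and Remove actions is still enforced by the AuthorizeAttribute on the controllers.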