How can I assign a userid stored in a SQL table as a Session var?

Status
Not open for further replies.

mimitan

Technical User
Dec 17, 2004
34
Hi all,
I have a page that captures the userid and assigns it to session("currentuserid"). This current user can only update records in a SQL Billing table whose UserAllow id field matches session("currentuserid"). Now my question is: how can I assign the UserAllow id to a session("UserAllow") so I can do a comparison like If session("currentuserid") = session("UserAllow") Then...
Is a Dataset the only way to do that? Thanks for the help
 
You'll have to be more clear in your explanation. Do you have the value of "UserAllow", or is this in the DB and you need to assign it to a session variable?
 
you shouldn't need session("UserAllow") since this is specific to an order.

there are 2 options for comparing the current user id to the records in the billing table.
1. use the current user id in the sql statement
Code:
select * from table where [some predicate] and user_id = @user
-- set @user to the current user id
2. get the billing instance and compare the user in code. if they cannot view it, either throw a security exception or return a null billing object.
Code:
IBilling b = GetBillingBy(id);
if(b.IsVisibleTo(currentUser))
{
   return b;
}
return NullBilling.Instance;

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
Sorry for the confusion. Let me try again. I have a SQL db table named Billing like this:
Account#  Address  UserAllow
--------  -------  ------------
9873546   XYZ      domain\johns
7585747   RST      domain\maryf

Now let's say John opens the page Update.aspx. He has to log on, his id is domain\johns, and it is assigned to session("currentuserid"). The table Billing is displayed in a GridView. When John tries to select and update the record with Account# 7585747, he will get a message "Can not update others' record". That is why I was trying to have the If session("currentuserid") = session("UserAllow") (how to assign it to a session var from SQL?) then allow the user to update, else show an error message. I hope this is more clear. Thanks for the help
 
you don't need to assign userallow to a session variable.
1st, have the grid view only display billing records that the current user can view.
2nd, when the user navigates to the "edit billing" page, append the currentuserid to the sql statement. if the record count comes back 0, return the user to the "grid" page.

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
Thanks Jason for your help.
Sorry, I did not understand your 2nd step well. You mean to pass currentuserid as a parameter to SQL, right? But what do you mean by "if the record count comes back 0, return the user to the grid page"? Please can you give me a quick example? I am very new to SQL and ASP.NET programming. Thanks for the help
 
I would recommend the tutorials at You wouldn't jump in the pool if you don't know how to swim:) programming is no different.

yes, the current user id should be part of the sql statement. when selecting records (either for readonly or editing) pass the current user id as a parameter to limit the results returned. the sql would look like this
Code:
select [list fields explicitly] from billing where allowuser=@user order by [fields]
this will not prevent people from navigating to the record directly to edit it. on this page, domain/editbilling.aspx?id=a_number, you will need to select the record from the database.
Code:
select [list fields explicitly] from billing where id=@id and allowuser=@user
if the reader returns zero results, send the user back to the list of billings page. (you may log that the user attempted to access the record too.)

One recommendation I cannot emphasize enough is: Do not use sql/access/object datasources. They make debugging data access problems nearly impossible because you cannot step through the code, much less run unit tests.


Jason Meckley
Programmer
Specialty Bakers, Inc.
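The two-step approach Jason describes in this thread (filter the grid by the current user, then re-check id plus user on the edit page and bounce the user when zero rows come back) as a runnable added example. This is not code from the thread or from Tek-Tips; it uses Python with an in-memory SQLite database instead of ASP.NET and SQL Server, assumes the Billing table has an integer id column (the thread only shows Account#, Address and UserAllow), and uses constructed sample rows matching the ones in the question. It also carries the ownership predicate into the UPDATE itself, so a user who reaches the edit page with someone else's id still cannot change the row.

```python
import sqlite3

# Constructed sample data mirroring the thread's Billing table.
# The integer id column is an assumption; the thread never shows one.
BILLING_ROWS = [
    (1, "9873546", "XYZ", r"domain\johns"),
    (2, "7585747", "RST", r"domain\maryf"),
]


def build_db():
    """Create the in-memory Billing table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table billing ("
        "id integer primary key, account text, address text, userallow text)"
    )
    conn.executemany("insert into billing values (?, ?, ?, ?)", BILLING_ROWS)
    conn.commit()
    return conn


def list_billing_for_user(conn, current_user):
    """Step 1: the grid query. The current user is a bound parameter,
    so the grid only ever shows rows the user is allowed to see."""
    return conn.execute(
        "select id, account, address from billing "
        "where userallow = ? order by account",
        (current_user,),
    ).fetchall()


def load_billing_for_edit(conn, billing_id, current_user, attempts):
    """Step 2: the edit-page query. Both id AND user are in the predicate.
    Zero rows means 'not yours': record the attempt and return None so the
    caller can redirect back to the grid page."""
    row = conn.execute(
        "select id, account, address from billing "
        "where id = ? and userallow = ?",
        (billing_id, current_user),
    ).fetchone()
    if row is None:
        # The thread suggests logging the attempt; here it goes to a list
        # so the outcome can be checked, but a real app would write a log.
        attempts.append((current_user, billing_id))
    return row


def update_billing_address(conn, billing_id, current_user, new_address):
    """The UPDATE repeats the ownership predicate, so a forged ?id= in the
    URL cannot change another user's row even if the page check were
    skipped. Returns the number of rows changed (0 = not owner)."""
    cur = conn.execute(
        "update billing set address = ? where id = ? and userallow = ?",
        (new_address, billing_id, current_user),
    )
    conn.commit()
    return cur.rowcount


def address_of(conn, billing_id):
    """Helper used to confirm whether an update actually took effect."""
    return conn.execute(
        "select address from billing where id = ?", (billing_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    john = r"domain\johns"
    log = []
    print("grid for john:", list_billing_for_user(db, john))
    print("edit own row:", load_billing_for_edit(db, 1, john, log))
    print("edit other row:", load_billing_for_edit(db, 2, john, log))
    print("rows changed on other row:", update_billing_address(db, 2, john, "HACK"))
    print("attempts recorded:", log)
```

The check in `load_billing_for_edit` is what stops the direct-URL case Jason mentions: the id in the query string is never trusted on its own, it is always paired with the logged-on user, and a zero-row result is the signal to redirect (and to log).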
 