My site is using forms authentication with both users and roles. I use small web.config files to deny/allow access to directories for specific users or roles.
Those files look similar to this:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admins, Coaches, Athletes"/>
      <deny users="*, ?"/>
    </authorization>
  </system.web>
</configuration>
The above works.
My site has two groups of users: athletes and coaches. The configuration of which user is a coach of which athlete is done in the database.
I now need to create the following: My site will generate athlete-specific reports. Those reports should only be visible to that specific athlete and also to his/her coach. Each athlete will get its own directory on the server.
To accomplish this I could place a web.config file into each directory with the following content:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="AthleteName"/>
      <allow users="CoachName"/>
      <deny users="*, ?"/>
    </authorization>
  </system.web>
</configuration>
This would probably work. My problem is: New users can be added to the site at any time through a membership page. The coach/athlete configuration is done in the database and can change at any time. It can also change through a back-end system which is not part of my site.
Instead of having a static web.config I was looking for a more dynamic way of access authorisation to directories. Does anybody have a good idea?
Thanks in advance.
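One way to make the per-directory check dynamic, as an added example that is not part of the original post: an ASP.NET HTTP module that decides access on every request by asking the database whether the logged-in user is the athlete who owns the directory or that athlete's coach. The `~/Reports/<AthleteName>/` layout, the `SiteDb` connection string, the `CoachAthlete` table with its `CoachName` and `AthleteName` columns, and the class name are all assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

// Hypothetical module: authorizes ~/Reports/<AthleteName>/... per request.
public class ReportAccessModule : IHttpModule
{
    private const string ReportsRoot = "~/Reports/"; // assumed directory layout

    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(ReportsRoot, StringComparison.OrdinalIgnoreCase))
            return; // not a report: the static web.config rules still apply

        // The first segment after the root names the athlete who owns the directory.
        // A path with no athlete segment (parts.Length == 1) is denied by default.
        string[] parts = path.Substring(ReportsRoot.Length).Split('/');
        string owner = parts[0];
        var user = ctx.User;
        bool allowed = user != null && user.Identity.IsAuthenticated && parts.Length > 1
            && (string.Equals(user.Identity.Name, owner, StringComparison.OrdinalIgnoreCase)
                || IsCoachOf(user.Identity.Name, owner));
        if (!allowed)
        {
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // Looks the relationship up on each request, so changes made by the
    // back-end system take effect without touching any web.config file.
    private static bool IsCoachOf(string coach, string athlete)
    {
        string cs = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM CoachAthlete WHERE CoachName = @c AND AthleteName = @a", conn))
        {
            cmd.Parameters.AddWithValue("@c", coach);   // parameterized: names never reach the SQL text
            cmd.Parameters.AddWithValue("@a", athlete);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The module has to be registered in web.config, and under the IIS integrated pipeline it must be configured to run for static files as well, otherwise report files that are not handled by ASP.NET bypass the check. A single static web.config at the reports root that denies anonymous users can stay in place as a second layer.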