Why ASP.NET menu control ignores roles in Web.sitemap?
- by MainMa
Hi,
I have a website with a menu based on sitemap. ActiveDirectoryRoleProvider is a custom class. securityTrimmingEnabled of sitemap provider is set to true.
Now, regardless of the roles set in the sitemap file, the site menu displays every sitemap entity. So for example, if I have in the sitemap a node with roles="*", a second one with roles="Administrators" and a third one with roles="Foo", and I log in as a member of the Administrators group but not the Foo group, the site menu will display all three items. On the other hand, if I have a node which does not specify the roles attribute but has children, this node will never be displayed.
If I put:
<%= HttpContext.Current.User.IsInRole("Administrators") ? "Admin" : "Not admin"%>
<%= HttpContext.Current.User.IsInRole("Foo") ? "Foo" : "Not foo"%>
before the menu, it displays that I'm Admin, but Not foo, which is just fine.
So if it knows that I'm Admin but Not foo, why does it continue to display Foo's sitemap nodes?
Note: changing authorizations has no effect on the menu. It continues to show every item, even for the pages I'm unable to access.