Lab 06: Code Implementation Report
1. Introduction
This lab involves implementing a Role-Based Access Control (RBAC) mechanism for the Pine Valley Furniture
Company. The goal is to enhance the existing database schema to include authentication details and user roles,
and update previous web forms to conditionally grant access based on whether the logged-in user is an
administrator or a regular customer.
2. Implementation Details
The project consists of the following ASP.NET Web Forms:
- Login.aspx: The entry point of the application. Validates credentials against the updated
database schema using parameterized queries to prevent SQL injection. Creates a session saving `Customer_Id`
and `User_Role`.
- UserRegsistration.aspx: Enhanced to support role-based features. Administrators can update
any Customer ID, whereas regular users are strictly bound to update only their own information based on
their active session.
- Products.aspx: Displays products and allows users to search or place orders. Access to the
Catalog management link is restricted to administrators.
- Orders.aspx: Captures delivery details and places orders bound to the currently
authenticated user session.
- Catalog.aspx: An admin-only interface protected by a session role check that blocks
unauthorized access.
- Payment.aspx: Payment completion placeholder.
- HelpPage.aspx: Provides user guidance.
3. Design Decisions & Security Fixes
The application performs session checks (e.g., verifying `Session("User_Role") = "admin"`) in the
`Page_Load` events to restrict components such as administrative panels. Database queries were restructured to
read their connection settings from `Web.config` and to use parameterized SQL commands aligned with the `Users`
table schema, which resolved the earlier build errors, null-reference exceptions, and credential-bypass
issues.
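The following VB.NET module is an added illustration of the two controls described above (the admin session check and the parameterized credential lookup); it is not the lab's own code. It assumes a module named `AccessControl`, a `Web.config` connection string named `PineValleyDb`, `Username` and `PasswordHash` columns in the `Users` table, and that password hashes are stored as salted PBKDF2-SHA256 values.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Web.SessionState
Imports System.Web.UI

' Shared helpers (assumed module name) called from the page code-behind files.
Public Module AccessControl
    ' True only when the session holds the administrator role.
    Public Function IsAdmin(session As HttpSessionState) As Boolean
        Return session IsNot Nothing AndAlso
               String.Equals(TryCast(session("User_Role"), String), "admin", StringComparison.Ordinal)
    End Function

    ' Call first thing in Page_Load of admin-only pages such as Catalog.aspx.
    Public Sub RequireAdmin(page As Page)
        If Not IsAdmin(page.Session) Then page.Response.Redirect("~/Login.aspx", True)
    End Sub

    ' Parameterized credential lookup; returns (Customer_Id, User_Role) or Nothing.
    ' Assumed: connection string "PineValleyDb" in Web.config and a Users table with
    ' Username and PasswordHash columns alongside Customer_Id and User_Role.
    Public Function Authenticate(username As String, password As String) As Tuple(Of Integer, String)
        Dim connStr = ConfigurationManager.ConnectionStrings("PineValleyDb").ConnectionString
        Const sql As String = "SELECT Customer_Id, PasswordHash, User_Role FROM Users WHERE Username = @u"
        Using conn As New SqlConnection(connStr), cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = username
            conn.Open()
            Using rdr = cmd.ExecuteReader()
                If Not rdr.Read() Then Return Nothing
                If Not VerifyPassword(password, rdr.GetString(1)) Then Return Nothing
                Return Tuple.Create(rdr.GetInt32(0), rdr.GetString(2))
            End Using
        End Using
    End Function

    ' Assumed storage format: base64(salt) & ":" & base64(PBKDF2-SHA256 of password), 100000 rounds.
    ' The HashAlgorithmName overload of Rfc2898DeriveBytes requires .NET Framework 4.7.2 or later.
    Private Function VerifyPassword(password As String, stored As String) As Boolean
        Dim parts = stored.Split(":"c)
        If parts.Length <> 2 Then Return False
        Dim salt = Convert.FromBase64String(parts(0)), expected = Convert.FromBase64String(parts(1))
        Using kdf As New Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256)
            Dim actual = kdf.GetBytes(expected.Length)
            Dim diff = 0   ' constant-time comparison so timing does not leak hash bytes
            For i = 0 To expected.Length - 1 : diff = diff Or (actual(i) Xor expected(i)) : Next
            Return diff = 0
        End Using
    End Function
End Module
```

The Login.aspx button handler would call `Authenticate` and, on success, store `Item1` in `Session("Customer_Id")` and `Item2` in `Session("User_Role")`; Catalog.aspx would call `RequireAdmin(Me)` at the top of its `Page_Load`.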