CodeSOD: Trained Developer

by Remy Porter, from The Daily WTF (#1HCE4)

ASP.NET, like most web frameworks, has a "role provider" system to handle role-based authorization. With a small quantity of code (subclass RoleProvider, register it in web.config), you can hook your custom user store into this API and get role checks essentially for "free" through the static Roles class. Not every organization uses it, because it isn't sufficient for every security situation, but it's a good starting point, and it is guaranteed to be covered in any ASP.NET training course.

Paul's employer recently found a new hiring strategy. Instead of hiring expensive, well-qualified people, they hire completely inexperienced people on the cheap and send them to training classes. That's likely where this code started its life: cribbed from notes in a training class.

```csharp
private void AddUserToRole(List<NewAlumUser> users, int r)
{
    if (!Roles.RoleExists("Level" + users[r].Accesslevel))
    {
        Roles.CreateRole("Level" + users[r].Accesslevel);
    }
    //checks if they are in the role... GOOD
    if (!(Roles.IsUserInRole(users[r].User_name, "Level" + users[r].Accesslevel)))
    {
        string[] rolesforuser = Roles.GetRolesForUser(users[r].User_name);
        string[] userroles = Roles.GetUsersInRole("Level" + users[r].Accesslevel);
        int count = rolesforuser.GetUpperBound(0);
        string currentrole = "";
        for (int i = 0; i <= count; i++)
        {
            currentrole = rolesforuser[i].ToUpper() + currentrole;
        }
        if (!(currentrole.Contains("LEVEL" + users[r].Accesslevel.ToUpper())))
        {
            try
            {
                Roles.AddUserToRole(users[r].User_name, "Level" + users[r].Accesslevel);
            }
            catch (Exception ex)
            {
                createfile("AddUserToRole",
                    users[r].User_name + "\r\n" + users[r].Accesslevel + "\r\n" +
                    ex.Message + "\r\n" + ex.Source + "\r\n" + ex.StackTrace);
            }
        }
    }
    //if (Roles.IsUserInRole(users[r].User_name.ToLower()) == false && Roles.IsUserInRole(users[r].User_name.ToUpper()) == false)
}
```

Now, there are a few obvious problems with this code. The for loop in the middle is an incredibly special snowflake: having just asked Roles.IsUserInRole whether the user is in the role, and been told no, it fetches every role the user holds, concatenates their upper-cased names into one string, and then checks whether that string contains the role name as a substring. That is the same question asked again and answered worse. A user who only holds "Level10" "contains" "LEVEL1", so the code silently skips adding them to Level1, and nothing is logged because nothing threw. The userroles array is fetched and never used. Beyond that, this code is in-line in the code-behind for a SharePoint page, and is called every time the page is rendered, so role provisioning runs on the request path on every hit.

The real kicker, though, is that Paul's organization uses a custom provider that doesn't implement RoleExists. Roles.RoleExists delegates straight to the configured RoleProvider, so the very first line throws an exception every time this method is called. The try/catch only wraps AddUserToRole, so that exception escapes into the page, and none of the code after it ever runs anyway.
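For contrast, here is an added example (not code from the article or from Paul's employer) of what the role-provider hook-up described at the top of the page actually takes, and of the method above done properly. InMemoryRoleProvider is a hypothetical provider that implements every abstract member of RoleProvider, RoleExists included, so the Roles facade cannot throw the way Paul's custom provider does; EnsureUserInLevelRole is the single-check replacement for AddUserToRole, written against a RoleProvider parameter so it can be exercised outside IIS (pass Roles.Provider in a real page); LegacyAppearsInRole reproduces the concatenate-then-Contains test so the Level10/Level1 false positive can be seen. Class, method and user names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration.Provider;
using System.Linq;
using System.Web.Security;

// Hypothetical in-memory RoleProvider (added example). Role and user names are
// case-insensitive, matching the built-in SqlRoleProvider.
public class InMemoryRoleProvider : RoleProvider
{
    private readonly Dictionary<string, HashSet<string>> store =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public override string ApplicationName { get; set; }

    // The member Paul's provider left out. Roles.RoleExists calls this directly.
    public override bool RoleExists(string roleName) => store.ContainsKey(roleName);

    public override void CreateRole(string roleName)
    {
        if (store.ContainsKey(roleName))
            throw new ProviderException("Role already exists: " + roleName);
        store[roleName] = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    }

    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
    {
        if (!store.TryGetValue(roleName, out var members)) return false;
        if (throwOnPopulatedRole && members.Count > 0)
            throw new ProviderException("Role is not empty: " + roleName);
        return store.Remove(roleName);
    }

    public override bool IsUserInRole(string username, string roleName) =>
        store.TryGetValue(roleName, out var members) && members.Contains(username);

    public override string[] GetRolesForUser(string username) =>
        store.Where(kv => kv.Value.Contains(username)).Select(kv => kv.Key).ToArray();

    public override string[] GetUsersInRole(string roleName) =>
        store.TryGetValue(roleName, out var members) ? members.ToArray() : new string[0];

    public override string[] FindUsersInRole(string roleName, string usernameToMatch) =>
        GetUsersInRole(roleName)
            .Where(u => u.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
            .ToArray();

    public override string[] GetAllRoles() => store.Keys.ToArray();

    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    {
        foreach (var role in roleNames)
        {
            if (!store.TryGetValue(role, out var members))
                throw new ProviderException("No such role: " + role);
            foreach (var user in usernames) members.Add(user);
        }
    }

    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
    {
        foreach (var role in roleNames)
            if (store.TryGetValue(role, out var members))
                foreach (var user in usernames) members.Remove(user);
    }
}

public static class LevelRoles
{
    // Create the role on first sight, check membership once, add once. Nothing is
    // swallowed: a provider failure reaches the caller instead of a log file.
    // Returns true when membership was granted, false when it already existed.
    public static bool EnsureUserInLevelRole(RoleProvider provider, string userName, string accessLevel)
    {
        string role = "Level" + accessLevel;
        if (!provider.RoleExists(role))
            provider.CreateRole(role);
        if (provider.IsUserInRole(userName, role))
            return false;
        provider.AddUsersToRoles(new[] { userName }, new[] { role });
        return true;
    }

    // The article's concatenate-then-Contains test, kept only to show its false positive.
    public static bool LegacyAppearsInRole(string[] rolesForUser, string accessLevel)
    {
        string joined = "";
        for (int i = 0; i < rolesForUser.Length; i++)
            joined = rolesForUser[i].ToUpper() + joined;
        return joined.Contains("LEVEL" + accessLevel.ToUpper());
    }

    public static void Main()
    {
        var provider = new InMemoryRoleProvider();
        Console.WriteLine(EnsureUserInLevelRole(provider, "paul", "1"));   // True: role created, user added
        Console.WriteLine(EnsureUserInLevelRole(provider, "paul", "1"));   // False: idempotent on a re-render

        EnsureUserInLevelRole(provider, "eve", "10");
        // "eve" holds only Level10; the legacy substring test says she is in Level1.
        Console.WriteLine(LegacyAppearsInRole(provider.GetRolesForUser("eve"), "1"));  // True (wrong)
        Console.WriteLine(provider.IsUserInRole("eve", "Level1"));                     // False (right)
    }
}
```

To wire the provider into an ASP.NET application, enable the role manager in web.config and point it at the class (a roleManager element with enabled="true" and defaultProvider set to the name under which InMemoryRoleProvider is added in its providers collection); the static Roles class then forwards every call to it. Even with the method fixed, it belongs in the job that builds the List<NewAlumUser>, run once per import, not in a page's code-behind on every request.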
