
How to secure directories using application.cfc?

ColdFusion 8
MS SQL Server 2005

Hi. I'm trying to get ColdFusion to secure a directory on my web server.

I have built a simple login application here:

http://ascassociation.org/coalitionresources/

And it is working fine, using session management. People can log in and log out. I developed this login application using CF WACK 8 by Forta/Camden, Ch. 23. I use session variables to determine whether a user is logged in.

The problem is, people can view the entire web site even if they do not log in. Thus I have established a login application using session management, that secures nothing at all. Great!

I am trying to secure these directories:

http://ascassociation.org/coalitionresources/admin/

http://ascassociation.org/coalitionresources/documents/

I would like only user "Administrator" to be able to view /admin/. All other logged in users can view only /documents/. People who are not logged in should be able to see neither of these directories.

Administrator has UserRoleID = 1. All other users have UserRoleID = 5.

Is there a way, in application.cfc, to secure these directories? Perhaps by leveraging the UserRoleID variable (as noted above)?

I am using this markup (see below) in my application.cfc, but it does not secure the directories. I append my full application.cfc.

VERY grateful for any advice. Thanks again.

Best from Eric




 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <cfinclude template="/coalitionresources/" />
           <cfabort>
      </cfif>    
 </cffunction>
 <!--- END METHOD: onRequestStart --->
<!--- 
 Filename: Application.cfc
 Created by: Raymond Camden (ray@camdenfamily.com)
 modified by gdemaria, Eric B
 Please Note: Executes for every page request
--->
<cfcomponent output="false">
 
  <!--- Name the application. --->
  <cfset this.name="ASCassociationCoalitionResources">
  <!--- Turn on session management. --->
  <cfset this.sessionManagement=true>
  
  <cffunction name="onApplicationStart" output="false" returnType="void">
 
    <!--- Any variables set here can be used by all of the application's pages --->
    <cfset APPLICATION.dataSource = "ascassociation">
    <cfset APPLICATION.companyName = "ASC Association">
  
  </cffunction>  
  
  <!--- METHOD: onSessionStart --->
  <cffunction name="onSessionStart" returntype="void">

      <!--- define all session variables, so they will always exist --->
      <cfset session.auth.isLoggedIn  = false>
      <cfset session.auth.ContactID  = "">
      <cfset session.auth.FirstName   = "">
      <cfset session.auth.LastName    = "">
      <cfset session.auth.Address    = "">
      <cfset session.auth.City    = "">
      <cfset session.auth.State    = "">
      <cfset session.auth.ZIP    = "">
      <cfset session.auth.Email    = "">
      <cfset session.auth.UserLogin    = "">
      <cfset session.auth.UserPassword    = "">
      <cfset session.auth.UserRoleID  = "">
 
 </cffunction>
 <!--- END METHOD: onSessionStart --->
  
 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <cfinclude template="/coalitionresources/" />
           <cfabort>
      </cfif>    
 </cffunction>
 <!--- END METHOD: onRequestStart --->
 
 </cfcomponent>


Asked by Eric Bourland

azadisaryev commented:
the simplest way would be to add an Application.cfm file into the 2 directories you want to secure with the following code in it:

<cfapplication name="ASCassociationCoalitionResources">
<cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
<p>Access denied</p>
<cfabort>
</cfif>

note that the name of this application is same as in your main Application.cfc.
this also assumes that you are populating the above 2 session variables on successful user login.

hth

Eric Bourland (author) commented:
azadisaryev,

Thanks for this. It makes sense to me and I feel like I am making progress.

I implemented the application.cfc in each directory -- /admin/ and /documents/ -- per your advice. I am getting an error:

"Null Pointers are another name for undefined values."

You can see it firsthand here:

http://ascassociation.org/coalitionresources/admin/

I've been researching "Null Pointers are another name for undefined values." My searches lead me to believe there is something I need to adjust in CF Administrator? Have you seen this error, "Null Pointers are another name for undefined values.", before?

Thanks again.

Eric

azadisaryev commented:
well, i specifically said application.CFM, not .CFC... Application.cfc component requires a specific structure, with specific methods, while Application.cfm file is basically just a file that gets processed before each and every request.

i suspect that by using Application.cfc instead of Application.cfm in your 2 directories it creates a separate application for those directories, and the variables from your root application (i.e. session vars) are not available in them.

try it with Application.CFM with the code i posted. i must confess, i have not tested it, but in theory it should work as long as the application name is the same.

if for some reason having a separate application.cfm file in the sub-directories does not work, you can try:
1) create an ApplicationProxy.cfc in your root dir with the following code in it:
<cfcomponent name="ApplicationProxy" displayname="ApplicationProxy" extends="Application"></cfcomponent>
2) create Application.CFC in your 2 directories with the following code:
<cfcomponent displayname="Application" extends="ApplicationProxy">
<cffunction name="onRequestStart" access="public" returntype="boolean">
<cfargument name="TargetPage" type="string" required="yes" />
<cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
<p>Access denied</p>
<cfabort>
</cfif>
<cfreturn true>
</cffunction>
</cfcomponent>

if all else fails, you can just put the cfif block from my first reply at the top of each page in your 2 directories (make sure there are no application.cfm/cfc file in them) - not the best solution as it complicates code maintenance, but it will work...

hth

Eric Bourland (author) commented:
I understand. OK, I changed the filename from application.cfc to application.cfm.

Hmmm, a new error:

The requested scope session has not been enabled.  
Before session variables can be used, the session state management system must be enabled using the cfapplication tag.  
 
The error occurred in D:\websites\ascassociation.org\coalitionresources\admin\Application.cfm: line 3
 
1 : <cfapplication name="ASCassociationCoalitionResources">
2 :
3 : <cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
4 : <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
5 :

you can see it here:
http://ascassociation.org/coalitionresources/admin/

Yet we did use the cfapplication tag. I attach application.cfm below?


This is application.cfm placed in /coalition/admin/:
 
<cfapplication name="ASCassociationCoalitionResources">
 
<cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
<p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
 
<p>Please <a href="/coalitionresources/">log in</a> as Administrator if you wish to continue here.</p>
 
<p>Thanks, and have a great day.</p>
 
<cfabort>
</cfif>


azadisaryev commented:
ok, you should enable session management in the <cfapplication> tag:
change it to:
<cfapplication name="ASCassociationCoalitionResources" sessionmanagement="true">

Eric Bourland (author) commented:
I see. OK, did that. I understand that I needed to enable session management.

Now a new error:

Element AUTH.ISLOGGEDIN is undefined in SESSION.  

The error occurred in D:\websites\ascassociation.org\coalitionresources\admin\Application.cfm: line 3
 
1 : <cfapplication name="ASCassociationCoalitionResources" sessionmanagement="true">
2 :
3 : <cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
4 : <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
5 :

http://ascassociation.org/coalitionresources/admin/

I need to define element AUTH.ISLOGGEDIN in the session variable. I added to application.cfm this line:

 <cfset session.auth.IsLoggedIn  = "">

But the error persists.

Do I need to put that CFIF block at the top of every page? If that is how it must be, I understand.

Thanks again!

Eric

azadisaryev commented:
did you try the ApplicationProxy.cfc way i posted? try that - i guess having an Application.cfm inside the sub-directory, even with same application name as the app in the root does not really work (i will try and test it when i have a minute...)

i have this setup (Application.cfc + ApplicationProxy.cfc in root and Application.cfc extending the ApplicationProxy.cfc in sub-folder) working fine on several sites... so give that a try before you resort to including a cfif block at the top of each page in your subfolders.

hth

Eric Bourland (author) commented:
Got it. I am working on this....

gdemaria commented:
Eric, the approach you have in your question is a reasonable and clean method.  My feeling is that you should just debug it and not change it.

Given this code in your onRequestStart function, there are only a few items keeping you from getting into the <cfabort> clause.

1. is session.auth.isLoggedIn set to false?
2. is the current folder on the list for secure directories?
3. What is in coalitionresources ?

      <cfset var secureDirectories = "admin,documents">
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <cfinclude template="/coalitionresources/" />
           <cfabort>
      </cfif>    


To find out the answers to these questions do this..

Substitute that block of code in your onRequestStart function with this block of code.  The page won't run, but it will tell you your starting values of all the conditions you're testing for.

<cfoutput>
 I am in folder: #listFirst(cgi.script_name,"/")#<br>
 Testing against : #secureDirectories#<br>
 Am I logged in? #session.auth.isLoggedIn#<br>
</cfoutput>
      <cfset var secureDirectories = "admin,documents">
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <!-----  <cfinclude template="/coalitionresources/" />   ----->
           <h1>You need to login!</h1>
   <cfelse>
      <h1>You are already logged in</h1>  
   </cfif>  
   <cfabort>


gdemaria commented:
When you do that, you will see that this..

listFirst(cgi.script_name,"/")

returns ...   colocationResources   as your top folder.

You are testing for  admin or documents to be your top folder.

that's why the CFIF statement isn't working, you are now one extra level down.   The code would work if you went to  
               http://ascassociation.org/admin/
because /admin is a top level folder.

In order for it to work, you need to change the CFIF statement to check either the second level folder, or check ALL level folders  or  perhaps first and second level folders.


Eric Bourland (author) commented:
gdemaria,

That is interesting. I'll work with this for a while and get back to you later today. Thanks as always. Hope you are great.

Eric

gdemaria commented:
Eric,
.. doing pretty well thanks :)

Here's a quick fix.   Replace your CFIF with this..

<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>

This statement will check the top folder and the second folder to see if the folder name matches the ones you have on the list.


Eric Bourland (author) commented:
@azadisaryev -- the applicationproxy.cfc is an interesting solution and I see where you are going with that. I am going to work further to debug /coalitionresources/application.cfc and see what I can do in there. I really appreciate your time and input.

@gdemaria, I did:

 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
    <cfoutput>
 I am in folder: #listFirst(cgi.script_name,"/")#<br>
 Testing against : #secureDirectories#<br>
 Am I logged in? #session.auth.isLoggedIn#<br>
</cfoutput>
   
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <!-----  <cfinclude template="/coalitionresources/" />   ----->
           <h1>You need to login!</h1>
   <cfelse>
      <h1>You are already logged in</h1>  
   </cfif>  
   <cfabort>    
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

... and it ran fine. (I had to move   <cfset var secureDirectories = "admin,documents"> before my cfoutput ... the local variable wanted to be set before the cfoutput.)

Thus at http://ascassociation.org/coalitionresources/ I get this output:

I am in folder: coalitionresources
Testing against : admin,documents
Am I logged in? false

You are already logged in

Which confuses me -- how am I both logged in and not logged in? Hmm.

Also, you say that I want admin or documents to be the top folder. Are you sure that is true?

My goal is to allow people logged-in with UserRoleID = 1 to view /coalitionresources/documents/ and /coalitionresources/admin/.

But people logged-in with UserRoleID = 5 can view ONLY folder /coalitionresources/documents/.

So we want application.cfc to exist in /coalitionresources/ -- the "top" folder, above /documents/ and /admin/ -- am I thinking about this correctly?

Yet you are saying my CFIF must test for folders /documents/ and /admin/ to be the top documents?

I attach my full application.cfc -- when you get time, let me know what you think? There is no hurry and I really appreciate your time.

Peace,

Eric
application.cfc (located in /coalitionresources/)
 
<!--- 
 Filename: Application.cfc
 Created by: Raymond Camden (ray@camdenfamily.com)
 modified by gdemaria, Eric B
 Please Note: Executes for every page request
--->
<cfcomponent output="false">
 
  <!--- Name the application. --->
  <cfset this.name="ASCassociationCoalitionResources">
  <!--- Turn on session management. --->
  <cfset this.sessionManagement=true>
  
  <cffunction name="onApplicationStart" output="false" returnType="void">
 
    <!--- Any variables set here can be used by all of the application's pages --->
    <cfset APPLICATION.dataSource = "ascassociation">
    <cfset APPLICATION.companyName = "ASC Association">
  
  </cffunction>  
  
  <!--- METHOD: onSessionStart --->
  <cffunction name="onSessionStart" returntype="void">

      <!--- define all session variables, so they will always exist --->
      <cfset session.auth.isLoggedIn  = false>
      <cfset session.auth.ContactID  = "">
      <cfset session.auth.FirstName   = "">
      <cfset session.auth.LastName    = "">
      <cfset session.auth.Address    = "">
      <cfset session.auth.City    = "">
      <cfset session.auth.State    = "">
      <cfset session.auth.ZIP    = "">
      <cfset session.auth.Email    = "">
      <cfset session.auth.UserLogin    = "">
      <cfset session.auth.UserPassword    = "">
      <cfset session.auth.UserRoleID  = "">
 
 </cffunction>
 <!--- END METHOD: onSessionStart --->
  
 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
    <cfoutput>
 I am in folder: #listFirst(cgi.script_name,"/")#<br>
 Testing against : #secureDirectories#<br>
 Am I logged in? #session.auth.isLoggedIn#<br>
</cfoutput>
    
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <!-----  <cfinclude template="/coalitionresources/" />   ----->
           <h1>You need to login!</h1>
   <cfelse>
      <h1>You are already logged in</h1>   
   </cfif>   
   <cfabort>    
        
 </cffunction>
 <!--- END METHOD: onRequestStart --->
 
 </cfcomponent>


azadisaryev commented:
good luck with exploring the extending an application.cfc through an applicationproxy.cfc root.
it is a powerful thing to master and a good thing to know, but, as gdemaria pointed out, may well be an overkill in your case... and if i had paid more attention to your code in the first place i would have figured it out, too.

you are still not checking for correct thing in your cfif block, as gdemaria already mentioned.
your <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/")) AND session.auth.isLoggedIn is False> line, and specifically the listFirst() function in it, is the problem - listFirst(cgi.script_name,"/") will always return "coalitionresources" for you since it is the first element in the cgi.script_name /-delimited list.

try this instead:
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>

hth

Eric Bourland (author) commented:
azadisaryev,

It is working. =) Sweet.

>>>listFirst(cgi.script_name,"/") will always return "coalitionresources" for you since it is the first element in the cgi.script_name /-delimited list.

I see what you mean. I see you use listLast instead:
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>

I also added some friendly user text that guides a non-logged in user to the login page at /coalitionresources/

I also figured out that I need to place <cfabort> within the </cfif> tags.

This is making sense to me. =)

However, there is one more problem. I find that if I log in as a user with UserRoleID = 5, then I can still see the /admin/ folder.

This means I need to add some more CFIF logic to my onRequestStart method.

I'm going to work on this for a while then get back to you. I think I know how to do this.

More in a little while.

Thank you again azadisaryev and gdemaria. Hope your day is going well.

Eric
 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
    <cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>
 
    <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
 
<p>Please <a href="/coalitionresources/">log in</a> as Administrator if you wish to continue here.</p>
 
<p>Thanks, and have a great day.</p>
 
        <cfabort>     
        </cfif>   
        
 </cffunction>
 <!--- END METHOD: onRequestStart --->


azadisaryev commented:
just update your cfif statement to be:

<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND (session.auth.isLoggedIn is False OR session.auth.UserRoleID neq 1)>

gdemaria commented:
Eric,

>  So we want application.cfc to exist in /coalitionresources/ -- the "top" folder, above /documents/ and /admin/ -- am I thinking about this correctly?   Yet you are saying my CFIF must test for folders /documents/ and /admin/ to be the top documents?

I am saying that your CFIF tests the first level (which is coalitionresources) but you WANT it to be testing the second level (admin  or documents).   So you need to change your CFIF statement.   You can use the example CFIF  I provided above to test the first OR second levels or you can use azadisaryev's code which will always test the LAST folder.   It depends on your structure and where you're going with the folders.  

Either my example or azadisaryev's example should work for you.



To reduce the confusion of your example, you should change this line...

<cfelse>
      <h1>You are already logged in</h1>

to ...

<cfelse>
      <h1>You do not need to login, or you already are logged in.</h1>

The code is showing this line because the folder is not matching your secure directories list.
So it thinks you don't need to login.




Eric Bourland (author) commented:
@gdemaria,

I understand that your original code wanted to answer these questions:

1. is session.auth.isLoggedIn set to false?
2. is the current folder on the list for secure directories?
3. What is in coalitionresources ?

... which makes sense to me. I need to know those answers before I can revise the CFIF statement.

>>>You can use the example CFIF  I provided above to test the first OR second levels or you can use azadisaryev's code which will always test the LAST folder

I think I get you. You are saying that this:

<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>

tests the first OR second levels. Whereas azadisaryev's code tests for whichever folder comes last, in this case, /documents/.

N.B. I read up on the function ListFindNoCase: http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_l_10.html#130765

... so I could try to understand why you are using function ListFindNoCase.

When I use
<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>
 
        <cfabort>    
        </cfif>  
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

I get an error:

Invalid CFML construct found on line 47 at column 43.  
ColdFusion was looking at the following text:
>

The CFML compiler was processing:

An expression beginning with (, on line 45, column 7.This message is usually caused by a problem in the expressions structure.
A cfif tag beginning on line 45, column 2.
A cfif tag beginning on line 45, column 2.
 
 
The error occurred in D:\websites\ascassociation.org\coalitionresources\Application.cfc: line 47
 
45 : <cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
46 :    or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
47 :    )  and session.auth.isLoggedIn is False>
48 :  
49 :         <cfabort>  
 

When I use

<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
    <cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>
 
    <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
 
<p>Please <a href="/coalitionresources/">log in</a> as Administrator if you wish to continue here.</p>
 
<p>Thanks, and have a great day.</p>
 
        <cfabort>    
        </cfif>  
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

the error goes away and the application works.

Yet both methods make sense to me. I wonder if I introduced error when I implemented

<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>
 
        <cfabort>    
        </cfif>  
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

Now I am working on a way to allow USERROLEID = 5 to access /coalitionresources/documents/ but not /coalitionresources/admin/

@azadisaryev I found that this:

<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND (session.auth.isLoggedIn is False OR session.auth.UserRoleID neq 1)>

prevented UserRoleID = 5 from seeing /coalitionresources/documents/ ... so I think I need a more complex CFIF statement. What do you think?

azadisaryev and gdemaria thank you again.

Eric

azadisaryev commented:
the error you are seeing in gdemaria's example code is purely due to mismatched parentheses: one closing ) is missing.

and yes, you do need a more complex cfif statement if different users have different access rights to different folders...

something like:
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>
<!--- your message about need to be logged in here --->
<cfelse><!--- user is either NOT in a secured folder or is logged in already --->
<cfif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/")) eq 'admin' AND session.auth.UserRoleID neq 1>
<!--- user is in admin/ folder and is NOT an admin: do whatever needs to be done --->
<cfelse>
<!--- user is NOT in admin/ folder or is logged in as admin: all OK --->
</cfif>
</cfif>

Eric Bourland (author) commented:
cool! working on this

and it is making sense =)

Eric Bourland (author) commented:
azadisaryev,

I stared at gdemaria's code thinking there was something missing.

Now I see the missing ) in this line: <cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))

Also I worked on the CFIF statement on my own for a while thinking I could get it myself.

Your solution is more elegant than my clunky, erroneous attempts. But I am not able to get it to work. Right now the CFABORT kicks in and stops the page from loading.

But, I think this is my fault for not explaining properly.

I really need TWO warning messages:

This displays when anybody who is not UserRoleID = 1 or not logged in tries to view folder /coalitionresources/admin/:

<p>Hi. You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> as Administrator.</p>

This displays when anybody who is not UserRoleID = 1 or UserRoleID = 5 or not logged in tries to view folder /coalitionresources/documents/:

<p>Hi. You must be logged in with proper credentials to view the /coalitionresources/documents/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.</p>

So maybe I need something like:
<cfif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/")) eq 'admin' AND session.auth.UserRoleID neq 1>
 
<p>Hi. You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
 
<cfelse>
 
<cfif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/")) eq 'documents' AND session.auth.UserRoleID neq 1 OR session.auth.UserRoleID neq 5>
 
<p>Hi. You must be logged in with proper credentials to view the /coalitionresources/documents/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.</p>
 
</cfif>


gdemaria commented:
Here it is with a few variables to start you off.   You can use them to set the secure folders and the roles needed to access the admin or the documents area.
<cfset secureDirectories = "admin,documents"> <!---- must be logged in to access any of these --->
<cfset secureAdminRoles = 1>  <!---- must be one of these roles to access admin folder ---->
<cfset secureDocumentRoles = "1,5">  <!---- must be one of these roles to access documents folder ---->
 
<!--- is the directory on the secure list? ---->
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/"))>
  <cfif session.auth.isLoggedIn is False> <!----- user is not logged in ---->
   <p>You are attempting to access a secure area.  
      Please <a href="/coalitionresources/">log in</a>.</p>
    <cfabort>
  <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "admin") and listContains(secureAdminRoles,session.auth.UserRoleID) eq 0>
   <p>You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources. 
      Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
    <cfabort>
  <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "documents") and listContains(secureDocumentRoles,session.auth.UserRoleID) eq 0>
     <p>You must be logged in with proper credentials to view the /coalitionresources/documents/ 
        section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.
     </p>
    <cfabort>
  </cfif>
</cfif> 


gdemaria commented:
Here's an updated version.

Removed the unnecessary lcase() function
and changed listContains() to ListFind().   listContains() could result in improper matching.

Eric, your code is close but you need to add ( ) parentheses in your CFIF statement because you have an OR and an AND together.   You are also missing a </cfif>


<cfset secureDirectories = "admin,documents"> <!---- must be logged in to access any of these --->
<cfset secureAdminRoles = "1">  <!---- must be one of these roles to access admin folder ---->
<cfset secureDocumentRoles = "1,5">  <!---- must be one of these roles to access documents folder ---->
 
<!--- is the directory on the secure list? ---->
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/"))>
  <cfif session.auth.isLoggedIn is False> <!----- user is not logged in ---->
   <p>You are attempting to access a secure area.  
      Please <a href="/coalitionresources/">log in</a>.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/")) is "admin") and listFind(secureAdminRoles,session.auth.UserRoleID) eq 0>
   <p>You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources. 
      Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/")) is "documents") and listFind(secureDocumentRoles,session.auth.UserRoleID) eq 0>
     <p>You must be logged in with proper credentials to view the /coalitionresources/documents/ 
        section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.
     </p>
    <cfabort>
  </cfif>
</cfif> 


Eric Bourland (author) commented:
Holy mackerel! It works. =) And it's be-yoo-tiful.

I edited <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "admin") to

<cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/") is "admin")

and <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "documents") to

<cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/") is "documents")

and that solved two little errors.

Eric Bourland (author) commented:
azadisaryev and gdemaria are, as the kids say, da shizzle. Thanks very much for explaining this patiently.

Vast peace.

Eric B

Eric Bourland (author) commented:
gdemaria -- I'll review the revised code. Thank you. I split points between you and azadisaryev. Thanks to you both.

gdemaria commented:
cool, can you post the version you're using for a final review..

Eric Bourland (author) commented:
I found there were a couple of extra parentheses after each cfelseif. It's working really well. =)

<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">

<cfset secureDirectories = "admin,documents"> <!---- must be logged in to access any of these --->
<cfset secureAdminRoles = "1">  <!---- must be one of these roles to access admin folder ---->
<cfset secureDocumentRoles = "1,5">  <!---- must be one of these roles to access documents folder ---->
 
<!--- is the directory on the secure list? ---->
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/"))>
  <cfif session.auth.isLoggedIn is False> <!----- user is not logged in ---->
   <p>You are attempting to access a secured area.  
      Please <a href="/coalitionresources/">log in</a>.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/") is "admin" and listFind(secureAdminRoles,session.auth.UserRoleID) eq 0>
   <p>You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources.
      Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/") is "documents" and listFind(secureDocumentRoles,session.auth.UserRoleID) eq 0>
     <p>You must be logged in with proper credentials to view the /coalitionresources/documents/
        section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.
     </p>
    <cfabort>
  </cfif>
</cfif>
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->
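The thread only ever shows the decision logic as CFML, so here is an added Python model of the final onRequestStart check (not ColdFusion code and not from the thread). It reproduces listFirst versus listLast(getDirectoryFromPath()) on cgi.script_name, the exact role matching that listFind gives, and, going beyond the thread's code, a nested mode that also covers pages in sub-folders below /admin/ or /documents/, which the last-folder check leaves unprotected. Directory names, role ids and paths are the thread's own; the Session class and the function names are assumptions.

```python
# Added example (not code from the thread): a Python model of the final
# onRequestStart authorization logic, so the path-parsing pitfalls the thread
# ran into can be checked offline. Directory names, role ids and paths are the
# thread's own; the nested-folder mode goes beyond what the thread's code does.
from dataclasses import dataclass

# secureDirectories / secureAdminRoles / secureDocumentRoles from the final post
SECURE_DIRECTORIES = ("admin", "documents")
ROLES_BY_DIRECTORY = {
    "admin": {"1"},           # secureAdminRoles = "1"
    "documents": {"1", "5"},  # secureDocumentRoles = "1,5"
}


@dataclass
class Session:
    """Mirrors session.auth as initialised in onSessionStart (assumed name)."""
    is_logged_in: bool = False
    user_role_id: str = ""   # starts as "", not 0, so compare as a string


def segments(path: str) -> list:
    """Split on '/' dropping empty items, like ColdFusion list functions do."""
    return [p for p in path.split("/") if p != ""]


def cf_list_first(script_name: str) -> str:
    """Emulates listFirst(cgi.script_name, "/"): always the application folder,
    never the sub-folder, which is why the first attempt never matched."""
    parts = segments(script_name)
    return parts[0] if parts else ""


def cf_directory_last(script_name: str) -> str:
    """Emulates listLast(getDirectoryFromPath(cgi.script_name), "/"):
    only the immediate parent folder of the requested page."""
    directory = script_name.rsplit("/", 1)[0]   # strip the file name
    parts = segments(directory)
    return parts[-1] if parts else ""


def secured_directory(script_name: str, nested: bool) -> str:
    """Return which secured directory the request falls under, or ''.

    nested=False reproduces the thread's final code (parent folder only).
    nested=True treats any folder below a secured directory as secured too,
    so /coalitionresources/admin/reports/ is still an admin page."""
    if not nested:
        last = cf_directory_last(script_name).lower()
        return last if last in SECURE_DIRECTORIES else ""
    for part in segments(script_name.rsplit("/", 1)[0]):
        if part.lower() in SECURE_DIRECTORIES:
            return part.lower()
    return ""


def authorize(script_name: str, session: Session, nested: bool = False) -> tuple:
    """Decide a request the way the final onRequestStart does.

    Returns (allowed, reason); the reason names which branch fired."""
    directory = secured_directory(script_name, nested)
    if directory == "":
        return True, "not a secured directory"
    if not session.is_logged_in:
        return False, "login required"
    # Exact membership, like listFind(); listContains() would substring-match
    if session.user_role_id not in ROLES_BY_DIRECTORY[directory]:
        return False, "role %r may not view /%s/" % (session.user_role_id, directory)
    return True, "role %s allowed in /%s/" % (session.user_role_id, directory)


if __name__ == "__main__":
    member = Session(is_logged_in=True, user_role_id="5")
    for path in ("/coalitionresources/admin/index.cfm",
                 "/coalitionresources/documents/index.cfm",
                 "/coalitionresources/admin/reports/index.cfm"):
        print(path, authorize(path, member), authorize(path, member, nested=True))
```

Running the block as a script prints, for a UserRoleID = 5 session, the verdict of the thread's last-folder check beside the nested check for each constructed path.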