Solved

How to secure directories using application.cfc?

Posted on 2008-10-15
28
475 Views
Last Modified: 2010-04-21
ColdFusion 8
MS SQL Server 2005

Hi. I'm trying to get ColdFusion to secure a directory on my web server.

I have built a simple login application here:

http://ascassociation.org/coalitionresources/

And it is working fine, using session management. People can log in and log out. I developed this login application using CF WACK 8 by Forta/Camden, Ch. 23. I use session variables to determine whether a user is logged in.

The problem is, people can view the entire web site even if they do not log in. Thus I have established a login application using session management, that secures nothing at all. Great!

I am trying to secure these directories:

http://ascassociation.org/coalitionresources/admin/

http://ascassociation.org/coalitionresources/documents/

I would like only user "Administrator" to be able to view /admin/. All other logged in users can view only /documents/. People who are not logged in should be able to see neither of these directories.

Administrator has UserRoleID = 1. All other users have UserRoleID = 5.

Is there a way, in application.cfc, to secure these directories? Perhaps by leveraging the UserRoleID variable (as noted above)?

I am using this markup (see below) in my application.cfc, but it does not secure the directories. I append my full application.cfc.

VERY grateful for any advice. Thanks again.

Best from Eric




 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <cfinclude template="/coalitionresources/" />
           <cfabort>
      </cfif>    
 </cffunction>
 <!--- END METHOD: onRequestStart --->
<!--- 
 Filename: Application.cfc
 Created by: Raymond Camden (ray@camdenfamily.com)
 modified by gdemaria, Eric B
 Please Note: Executes for every page request
--->

<cfcomponent output="false">

  <!--- Name the application. --->
  <cfset this.name="ASCassociationCoalitionResources">

  <!--- Turn on session management. --->
  <cfset this.sessionManagement=true>

  <cffunction name="onApplicationStart" output="false" returnType="void">
    <!--- Any variables set here can be used by all of the application's pages --->
    <cfset APPLICATION.dataSource = "ascassociation">
    <cfset APPLICATION.companyName = "ASC Association">
  </cffunction>

  <!--- METHOD: onSessionStart --->
  <cffunction name="onSessionStart" returntype="void">
    <!--- define all session variables, so they will always exist --->
    <cfset session.auth.isLoggedIn  = false>
    <cfset session.auth.ContactID  = "">
    <cfset session.auth.FirstName   = "">
    <cfset session.auth.LastName    = "">
    <cfset session.auth.Address    = "">
    <cfset session.auth.City    = "">
    <cfset session.auth.State    = "">
    <cfset session.auth.ZIP    = "">
    <cfset session.auth.Email    = "">
    <cfset session.auth.UserLogin    = "">
    <cfset session.auth.UserPassword    = "">
    <cfset session.auth.UserRoleID  = "">
  </cffunction>
  <!--- END METHOD: onSessionStart --->

  <!--- METHOD: onRequestStart --->
  <cffunction name="onRequestStart" output="false" returnType="void">
    <cfset var secureDirectories = "admin,documents">
    <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
      and session.auth.isLoggedIn is False>
      <cfinclude template="/coalitionresources/" />
      <cfabort>
    </cfif>
  </cffunction>
  <!--- END METHOD: onRequestStart --->

</cfcomponent>

Question by:Eric Bourland
28 Comments
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22727398
the simplest way would be to add an Application.cfm file into the 2 directories you want to secure with the following code in it:

<cfapplication name="ASCassociationCoalitionResources">
<cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
<p>Access denied</p>
<cfabort>
</cfif>

note that the name of this application is same as in your main Application.cfc.
this also assumes that you are populating the above 2 session variables on successful user login.

hth
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22727771
azadisaryev,

Thanks for this. It makes sense to me and I feel like I am making progress.

I implemented the application.cfc in each directory -- /admin/ and /documents/ -- per your advice. I am getting an error:

"Null Pointers are another name for undefined values."

You can see it firsthand here:

http://ascassociation.org/coalitionresources/admin/

I've been researching "Null Pointers are another name for undefined values." My searches lead me to believe there is something I need to adjust in CF Administrator? Have you seen this error, "Null Pointers are another name for undefined values.", before?

Thanks again.

Eric
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22727805
well, i specifically said application.CFM, not .CFC... Application.cfc component requires a specific structure, with specific methods, while Application.cfm file is basically just a file that gets processed before each and every request.

i suspect that by using Application.cfc instead of Application.cfm in your 2 directories it creates a separate application for those directories, and the variables from your root application (i.e. session vars) are not available in them.

try it with Application.CFM with the code i posted. i must confess, i have not tested it, but in theory it should work as long as the application name is the same.

if for some reason having a separate application.cfm file in the sub-directories does not work, you can try:
1) create an ApplicationProxy.cfc in your root dir with the following code in it:
<cfcomponent name="ApplicationProxy" displayname="ApplicationProxy" extends="Application"></cfcomponent>
2) create Application.CFC in your 2 directories with the following code:
<cfcomponent displayname="Application" extends="ApplicationProxy">
<cffunction name="onRequestStart" access="public" returntype="boolean">
<cfargument name="TargetPage" type="string" required="yes" />
<cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
<p>Access denied</p>
<cfabort>
</cfif>
<cfreturn true>
</cffunction>
</cfcomponent>

if all else fails, you can just put the cfif block from my first reply at the top of each page in your 2 directories (make sure there are no application.cfm/cfc file in them) - not the best solution as it complicates code maintenance, but it will work...

hth
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22727836
I understand. OK, I changed the filename from application.cfc to application.cfm.

Hmmm, a new error:

The requested scope session has not been enabled.  
Before session variables can be used, the session state management system must be enabled using the cfapplication tag.  
 
The error occurred in D:\websites\ascassociation.org\coalitionresources\admin\Application.cfm: line 3
 
1 : <cfapplication name="ASCassociationCoalitionResources">
2 :
3 : <cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
4 : <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
5 :

you can see it here:
http://ascassociation.org/coalitionresources/admin/

Yet we did use the cfapplication tag. I attach application.cfm below?


This is application.cfm placed in /coalition/admin/:

<cfapplication name="ASCassociationCoalitionResources">

<cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
<p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
<p>Please <a href="/coalitionresources/">log in</a> as Administrator if you wish to continue here.</p>
<p>Thanks, and have a great day.</p>
<cfabort>
</cfif>


0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22727861
ok, you should enable session management in the <cfapplication> tag:
change it to:
<cfapplication name="ASCassociationCoalitionResources" sessionmanagement="true">
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22727895
I see. OK, did that. I understand that I needed to enable session management.

Now a new error:

Element AUTH.ISLOGGEDIN is undefined in SESSION.  

The error occurred in D:\websites\ascassociation.org\coalitionresources\admin\Application.cfm: line 3
 
1 : <cfapplication name="ASCassociationCoalitionResources" sessionmanagement="true">
2 :
3 : <cfif session.auth.isLoggedIn is false OR session.auth.UserRoleID neq 1>
4 : <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
5 :

http://ascassociation.org/coalitionresources/admin/

I need to define element AUTH.ISLOGGEDIN in the session variable. I added to application.cfm this line:

 <cfset session.auth.IsLoggedIn  = "">

But the error persists.

Do I need to put that CFIF block at the top of every page? If that is how it must be, I understand.

Thanks again!

Eric
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22727939
did you try the ApplicationProxy.cfc way i posted? try that - i guess having an Application.cfm inside the sub-directory, even with same application name as the app in the root does not really work (i will try and test it when i have a minute...)

i have this setup (Application.cfc + ApplicationProxy.cfc in root and Application.cfc extending the ApplicationProxy.cfc in sub-folder) working fine on several sites... so give that a try before you resort to including a cfif block at the top of each page in your subfolders.

hth
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22727948
Got it. I am working on this....
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 22730495
Eric, the approach you have in your question is a reasonable and clean method.  My feeling is that you should just debug it and not change it.

Given this code in your onRequestStart function, there are only a few items keeping you from getting into the <cfabort> clause.

1. is session.auth.isLoggedIn set to false?
2. is the current folder on the list for secure directories?
3. What is in coalitionresources ?

      <cfset var secureDirectories = "admin,documents">
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <cfinclude template="/coalitionresources/" />
           <cfabort>
      </cfif>    


To find out the answers to these questions do this..

Substitute that block of code in your onRequestStart function with this block of code.  The page won't run, but it will tell you your starting values of all the conditions you're testing for.

<cfoutput>
 I am in folder: #listFirst(cgi.script_name,"/")#<br>
 Testing against : #secureDirectories#<br>
 Am I logged in? #session.auth.isLoggedIn#<br>
</cfoutput>
      <cfset var secureDirectories = "admin,documents">
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <!-----  <cfinclude template="/coalitionresources/" />   ----->
           <h1>You need to login!</h1>
   <cfelse>
      <h1>You are already logged in</h1>  
   </cfif>  
   <cfabort>

0
 
LVL 39

Expert Comment

by:gdemaria
ID: 22730529
When you do that, you will see that this..

listFirst(cgi.script_name,"/")

returns ...   coalitionresources   as your top folder.

You are testing for  admin or documents to be your top folder.

that's why the CFIF statement isn't working, you are now one extra level down.   The code would work if you went to  
               http://ascassociation.org/admin/
because /admin is a top level folder.

In order for it to work, you need to change the CFIF statement to check either the second level folder, or check ALL level folders  or  perhaps first and second level folders.

0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22730923
gdemaria,

That is interesting. I'll work with this for a while and get back to you later today. Thanks as always. Hope you are great.

Eric
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 22730983
Eric,
.. doing pretty well thanks :)

Here's a quick fix.   Replace your CFIF with this..

<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>

This statement will check the top folder and the second folder to see if the folder name matches the ones you have on the list.

0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22732792
@azadisaryev -- the applicationproxy.cfc is an interesting solution and I see where you are going with that. I am going to work further to debug /coalitionresources/application.cfc and see what I can do in there. I really appreciate your time and input.

@gdemaria, I did:

 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
    <cfoutput>
 I am in folder: #listFirst(cgi.script_name,"/")#<br>
 Testing against : #secureDirectories#<br>
 Am I logged in? #session.auth.isLoggedIn#<br>
</cfoutput>
   
      <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
        and session.auth.isLoggedIn is False>
           <!-----  <cfinclude template="/coalitionresources/" />   ----->
           <h1>You need to login!</h1>
   <cfelse>
      <h1>You are already logged in</h1>  
   </cfif>  
   <cfabort>    
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

... and it ran fine. (I had to move   <cfset var secureDirectories = "admin,documents"> before my cfoutput ... the local variable wanted to be set before the cfoutput.)

Thus at http://ascassociation.org/coalitionresources/ I get this output:

I am in folder: coalitionresources
Testing against : admin,documents
Am I logged in? false

You are already logged in

Which confuses me -- how am I both logged in and not logged in? Hmm.

Also, you say that I want admin or documents to be the top folder. Are you sure that is true?

My goal is to allow people logged-in with UserRoleID = 1 to view /coalitionresources/documents/ and /coalitionresources/admin/.

But people logged-in with UserRoleID = 5 can view ONLY folder /coalitionresources/documents/.

So we want application.cfc to exist in /coalitionresources/ -- the "top" folder, above /documents/ and /admin/ -- am I thinking about this correctly?

Yet you are saying my CFIF must test for folders /documents/ and /admin/ to be the top documents?

I attach my full application.cfc -- when you get time, let me know what you think? There is no hurry and I really appreciate your time.

Peace,

Eric
application.cfc (located in /coalitionresources/)
 

<!--- 
 Filename: Application.cfc
 Created by: Raymond Camden (ray@camdenfamily.com)
 modified by gdemaria, Eric B
 Please Note: Executes for every page request
--->

<cfcomponent output="false">

  <!--- Name the application. --->
  <cfset this.name="ASCassociationCoalitionResources">

  <!--- Turn on session management. --->
  <cfset this.sessionManagement=true>

  <cffunction name="onApplicationStart" output="false" returnType="void">
    <!--- Any variables set here can be used by all of the application's pages --->
    <cfset APPLICATION.dataSource = "ascassociation">
    <cfset APPLICATION.companyName = "ASC Association">
  </cffunction>

  <!--- METHOD: onSessionStart --->
  <cffunction name="onSessionStart" returntype="void">
    <!--- define all session variables, so they will always exist --->
    <cfset session.auth.isLoggedIn  = false>
    <cfset session.auth.ContactID  = "">
    <cfset session.auth.FirstName   = "">
    <cfset session.auth.LastName    = "">
    <cfset session.auth.Address    = "">
    <cfset session.auth.City    = "">
    <cfset session.auth.State    = "">
    <cfset session.auth.ZIP    = "">
    <cfset session.auth.Email    = "">
    <cfset session.auth.UserLogin    = "">
    <cfset session.auth.UserPassword    = "">
    <cfset session.auth.UserRoleID  = "">
  </cffunction>
  <!--- END METHOD: onSessionStart --->

  <!--- METHOD: onRequestStart --->
  <cffunction name="onRequestStart" output="false" returnType="void">
    <cfset var secureDirectories = "admin,documents">
    <cfoutput>
      I am in folder: #listFirst(cgi.script_name,"/")#<br>
      Testing against : #secureDirectories#<br>
      Am I logged in? #session.auth.isLoggedIn#<br>
    </cfoutput>
    <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
      and session.auth.isLoggedIn is False>
      <!-----  <cfinclude template="/coalitionresources/" />   ----->
      <h1>You need to login!</h1>
    <cfelse>
      <h1>You are already logged in</h1>
    </cfif>
    <cfabort>
  </cffunction>
  <!--- END METHOD: onRequestStart --->

</cfcomponent>


0
 
LVL 27

Accepted Solution

by:
azadisaryev earned 250 total points
ID: 22732971
good luck with exploring the extending an application.cfc through an applicationproxy.cfc root.
it is a powerful thing to master and a good thing to know, but, as gdemaria pointed out, may well be an overkill in your case... and if i had paid more attention to your code in the first place i would have figured it out, too.

you are still not checking for correct thing in your cfif block, as gdemaria already mentioned.
your <cfif listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/")) AND session.auth.isLoggedIn is False> line, and specifically the listFirst() function in it, is the problem - listFirst(cgi.script_name,"/") will always return "coalitionresources" for you since it is the first element in the cgi.script_name /-delimited list.

try this instead:
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>

hth
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22733129
azadisaryev,

It is working. =) Sweet.

>>>listFirst(cgi.script_name,"/") will always return "coalitionresources" for you since it is the first element in the cgi.script_name /-delimited list.

I see what you mean. I see you use listLast instead:
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>

I also added some friendly user text that guides a non-logged in user to the login page at /coalitionresources/

I also figured out that I need to place <cfabort> within the </cfif> tags.

This is making sense to me. =)

However, there is one more problem. I find that if I log in as a user with UserRoleID = 5, then I can still see the /admin/ folder.

This means I need to add some more CFIF logic to my onRequestStart method.

I'm going to work on this for a while then get back to you. I think I know how to do this.

More in a little while.

Thank you again azadisaryev and gdemaria. Hope your day is going well.

Eric
 <!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
    <cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>
      <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
      <p>Please <a href="/coalitionresources/">log in</a> as Administrator if you wish to continue here.</p>
      <p>Thanks, and have a great day.</p>
      <cfabort>
    </cfif>
 </cffunction>
 <!--- END METHOD: onRequestStart --->


0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22733188
just update your cfif statement to be:

<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND (session.auth.isLoggedIn is False OR session.auth.UserRoleID neq 1)>
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 22733212
Eric,

>  So we want application.cfc to exist in /coalitionresources/ -- the "top" folder, above /documents/ and /admin/ -- am I thinking about this correctly?   Yet you are saying my CFIF must test for folders /documents/ and /admin/ to be the top documents?

I am saying that your CFIF tests the first level (which is coalitionresources) but you WANT it to be testing the second level (admin  or documents).   So you need to change your CFIF statement.   You can use the example CFIF  I provided above to test the first OR second levels or you can use azadisaryev's code which will always test the LAST folder.   It depends on your structure and where you're going with the folders.  

Either my example or azadisaryev's example should work for you.



To reduce the confusion of your example, you should change this line...

<cfelse>
      <h1>You are already logged in</h1>

to ...

<cfelse>
      <h1>You do not need to login, or you already are logged in.</h1>

The code is showing this line because the folder is not matching your secure directories list.
So it thinks you don't need to login.



0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22733923
@gdemaria,

I understand that your original code wanted to answer these questions:

1. is session.auth.isLoggedIn set to false?
2. is the current folder on the list for secure directories?
3. What is in coalitionresources ?

... which makes sense to me. I need to know those answers before I can revise the CFIF statement.

>>>You can use the example CFIF  I provided above to test the first OR second levels or you can use azadisaryev's code which will always test the LAST folder

I think I get you. You are saying that this:

<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>

tests the first OR second levels. Whereas azadisaryev's code tests for whichever folder comes last, in this case, /documents/.

N.B. I read up on the function ListFindNoCase: http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_l_10.html#130765

... so I could try to understand why you are using function ListFindNoCase.

When I use
<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>
 
        <cfabort>    
        </cfif>  
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

I get an error:

Invalid CFML construct found on line 47 at column 43.  
ColdFusion was looking at the following text:
>

The CFML compiler was processing:

An expression beginning with (, on line 45, column 7.This message is usually caused by a problem in the expressions structure.
A cfif tag beginning on line 45, column 2.
A cfif tag beginning on line 45, column 2.
 
 
The error occurred in D:\websites\ascassociation.org\coalitionresources\Application.cfc: line 47
 
45 : <cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
46 :    or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
47 :    )  and session.auth.isLoggedIn is False>
48 :  
49 :         <cfabort>  
 

When I use

<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
    <cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>
 
    <p>Hi. You must be logged in as Administrator to view this section of ASC Coalition Resources.</p>
 
<p>Please <a href="/coalitionresources/">log in</a> as Administrator if you wish to continue here.</p>
 
<p>Thanks, and have a great day.</p>
 
        <cfabort>    
        </cfif>  
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

the error goes away and the application works.

Yet both methods make sense to me. I wonder if I introduced error when I implemented

<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
      <cfset var secureDirectories = "admin,documents">
<cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))
   or (listLen(cgi.script_name,"/") gt 1 and listFindNoCase(secureDirectories,listGetAt(cgi.script_name,2,"/"))
   )  and session.auth.isLoggedIn is False>
 
        <cfabort>    
        </cfif>  
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

Now I am working on a way to allow USERROLEID = 5 to access /coalitionresources/documents/ but not /coalitionresources/admin/

@azadisaryev I found that this:

<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND (session.auth.isLoggedIn is False OR session.auth.UserRoleID neq 1)>

prevented UserRoleID = 5 from seeing /coalitionresources/documents/ ... so I think I need a more complex CFIF statement. What do you think?

azadisaryev and gdemaria thank you again.

Eric
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22734105
the error you are seeing in gdemaria's example code is purely due to mismatched parentheses: one closing ) is missing.

and yes, you do need a more complex cfif statement if different users have different access rights to different folders...

something like:
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/")) AND session.auth.isLoggedIn is False>
<!--- your message about need to be logged in here --->
<cfelse><!--- user is either NOT in a secured folder or is logged in already --->
<cfif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/")) eq 'admin' AND session.auth.UserRoleID neq 1>
<!--- user is in admin/ folder and is NOT an admin: do whatever needs to be done --->
<cfelse>
<!--- user is NOT in admin/ folder or is logged in as admin: all OK --->
</cfif>
</cfif>
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22734124
cool! working on this

and it is making sense =)
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 22734738
azadisaryev,

I stared at gdemaria's code thinking there was something missing.

Now I see the missing ) in this line: <cfif (  listFindNoCase(secureDirectories,listFirst(cgi.script_name,"/"))

Also I worked on the CFIF statement on my own for a while thinking I could get it myself.

Your solution is more elegant than my clunky, erroneous attempts. But I am not able to get it to work. Right now the CFABORT kicks in and stops the page from loading.

But, I think this is my fault for not explaining properly.

I really need TWO warning messages:

This displays when anybody who is not UserRoleID = 1 or not logged in tries to view folder /coalitionresources/admin/:

<p>Hi. You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> as Administrator.</p>

This displays when anybody who is not UserRoleID = 1 or UserRoleID = 5 or not logged in tries to view folder /coalitionresources/documents/:

<p>Hi. You must be logged in with proper credentials to view the /coalitionresources/documents/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.</p>

So maybe I need something like:
<cfif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/")) eq 'admin' AND session.auth.UserRoleID neq 1>
<p>Hi. You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
<cfelse>
<cfif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/")) eq 'documents' AND session.auth.UserRoleID neq 1 OR session.auth.UserRoleID neq 5>
<p>Hi. You must be logged in with proper credentials to view the /coalitionresources/documents/ section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.</p>
</cfif>


0
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 250 total points
ID: 22734863
Here it is with a few variables to start you off.   You can use them to set the secure folders and the roles needed to access the admin or the documents area.
<cfset secureDirectories = "admin,documents"> <!---- must be logged in to access any of these --->
<cfset secureAdminRoles = 1>  <!---- must be one of these roles to access admin folder ---->
<cfset secureDocumentRoles = "1,5">  <!---- must be one of these roles to access documents folder ---->

<!--- is the directory on the secure list? ---->
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/"))>
  <cfif session.auth.isLoggedIn is False> <!----- user is not logged in ---->
    <p>You are attempting to access a secure area.
      Please <a href="/coalitionresources/">log in</a>.</p>
    <cfabort>
  <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "admin") and listContains(secureAdminRoles,session.auth.UserRoleID) eq 0>
    <p>You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources.
      Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
    <cfabort>
  <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "documents") and listContains(secureDocumentRoles,session.auth.UserRoleID) eq 0>
    <p>You must be logged in with proper credentials to view the /coalitionresources/documents/
      section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.
    </p>
    <cfabort>
  </cfif>
</cfif>


0
 
LVL 39

Expert Comment

by:gdemaria
ID: 22735009
Here's an updated version.

Removed the unnecessary lcase() function
and changed listContains() to ListFind().   listContains() could result in improper matching.

Eric, your code is close but you need to add ( ) parentheses in your CFIF statement because you have an OR and an AND together.   You are also missing a </cfif>


<cfset secureDirectories = "admin,documents"> <!---- must be logged in to access any of these --->
<cfset secureAdminRoles = "1">  <!---- must be one of these roles to access admin folder ---->
<cfset secureDocumentRoles = "1,5">  <!---- must be one of these roles to access documents folder ---->

<!--- is the directory on the secure list? ---->
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/"))>
  <cfif session.auth.isLoggedIn is False> <!----- user is not logged in ---->
    <p>You are attempting to access a secure area.
      Please <a href="/coalitionresources/">log in</a>.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/")) is "admin") and listFind(secureAdminRoles,session.auth.UserRoleID) eq 0>
    <p>You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources.
      Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/")) is "documents") and listFind(secureDocumentRoles,session.auth.UserRoleID) eq 0>
    <p>You must be logged in with proper credentials to view the /coalitionresources/documents/
      section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.
    </p>
    <cfabort>
  </cfif>
</cfif>

LVL 3

Author Comment

by:Eric Bourland
ID: 22735025
Holy mackerel! It works. =) And it's be-yoo-tiful.

I edited <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "admin") to

<cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/") is "admin")

and <cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/"))) is "documents") to

<cfelseif lcase(listLast(getDirectoryFromPath(cgi.script_name),"/") is "documents")

and that solved two little errors.
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 31506508
azadisaryev and gdemaria are, as the kids say, da shizzle. Thanks very much for explaining this patiently.

Vast peace.

Eric B
LVL 3

Author Comment

by:Eric Bourland
ID: 22735050
gdemaria -- I'll review the revised code. Thank you. I split points between you and azadisaryev. Thanks to you both.
LVL 39

Expert Comment

by:gdemaria
ID: 22735062
cool, can you post the version you're using for a final review..
LVL 3

Author Comment

by:Eric Bourland
ID: 22735098
I found there were a couple of extra parentheses after each cfelseif. It's working really well. =)

<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">

<cfset secureDirectories = "admin,documents"> <!---- must be logged in to access any of these --->
<cfset secureAdminRoles = "1">  <!---- must be one of these roles to access admin folder ---->
<cfset secureDocumentRoles = "1,5">  <!---- must be one of these roles to access documents folder ---->
 
<!--- is the directory on the secure list? ---->
<cfif listFindNoCase(secureDirectories,listLast(getDirectoryFromPath(cgi.script_name),"/"))>
  <cfif session.auth.isLoggedIn is False> <!----- user is not logged in ---->
   <p>You are attempting to access a secured area.  
      Please <a href="/coalitionresources/">log in</a>.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/") is "admin" and listFind(secureAdminRoles,session.auth.UserRoleID) eq 0>
   <p>You must be logged in as Administrator to view the /coalitionresources/admin/ section of ASC Coalition Resources.
      Please <a href="/coalitionresources/">log in</a> as Administrator.</p>
    <cfabort>
  <cfelseif listLast(getDirectoryFromPath(cgi.script_name),"/") is "documents" and listFind(secureDocumentRoles,session.auth.UserRoleID) eq 0>
     <p>You must be logged in with proper credentials to view the /coalitionresources/documents/
        section of ASC Coalition Resources. Please <a href="/coalitionresources/">log in</a> with proper credentials.
     </p>
    <cfabort>
  </cfif>
</cfif>
       
 </cffunction>
 <!--- END METHOD: onRequestStart --->

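A consolidated version of the check the thread converged on, added here as an example and not code from the thread: it keeps the directory-to-role mapping in one struct, var-scopes the variables so concurrent requests do not share them, matches the secured directory anywhere in the request path rather than only its last segment (so nested folders under /admin/ are covered as well), and redirects with cflocation instead of printing markup from inside an output="false" function. The structKeyExists guard on session.auth and the ?reason= query parameter are assumptions.

```cfml
<!--- METHOD: onRequestStart --->
<cffunction name="onRequestStart" output="false" returnType="void">
  <cfargument name="targetPage" type="string" required="true">
  <!--- var-scoped so concurrent requests never share these values --->
  <cfset var appRoot = "/coalitionresources/">
  <cfset var secureDirs = structNew()>
  <cfset var reqDir = "">
  <cfset var dirName = "">

  <!--- each secured directory mapped to the UserRoleIDs allowed into it --->
  <cfset secureDirs["admin"] = "1">        <!--- Administrator only --->
  <cfset secureDirs["documents"] = "1,5">  <!--- Administrator and regular users --->

  <!--- directory of the requested page, e.g. /coalitionresources/admin/ --->
  <cfset reqDir = lcase(getDirectoryFromPath(cgi.script_name))>

  <cfloop collection="#secureDirs#" item="dirName">
    <!--- struct keys come back upper-cased, so lower-case before matching;
          the directory is matched anywhere in the path so nested folders are covered too --->
    <cfif find(appRoot & lcase(dirName) & "/", reqDir)>
      <!--- structKeyExists guard is an assumption; the thread's code relies on session.auth being set at session start --->
      <cfif not structKeyExists(session, "auth") or not session.auth.isLoggedIn>
        <!--- not logged in: send to the login page (the ?reason= parameter is an assumption) --->
        <cflocation url="#appRoot#?reason=login" addToken="false">
      <cfelseif listFind(secureDirs[dirName], session.auth.UserRoleID) eq 0>
        <!--- logged in, but the role is not on this directory's list --->
        <cflocation url="#appRoot#?reason=role" addToken="false">
      </cfif>
    </cfif>
  </cfloop>
</cffunction>
<!--- END METHOD: onRequestStart --->
```

onRequestStart only runs for requests ColdFusion itself handles (.cfm/.cfc pages); static files such as PDFs dropped into /documents/ are served by the web server directly and bypass this check entirely, so they need a separate control, for instance storing them outside the web root and streaming them through a .cfm page with cfcontent after the same role check.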