• Status: Solved

ColdFusion Privileges

Hi There.

I have a website where there are sections that require users to be logged in before accessing them.  There are also sections that do not require a user to be logged in.

Is there a way to specify which pages require the user to be logged in and which pages do not, without breaking it out into two separate applications?

Thanks in Advance.
0
Asked: SFTProd
 
gdemaria Commented:

Yes, there are a bunch of ways of doing this.

One way is to use folders/directories under your web root.  Some folders are all secure, others are open.  You can also do it page by page.


If you're going to do it page by page, you can add a line to the beginning of every file that tests the level of privileges that you need for that page.


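<!--- if the user is not logged in, then go to the login page --->
<cfif val(session.user_id) eq 0>
    <cfinclude template="login.cfm">
    <!--- stop here so the rest of the protected page is not rendered after the login form --->
    <cfabort>
</cfif>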

If you do it at the folder level, you could do it in the application.cfm/.cfc file...

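<!--- the folders on the list are secure --->
<!--- listFirst() returns the top-level folder of the requested path --->
<cfif listFindNoCase("secure,admin,cart", listFirst(cgi.script_name, "/\")) and val(session.user_id) eq 0>
    <cfinclude template="login.cfm">
    <!--- stop here so the rest of the protected page is not rendered after the login form --->
    <cfabort>
</cfif>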


0
 
SFTProd (Author) Commented:
I think your solution will work.  However, I am using the CFLOGIN framework.  I am not sure this will work with it since I cannot access any sub-folders under the application.cfc and have it display properly without logging them in using cflogin.

What I am trying to do is access pages under the sub-folders without logging the user in.

Do you know how we can achieve this?

Thanks.
0
 
gdemaria Commented:
> However, I am using the CFLOGIN framework.

How would this be a problem?   You didn't say you have to manage roles, you just need to know if they are logged in or not.    I am sure CFLOGIN has a way to let you know if someone is logged in or not.


>  I am not sure this will work with it since I cannot access any sub-folders under the application.cfc

I don't know what you mean by this.   How is it that you cannot access folders, or do you mean you want to make the users log in in order to access a folder?


> What I am trying to do is access pages under the sub-folders without logging the user in.

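If you have a folder where all pages may be accessed without a login, you can use the CFIF statement in my first post, just change it to be an insecure list (instead of a secure list) and all others will be secured.

<!--- listFirst() returns the top-level folder of the requested path --->
<cfif listFindNoCase("secure,admin,cart", listFirst(cgi.script_name, "/\")) and val(session.user_id) eq 0>
    <cfinclude template="login.cfm">
    <!--- stop here so the rest of the protected page is not rendered after the login form --->
    <cfabort>
</cfif>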

0

 
SFTProd (Author) Commented:
I have not built out the security module yet.  As a result, I am not yet using roles.  For the time being, I am trying to include something like the following:

Folder Structure (only logged-in users can access cfm files)
/application.cfc
/components/header.cfm


Folder Structure (everybody can access cfm files)
/guest/application.cfc
/guest/index.cfm

Within the second folder structure, I have a different application.cfc which defines it as a new application that does not check for login or not.  As a result, everybody can access the cfm files in it.  When I try to include something like <cfinclude template="../components/header.cfm">, I cannot because the other application requires me to login before it serves the page.  Instead, it serves me the login page.

I am trying to find a way of making exceptions on what pages can be accessed and in the main folder structure (1st one above) from the 2nd one above.

Thanks.
0
 
gdemaria Commented:

I assume your application.cfc files are very similar, except for the login.   I think you should have only one application.cfc file for an app, so I would merge them.

Then use the code I provided to test to see if a file being accessed is under the secure folder.  

That should do it..
0
 
SFTProd (Author) Commented:
The problem is that the cflogin tag completely prevents the pages from loading if they are not logged in.  I am wondering if there is a way to specify a list of pages that are never locked no matter if they are logged in or not.
0
 
gdemaria Commented:
> cflogin tag completely prevents the pages from loading if they are not logged in

Your code is preventing this, not the cflogin tag.   You need to add some type of strategy as discussed above to allow the page through if desired.

Something like

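<!--- SecurePage and LoggedIn are placeholder booleans that you set earlier in the request --->
<cfif SecurePage and NOT LoggedIn>
    <cfinclude template="login.cfm">
    <cfabort>
</cfif>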


If you'd like help with your specific code, please post the code..

0
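The single-Application.cfc approach discussed in this thread, with the folder list inverted into a list of public folders so that everything not listed requires a login. This is an added example, not code posted by either participant. It assumes a top-level /guest folder is the only public area, that login.cfm sits next to Application.cfc, and that the login code stores a numeric session.user_id as in the snippets above; the application name and the helper functions isPublicPath and isLoggedIn are hypothetical.

```cfml
<!--- Application.cfc in the web root (added example, names are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "exampleSite">
    <cfset this.sessionManagement = true>
    <!--- Assumed layout: only these top-level folders are open to everyone --->
    <cfset variables.publicFolders = "guest">

    <cffunction name="isPublicPath" access="private" returntype="boolean" output="false">
        <cfargument name="path" type="string" required="true">
        <cfset var parts = listToArray(arguments.path, "/\")>
        <!--- Refuse traversal sequences instead of trying to interpret them --->
        <cfif find("..", arguments.path) gt 0>
            <cfreturn false>
        </cfif>
        <!--- A file directly in the web root has one segment: treat it as protected --->
        <cfif arrayLen(parts) lt 2>
            <cfreturn false>
        </cfif>
        <cfreturn listFindNoCase(variables.publicFolders, parts[1]) gt 0>
    </cffunction>

    <cffunction name="isLoggedIn" access="private" returntype="boolean" output="false">
        <!--- Assumes the login code stores a numeric session.user_id --->
        <cfreturn structKeyExists(session, "user_id") and val(session.user_id) gt 0>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Default deny: anything that is not explicitly public needs a login --->
        <cfif not isPublicPath(arguments.targetPage) and not isLoggedIn()>
            <!--- Path is relative to this Application.cfc, not to the requested page --->
            <cfinclude template="login.cfm">
            <!--- Stop here so the protected page body is never rendered --->
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

onRequestStart runs once per request for the page that was requested, not for each cfinclude, so a page under /guest can include a shared template such as /components/header.cfm without triggering the login check again.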
