Jim Davis wrote:

> It seems like it might be overkill to tag every single page (since then you
> would have to provide permissions to every single page). Are your needs
> really so complex that they can't be managed with groups?

Well, I need the application to know what file is what because it is going to return structures with "rights" (think Windows NT rights) flags back to the calling template based on permissions. So, let's say a page can post, edit, or delete a topic. When the page is accessed, it will check the current user's permissions and will set any "flag" variables (or rights) for the template and let the template know, for lack of a better word, what it's allowed to do. Does that make sense?

> In other words you define a group (say "editor" or "admin") and then assign
> sets of pages to that one group. In fact assigning "pages" to groups is
> actually a bit too rough for my tastes: I would want to assign functionality
> to groups and check that within the page.
> It seems to me there are plenty of cases where a single template needs to
> display things for many different entitlements... a simple example is a
> navigation component/tag. It's common for the navigation of a page to
> change based on the permissions of the user.

Like I mentioned above, the application will "tell" the page what it's allowed to do based on the permissions of the user logged in. How the system knows what permissions are associated with each different page is another portion I have not explained, but it's not really that important right now.

> I would probably not trust the CGI variables (which are web server
> dependent) for this. Instead use the built in CF functions:
> getCurrentTemplatePath() for example.

Ok, now, my question here is: if I use that function, what template is it going to return? Remember, this function is going to be called from a custom tag that is located within the Application.cfm file. So will it return the tag pathname, the Application.cfm pathname, or the actual file that was requested by the user? Also, why wouldn't you trust the web server to provide the correct file name to the CF server?

> As for which is "more secure" - neither. Where you put your code has
> nothing to do with the security of the system. The application.cfm solution
> will DEFINITELY make the code more maintainable... and maintainable code is
> less buggy than un-maintainable code.

I think what I meant to say by "secure" was: is there a way to get around my tags? You kinda answered my question when you suggested not to trust the CGI variables.

> I know that I've been plugging this lately but you might want to check
> out the Security System in the DP Libraries (long URL):
> http://www.depressedpress.com/depressedpress/Content/Development/ColdFusion/
> DPLibraries/Index.cfm

Thank you for posting the URL to your library. I saw you mention something about it in one of the COAL posts but I didn't see any URLs. I will definitely check out what you've done.

In regards to everything you wrote explaining your security system (I won't quote it all), there is one thing which I don't think it addresses, and it is specifically what I am looking for: in all the security systems that I've seen so far (even the built-in one), they only assign permissions to files. Whether it's done by groups, roles, whatever, it still only says who can access a file. It doesn't really address the fact that pages can perform multiple duties. One thing I refuse to do is hard-code stuff like:

    if admin
        let me delete this message
    if moderator or admin
        let me edit this message
    if user
        I can't do crap
    endif

I want my system to be completely dynamic such that it will keep track of what functions (or entitlements, like you called it) each page can perform (like my example with the message posting page above), and who is allowed to perform each of those functions for that page. Now, how does the system know what tasks a page can perform? The page tells it... in a tag.

<breaking the train of thought>
Aw crap. I think I just answered my question as to why I have to put a tag at the top of each page.
Ok, you know when you have one of those moments where you type out an entire message about a question and then answer it at the very end? Well, I've just done that. Instead of retyping, I'm just going to continue...
</breaking the train of thought>

Ok, never mind, you can ignore my questions about putting the tag in the Application.cfm file. I still have to put it at the top of each file because it's in that tag that you specify what rights, or entitlements, that page has; those rights are then registered with the application and then assigned permissions. Then, when that page is requested by a user, the system checks to see if that user has permission to access the file *and* which rights the user has permission to. Based on those permissions, the application then tells the calling page what it's allowed to do. Does that make any sense at all? I can write it out again if you're curious.

mike

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217318
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
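The per-page entitlement scheme mike describes above, written out as an added example in Python; this is not code from the thread, from mike's application, or from the DP Libraries, and the page keys, role names and grants are constructed for illustration. Each page registers the rights it can exercise (the "tag at the top of each page"), permissions are then granted per page and per right to roles, and at request time the application returns one boolean flag per declared right for the template. The same check also gates the action handler, since a template that merely hides the delete button is not an access control on its own. Unregistered pages, unknown rights and users with no roles are all denied by default.

```python
"""Per-page entitlement registry (added example, not the original poster's code).

A page declares the rights it can perform; an administrator grants those
rights, per page, to roles; at request time the application computes a
flag per right for the template and re-checks the same grants before
running any action.
"""
from typing import Dict, FrozenSet, Iterable, Set


class AuthorizationError(Exception):
    """Raised when an action is attempted without the required right."""


class RightsRegistry:
    def __init__(self) -> None:
        # page key -> rights that page declared when it registered itself
        self._page_rights: Dict[str, FrozenSet[str]] = {}
        # page key -> role -> rights granted to that role on that page
        self._grants: Dict[str, Dict[str, Set[str]]] = {}

    def register_page(self, page: str, rights: Iterable[str]) -> None:
        """Declare the rights a page can perform (the per-page tag).
        Re-registering replaces the declaration and drops any grant for a
        right the page no longer declares."""
        declared = frozenset(rights)
        if not declared:
            raise ValueError(f"{page}: a page must declare at least one right")
        self._page_rights[page] = declared
        grants = self._grants.setdefault(page, {})
        for role in grants:
            grants[role] &= declared

    def grant(self, page: str, role: str, rights: Iterable[str]) -> None:
        """Allow `role` to exercise `rights` on `page`. A right the page never
        declared is rejected, so a typo cannot silently create a permission."""
        declared = self._page_rights.get(page)
        if declared is None:
            raise ValueError(f"{page}: page has not registered its rights")
        wanted = set(rights)
        unknown = wanted - declared
        if unknown:
            raise ValueError(f"{page}: unknown rights {sorted(unknown)}")
        self._grants[page].setdefault(role, set()).update(wanted)

    def rights_for(self, page: str, roles: Iterable[str]) -> Dict[str, bool]:
        """Flags for the calling template: every declared right mapped to
        True/False. An unknown page or a user with no roles gets nothing
        (deny by default)."""
        declared = self._page_rights.get(page, frozenset())
        grants = self._grants.get(page, {})
        allowed: Set[str] = set()
        for role in roles:
            allowed |= grants.get(role, set())
        return {right: right in allowed for right in sorted(declared)}

    def can_access(self, page: str, roles: Iterable[str]) -> bool:
        """Access to the file itself: at least one right on that page."""
        return any(self.rights_for(page, roles).values())

    def require(self, page: str, roles: Iterable[str], right: str) -> None:
        """Server-side gate for an action handler. The template flags decide
        what to show; this decides what actually runs."""
        if not self.rights_for(page, roles).get(right, False):
            raise AuthorizationError(f"{page}: {right!r} denied")


def build_demo_registry() -> RightsRegistry:
    """Constructed sample data: a message page with post/edit/delete rights."""
    reg = RightsRegistry()
    reg.register_page("forum/message.cfm", ["post", "edit", "delete"])
    reg.grant("forum/message.cfm", "admin", ["post", "edit", "delete"])
    reg.grant("forum/message.cfm", "moderator", ["post", "edit"])
    reg.grant("forum/message.cfm", "user", ["post"])
    return reg


def handle_delete(reg: RightsRegistry, page: str, roles: Iterable[str]) -> str:
    """Action handler that re-checks the grant instead of trusting that the
    template hid the delete button from unauthorized users."""
    reg.require(page, list(roles), "delete")
    return "deleted"


if __name__ == "__main__":
    reg = build_demo_registry()
    for roles in (["admin"], ["moderator"], ["user"], []):
        print(roles, reg.rights_for("forum/message.cfm", roles))
```

On the path question raised in the post: in ColdFusion, getCurrentTemplatePath() called inside a custom tag returns the tag file's own path, while getBaseTemplatePath() returns the base page that was requested. The example sidesteps the issue entirely by having each page pass its own key when it registers, so the authorization data never depends on a server-derived path.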

