I use the same model that Ian does. I then maintain a database within the 
website that assigns permissions based on the username. The database contains 
fields for the username, and one field for each directory on the website, with 
either a simple yes or no value in each field.

So, if #username# does not have permissions for a given directory on my 
website, they are <CFLOCATION>'d to an access request page where they can 
request access to the directory in question.

On my application.cfm page, I have the following:

<!--- Remove the domain name from the cgi.auth_user --------->
<!--- cgi.auth_user is set by the web server's authentication, not by the
      visitor; the first 10 characters are the "DOMAIN\" prefix --------->
<CFSET VisitorName = lcase(removeChars(cgi.auth_user, 1, 10))>

<!--- Determine the current directory --------->
<!--- Strip the fixed web-root prefix from the template path, then keep
      everything up to the first backslash (the first directory name) --->
<CFSET CurrentDirectory = removeChars(CF_Template_Path, 1, 19)>
<CFSET CurrentDirectory = spanexcluding(CurrentDirectory, "\")>



<CFIF CurrentDirectory NEQ "default.cfm">
<!--- The user is not at the home page ---------------------->
<!--- One Yes/No column per directory, so the directory name is used as
      the column name; the username is bound as a query parameter ------>
<cfquery name="AccessRights" datasource="Security" dbtype="ODBC">
        SELECT VisitorName
        FROM tblAccess
        WHERE VisitorName = <cfqueryparam value="#VisitorName#" cfsqltype="cf_sql_varchar">
        AND #CurrentDirectory# = Yes
</cfquery>



<CFIF AccessRights.RecordCount EQ 0>
<!--- No username with rights in this dir, send to Access Request Page--->
<!--- cflocation stops processing, so the protected template never renders --->
        <cflocation url="http://#cgi.SERVER_NAME#/security/ARP.cfm">
</CFIF>
</CFIF>



By placing the code in the application.cfm page, I defeat efforts of users to 
change the username by using the address line. So, something like this would 
not allow an end user to impersonate another user: 
http://website.com?visitorname="jblow"


It may not be the fastest or most elegant solution, but it works like a charm 
for us, and satisfies the security police here at work.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225945
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
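The following is an added example, not the poster's code, showing the same Application.cfm directory check written so that nothing taken from the request path is spliced into the SQL as a column name. It assumes a normalized rights table tblAccess(VisitorName, Directory) with one row per grant instead of one Yes/No column per directory, a datasource named "Security" and a 10-character "DOMAIN\" prefix on cgi.auth_user as in the post; the PublicDirectories list and the ?dir= parameter on ARP.cfm are also assumptions.

```cfml
<!--- Added example (not the original poster's code). Assumed schema:
      tblAccess(VisitorName varchar, Directory varchar), one row per grant.
      Assumed datasource "Security" and a fixed 10-character domain prefix
      on cgi.auth_user, as in the post. --->

<!--- The username comes from the web server's authentication, never from
      the URL or form scope, so ?visitorname=jblow on the address line has
      no effect: this CFSET runs on every request and wins the lookup. --->
<cfset VisitorName = lcase(removeChars(cgi.auth_user, 1, 10))>

<!--- Directory that holds the requested template, e.g. "reports" --->
<cfset TemplateDir = getDirectoryFromPath(cgi.cf_template_path)>
<cfset CurrentDirectory = listLast(TemplateDir, "\/")>

<!--- Templates in the web root (the home page) are not checked --->
<cfset AtWebRoot = (compareNoCase(TemplateDir, expandPath("/")) EQ 0)>

<!--- Directories everyone may use (assumed list). The access request
      page must be in one of them, otherwise a denied user would be
      redirected in a loop. --->
<cfset PublicDirectories = "security">

<cfif NOT AtWebRoot AND listFindNoCase(PublicDirectories, CurrentDirectory) EQ 0>
    <!--- Both values are bound with cfqueryparam and no column name is
          built from the path, so a username or directory containing a
          quote or other SQL characters cannot change the statement. --->
    <cfquery name="AccessRights" datasource="Security">
        SELECT 1 AS Allowed
        FROM tblAccess
        WHERE VisitorName = <cfqueryparam value="#VisitorName#" cfsqltype="cf_sql_varchar">
          AND Directory   = <cfqueryparam value="#CurrentDirectory#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfif AccessRights.recordCount EQ 0>
        <!--- No grant for this user and directory: send the user to the
              access request page. cflocation stops processing, so the
              protected template is never rendered. --->
        <cflocation url="/security/ARP.cfm?dir=#urlEncodedFormat(CurrentDirectory)#" addtoken="no">
    </cfif>
</cfif>
```

With one row per grant, adding a directory is an INSERT rather than a schema change, and the query text is the same for every request, which is what makes parameter binding possible for both sides of the check.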