Just be aware of the age old CFCOOKIE and CFLOCATION problems, if you are using them.

The actual architecture of an app module like this can take several shapes and forms, from posting the page to itself and working stuff out, or using Fusebox, or indeed location or includes.... If the code is parsed by the server and as long as the server is patched I can see no way of getting past this. Also, but the underscore in the variable user_role?

Neil Clark
Team Macromedia
http://www.macromedia.com/go/team

Announcing Macromedia MX!!
http://www.macromedia.com/software/trial/

-----Original Message-----
From: Justin Scott [mailto:[EMAIL PROTECTED]]
Sent: 23 May 2002 16:16
To: CF-Talk
Subject: Re: page security using <cfabort>

You might think about using a CFLOCATION instead to redirect to an "unauthorized" page that will have a full set of HTML. Using CFABORT in the middle of the page like that will cause the closing tags to get cut off and some browsers will freak out and not even display the message at all.

As for the security itself, it looks ok, but there's no way to tell for certain if something is "secure" or not without seeing all of the code that touches those variables.

-Justin Scott, Lead Developer
Sceiron Internet Services, Inc.
http://www.sceiron.com

----- Original Message -----
From: "Jeff Brown" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, May 23, 2002 11:07 AM
Subject: page security using <cfabort>

> I am planning on adding role based page level security to my application by
> adding this chunk of code to every page:
>
> <body>
> <cfif ListFindNoCase("AllowedRole1,AllowedRole2,AllowedRole3",
> #session.user_role#, ",") EQ 0>
> You are not authorized to view this page. <cfabort>
> </cfif>
>
> .. [page content] ...
>
> </body>
>
> Session.user_role is set when the user logs in to the app. Is this a fairly
> standard way to do it? Certain pages should not be viewable by certain
> roles, can anyone think of an instance where a user could get past this?
> TIA.
>
> v/r,
> Jeff
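Justin's suggestion of redirecting with CFLOCATION before any output, plus the case Jeff's snippet does not cover (a visitor with no session.user_role at all), written up as an added example that is not code from this thread; the Application.cfm placement, the allowedRoles structure and the /unauthorized.cfm path are assumptions.

```cfml
<!--- Application.cfm: ColdFusion runs this before every template in the app,
      so the role check happens once, before any HTML has been sent. --->
<cfapplication name="RoleDemo" sessionmanagement="Yes">

<!--- Assumed for this example: one place mapping each protected template
      to the roles that may view it, instead of a list pasted into every page. --->
<cfset allowedRoles = StructNew()>
<cfset allowedRoles["admin.cfm"]   = "Admin">
<cfset allowedRoles["reports.cfm"] = "Admin,Manager">

<!--- A visitor who never logged in has no session.user_role at all.
      Without this default the ListFindNoCase call below would throw an
      error page rather than deny access; an empty role matches nothing. --->
<cfparam name="session.user_role" default="">

<!--- Template name of the page being requested, e.g. "reports.cfm". --->
<cfset currentPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif StructKeyExists(allowedRoles, currentPage)>
    <cfif ListFindNoCase(allowedRoles[currentPage], session.user_role) EQ 0>
        <!--- Redirect to a complete page instead of aborting mid-document,
              so the browser never receives truncated HTML.
              Keep this away from the request that sets the login cookie
              (the CFCOOKIE/CFLOCATION problem mentioned in the thread). --->
        <cflocation url="/unauthorized.cfm" addtoken="No">
    </cfif>
</cfif>
```

Pages not listed in allowedRoles fall through unchanged, so the protected set is exactly the keys of that structure.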

