Hi,
I wonder if anyone can help me with this please.
I have a system which shows data to schools and advisers. Advisers can see
all data about everything. Schools can only see data from their own school.
I have a login system (standard out of the book type)
When an adviser logs in they are directed to a page that asks them to
select the school they are looking for.
When a school logs in they are directed to their school only.
The problem is how do I maintain this when the school user navigates around
the site, and how do I stop schools from hacking the URL and going to a
different school's data?
Regards - Paul
My login action script follows:
<!--- Page the user asked for; taken from the URL but only used after a successful login --->
<cfset Page = url.page_id>
<!--- Bind every form value as a query parameter so user input can never alter the SQL --->
<cfquery name="password_query" datasource="WebUserDSN">
SELECT * FROM user_details
WHERE user_details.roles = <cfqueryparam value="#trim(form.select_user)#" cfsqltype="cf_sql_varchar">
AND user_details.password = <cfqueryparam value="#trim(form.entered_password)#" cfsqltype="cf_sql_varchar">
AND user_details.users_name = <cfqueryparam value="#trim(form.entered_UserName)#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfoutput>
<cfif password_query.RecordCount is 0>
<!--- Log the failed attempt by username; the submitted password is never written to the log --->
<cffile action="Append"
file="#application.log#"
output="#DateFormat(Now())#, #TimeFormat(Now())# ACCESS DENIED! username = #trim(form.entered_UserName)#">
<cflocation url="../loggedin/password.cfm?page_id=#Page#&nl=1">
<cfelse>
<cffile action="Append"
file="#application.log#"
output="#DateFormat(Now())#, #TimeFormat(Now())#, #password_query.users_name# LOGGED IN">
<!--- All session writes happen under one exclusive lock --->
<cflock timeout="10"
type="exclusive"
scope="session">
<cfset session.loggedin = "1">
<cfset session.user = password_query.users_name>
<cfset session.access_rights = password_query.roles>
<cfif password_query.roles eq 'Head Teacher'>
<!--- School users are bound to their own school for the life of the session --->
<cfset session.head = "1">
<cfset session.school = encrypt(password_query.access, application.key)>
</cfif>
</cflock>
<cflocation url="../#Page#">
</cfif>
</cfoutput>
*************************************************************************************************
The information contained within this e-mail (and any attachment) sent by Birmingham
City Council is confidential and may be legally privileged. It is intended only for
the named recipient or entity to whom it is addressed. If you are not the intended
recipient please accept our apologies and notify the sender immediately, or telephone
+(44) 121 303 6666. Unauthorised access, use, disclosure, storage or copying is not
permitted and may be unlawful. Any e-mail including its content may be monitored and
used by Birmingham City Council for reasons of security and for monitoring internal
compliance with the office policy on staff use. E-mail blocking software may also be
used. Any views or opinions presented are solely those of the originator and do not
necessarily represent those of Birmingham City Council. We cannot guarantee that this
message or any attachment is virus free or has not been intercepted and amended.
*************************************************************************************************
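One way to answer Paul's question, as an added example rather than code from the post: a request-level check placed in the existing Application.cfm, so it runs before every page and cannot be bypassed by typing a URL. It reuses the session variables the login script sets (session.loggedin, session.head, session.school, session.user, application.key, application.log) and assumes a hypothetical url.school_id parameter on the data pages.

```cfml
<!--- Application.cfm: executed before every request in the application --->

<cfif NOT IsDefined("session.loggedin") OR session.loggedin NEQ "1">
    <!--- Not logged in: allow only the login page itself through --->
    <cfif NOT FindNoCase("login.cfm", CGI.SCRIPT_NAME)>
        <cflocation url="/login.cfm" addtoken="false">
    </cfif>
<cfelseif IsDefined("session.head") AND session.head EQ "1">
    <!--- School user: the school is whatever was bound to the session at login.
          The URL is never trusted; a school_id that disagrees is refused and logged. --->
    <cfset request.own_school = Decrypt(session.school, application.key)>
    <cfif IsDefined("url.school_id") AND url.school_id NEQ request.own_school>
        <cffile action="append" file="#application.log#"
                output="#DateFormat(Now())#, #TimeFormat(Now())# DENIED: #session.user# requested school #url.school_id#, own school #request.own_school#">
        <cfabort showerror="You do not have access to that school.">
    </cfif>
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.current_school = request.own_school>
    </cflock>
<cfelse>
    <!--- Adviser: may pick any school; the choice is remembered in the session --->
    <cfif IsDefined("url.school_id") AND IsNumeric(url.school_id)>
        <cflock scope="session" type="exclusive" timeout="10">
            <cfset session.current_school = url.school_id>
        </cflock>
    </cfif>
</cfif>

<!--- In every data page: filter on the session value, never on url.school_id --->
<!---
<cfquery name="pupils" datasource="WebUserDSN">
    SELECT * FROM pupil_data
    WHERE school_id = <cfqueryparam value="#session.current_school#" cfsqltype="cf_sql_integer">
</cfquery>
--->
```

Because data pages read session.current_school rather than the URL, a school user who edits school_id in the address bar either gets their own data or the denied message, and the attempt appears in the log.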
--
These lists are synchronised with the CFDeveloper forum at
http://forum.cfdeveloper.co.uk/
Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/