I usually set a session.accessLevel as they are logged in. So, for example, 
"session.accessLevel EQ 1" means they are an administrator with rights to see 
everything. In the pages a non-admin user shouldn't see, check if "session.accessLevel 
EQ 1". If not, throw them out.

In your case, if it's a school, you could set a session variable to their school ID. 
In your code / queries, check against this to make sure they can only access the data 
they're allowed to see.

It's a bit crude but works!

Damien
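
A worked version of the pattern above, added here as an example rather than code from Damien or Paul: the access level and the school ID are copied into the session from the user's own database row at login, a central onRequestStart gate rejects unauthenticated requests, and the data page takes the school ID from the session for school users (the URL is ignored) and from a validated URL parameter only for advisers. The datasource name WebUserDSN is the one in the thread; the table and column names (user_details.password_hash, salt, access_level, school_id; a results table), page names and the 1 = adviser / 2 = school convention are assumptions.

```cfml
<!--- ===== Application.cfc =====
      Added example, not code from the original thread. Assumed schema:
      user_details(users_name, password_hash, salt, access_level, school_id)
      where access_level 1 = adviser (sees every school), 2 = school user;
      results(school_id, pupil_id, score). Datasource WebUserDSN is the one
      from the thread; table/column names and page names are assumptions. --->
<cfcomponent>
    <cfset this.name = "schoolData">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- One central gate: anything but the login pages needs a session
              that was populated by login_action.cfm, so a page that forgets
              its own check still cannot be reached anonymously. --->
        <cfif NOT structKeyExists(session, "accessLevel")
              AND NOT reFindNoCase("login(_action)?\.cfm$", arguments.targetPage)>
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- ===== login_action.cfm ===== --->
<!--- Look the user up by name only; the password is checked in CFML, and
      every form value goes through cfqueryparam so it cannot change the SQL. --->
<cfquery name="u" datasource="WebUserDSN">
    SELECT users_name, password_hash, salt, access_level, school_id
    FROM user_details
    WHERE users_name = <cfqueryparam value="#trim(form.entered_UserName)#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset ok = false>
<cfif u.recordCount EQ 1>
    <!--- Salted SHA-256 keeps the example short; prefer a slow KDF
          (GeneratePBKDFKey on CF11+, or bcrypt) in production. --->
    <cfset ok = compare(hash(u.salt & form.entered_password, "SHA-256", "UTF-8"), u.password_hash) EQ 0>
</cfif>

<cfif NOT ok>
    <cflocation url="login.cfm?failed=1" addtoken="false">
<cfelse>
    <cfset sessionRotate()>   <!--- new session id on login (CF10+/Lucee) --->
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.user        = u.users_name>
        <cfset session.accessLevel = u.access_level>  <!--- 1 = adviser, 2 = school --->
        <!--- The school comes from the user's own row, never from the request. --->
        <cfset session.schoolID    = u.school_id>
    </cflock>
    <cfif session.accessLevel EQ 1>
        <cflocation url="choose_school.cfm" addtoken="false">
    <cfelse>
        <cflocation url="school_results.cfm" addtoken="false">
    </cfif>
</cfif>

<!--- ===== school_results.cfm ===== --->
<!--- The authorisation decision: which school_id may this request read? --->
<cfif session.accessLevel EQ 1>
    <!--- Adviser: the school is chosen on the URL, but must be an integer. --->
    <cfparam name="url.school_id" type="integer">
    <cfset schoolID = url.school_id>
<cfelse>
    <!--- School user: url.school_id is ignored entirely, so editing the
          URL to another school's id still returns only their own data. --->
    <cfset schoolID = session.schoolID>
</cfif>

<cfquery name="results" datasource="WebUserDSN">
    SELECT pupil_id, score
    FROM results
    WHERE school_id = <cfqueryparam value="#schoolID#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <h2>Results for school #schoolID#</h2>
    <cfloop query="results">
        <p>#encodeForHTML(pupil_id)#: #encodeForHTML(score)#</p>
    </cfloop>
</cfoutput>
```

The two lines that stop the URL hacking Paul asks about are the `<cfelse>` branch on school_results.cfm, which never reads url.school_id for a school user, and the cfqueryparam on the results query, which keeps whatever value ends up in schoolID from being interpreted as SQL. Everything else (the central gate, the session rotation, the hashed password) is the supporting hygiene a login flow like this should have.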


> 
> Hi,
> 
> I wonder if anyone can help me with this please.
> 
> I have a system which shows data to schools and advisers. Advisers can see
> all data about everything. Schools can only see data from their own school.
> I have a login system (standard out of the book type)
> 
> When an adviser logs in they are directed to a page that asks them to
> select the school they are looking for.
> When a school logs in they are directed to their school only.
> 
> The problem is how do I maintain this when the school user navigates around
> the site and how do I stop schools from hacking the URL and going to a
> different school's data ...?
> 
> Regards - Paul
> 
> My login action script follows .....
> 
> 
> <!--- Page to return to after login (taken from the URL) --->
> <cfset Page = url.page_id>
> <!--- Bind the form values with cfqueryparam so they cannot alter the SQL --->
> <CFQUERY NAME="password_query" DATASOURCE="WebUserDSN">
> SELECT * FROM user_details
> WHERE       user_details.roles = <cfqueryparam value="#trim(form.select_user)#" cfsqltype="cf_sql_varchar">
>             AND user_details.password = <cfqueryparam value="#trim(form.entered_password)#" cfsqltype="cf_sql_varchar">
>             AND user_details.users_name = <cfqueryparam value="#trim(form.entered_UserName)#" cfsqltype="cf_sql_varchar">
> </CFQUERY>
> 
> <cfoutput>
>       <cfif password_query.RecordCount is 0>
>             <!--- Log the failed attempt, but never the password that was tried --->
>             <cffile action="Append"
>             file="#application.log#"
>             output="#DateFormat(Now())#, #TimeFormat(Now())# ACCESS
> DENIED!  username = #trim(form.entered_UserName)#  role
> = #trim(form.select_user)#.">
>             <cflocation url="../loggedin/password.cfm?page_id=#page#&nl=1">
>       <cfelse>
>             <cffile action="Append"
>             file="#application.log#"
>             output="#DateFormat(Now())#, #TimeFormat(Now())#,
> #password_query.users_name# LOGGED IN">
>                   <cflock timeout="10"
>                               type = "exclusive"
>                               scope = "session">
>                         <cfset session.loggedin = "1">
>                         <cfset session.user = password_query.users_name>
>                         <cfset session.access_rights = password_query.roles>
>                         <cfif password_query.roles eq 'Head Teacher'>
>                               <cfset session.head = "1">
>                               <!--- The school ID comes from the user's own record, never from the URL --->
>                               <cfset session.school = encrypt(password_query.access, application.key)>
>                         </cfif>
>                   </cflock>
>             <cflocation url="../#Page#">
>       </cfif>
> </cfoutput>
> 
> 
> 
> 
> *************************************************************************************************
> The information contained within this e-mail (and any attachment) sent by Birmingham 
> City Council is confidential and may be legally privileged. It is intended only for 
> the named recipient or entity to whom it is addressed. If you are not the intended 
> recipient please accept our apologies and notify the sender immediately, or 
> telephone +(44) 121 303 6666. Unauthorised access, use, disclosure, storage or 
> copying is not permitted and may be unlawful. Any e-mail including its content may 
> be monitored and used by Birmingham City Council for reasons of security and for 
> monitoring internal compliance with the office policy on staff use. E-mail blocking 
> software may also be used. Any views or opinions presented are solely those of the 
> originator and do not necessarily represent those of Birmingham City Council. We 
> cannot guarantee that this message or any attachment is virus free or has not been 
> intercepted and amended.
> 
> *************************************************************************************************
> 
> 
> -- 
> These lists are syncronised with the CFDeveloper forum at 
> http://forum.cfdeveloper.co.uk/
> Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
>  
> CFDeveloper Sponsors and contributors:-
> *Hosting and support provided by CFMXhosting.co.uk* :: *ActivePDF provided by 
> activepdf.com*
>       *Forums provided by fusetalk.com* :: *ProWorkFlow provided by proworkflow.com*
>            *Tutorials provided by helmguru.com* :: *Lists hosted by gradwell.com*
> 
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> 

