One method I'm fond of is to use NT ACL (Access Control List) permissions.
Mind you, I'm in the minority here, but I never cared what other people think
anyway, heh.
Let's say you've got an app called "Banking". With Windows NT (Can you tell I
develop in an NT environment?), use User Manager for Domains, and create a
group called "Banking Users". Now, if you want an admin-only section, create
an NT group called "Banking Admins".
If you've been a good fuseboxer, and have isolated functions into specific
sub-directories, implementing this security structure is a snap. On the
generic circuits in your app, you assign read permissions to the "Banking
Users" group. On the admin circuits, well, ya guessed it. Assign read
permissions to the "Banking Users" group.
You have to fuss with your included files, but you can also set up
permissions so instead of being read-only, they are execute-only. This
prevents anybody from reading the CF code, but it allows the code to be
executed by the CFAS. Trickier to implement, but quite secure.
Now, you might wonder why you would create a permissions structure that
requires operator intervention, as far as modifying the access lists goes.
In my environment, we have a Help Desk, and I can have those folks handle
the task of user account maintenance. Also, there is an NT function called
CACLS you can execute to modify ACLs.
One nice thing about this whole scheme is you can still implement any sort
of database-driven security; this will work in conjunction with it, and
it'll be there even if you mess up.
Alan McCollough
Web Programmer
Allaire Certified ColdFusion Developer
Alaska Native Medical Center
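As an added example (not code from Alan's post, and not anything shipped by Allaire or the Fusebox project), here is the group-per-circuit scheme above written out as an NT command script, using `net group` in place of User Manager for Domains and the CACLS command the post mentions. The app root C:\Inetpub\wwwroot\Banking, the circuit directory names, the domain MYDOMAIN, the account jdoe and the service account CFWEBSVC are all assumptions. The scheme only protects anything when the web server authenticates visitors against NT accounts and serves each request under that visitor's token; under anonymous access the ACL is evaluated against the anonymous web account, not the person at the browser.

```batch
@echo off
REM Added example, not from the original post. Lays out the NT ACL scheme for
REM a hypothetical Fusebox app. Domain, paths and account names are assumed.
setlocal
set APPROOT=C:\Inetpub\wwwroot\Banking
set DOMAIN=MYDOMAIN

REM --- 1. Groups (what User Manager for Domains would create) --------------
net group "Banking Users"  /add /domain /comment:"May run the generic Banking circuits"
net group "Banking Admins" /add /domain /comment:"May run the admin circuits"

REM An admin goes in BOTH groups: NT4 global groups cannot be nested, and an
REM admin still has to reach the generic circuits. jdoe is an assumed account.
net group "Banking Users"  jdoe /add /domain
net group "Banking Admins" jdoe /add /domain

REM --- 2. Generic circuit: both groups may read ----------------------------
REM /E edits the existing ACL instead of replacing it, /T recurses through the
REM circuit directory. Everyone is revoked first; if the default Everyone
REM grant stays in place the group grants restrict nothing.
cacls "%APPROOT%\accounts" /T /E /R Everyone
cacls "%APPROOT%\accounts" /T /E /G "%DOMAIN%\Banking Users":R
cacls "%APPROOT%\accounts" /T /E /G "%DOMAIN%\Banking Admins":R

REM --- 3. Admin circuit: Banking Admins only -------------------------------
cacls "%APPROOT%\admin" /T /E /R Everyone
cacls "%APPROOT%\admin" /T /E /G "%DOMAIN%\Banking Admins":R

REM The account the web and CF services run under (assumed here to be a
REM dedicated domain account; the real name depends on the install) still
REM needs read access on every circuit, or nothing is served at all.
cacls "%APPROOT%" /T /E /G "%DOMAIN%\CFWEBSVC":R

REM --- 4. Included files: execute-only, as the post suggests ---------------
REM CACLS can only grant N, R, W, C or F, so an execute-only entry has to be
REM set through the Explorer "Special Access" dialog on NT4. On later Windows
REM versions icacls can express it directly, for example:
REM   icacls "%APPROOT%\includes" /grant "%DOMAIN%\Banking Users":(OI)(CI)(X)
REM Verify on the target server that the CFAS can still run the includes
REM before relying on this.

REM --- 5. Check the result instead of trusting it --------------------------
REM cacls with no switches prints the ACL. The admin circuit should list only
REM Banking Admins and the service account, with no Everyone entry left.
cacls "%APPROOT%\admin"
cacls "%APPROOT%\accounts"
endlocal
```

Because the Help Desk will later be adding and removing people with `net group "Banking Admins" someone /add /domain` and `/delete`, the ACLs themselves never need to change once this script has run; only group membership does, which is the whole point of naming groups rather than users in the ACL.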
> -----Original Message-----
> From: Chris Lott [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, October 07, 2000 6:59 AM
> To: Fusebox
> Subject: Security issues
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I understand how to handle login security in an application... but do any
> of you have tips on handling variable levels of security? Up until now I
> have always had my normal app for users and then a subsection of that app
> (say /admin/) where admins would go to do their thing.
>
> It seems inefficient, but also almost inescapable without turning my neat
> code into spaghetti as I am variably displaying/including based on whether
> they have admin privileges or not. I can't imagine what it will be like
> with three or more levels of user to account for!
>
> I've seen many discussions on cf lists about how to define different levels
> of user and what their privileges are, but not much on what to do with
> those definitions in the app. Every way I can conceive seems much more painful
> than it should be. Or is that just the way it is?
>
> c
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8ckt - http://irfaiad.virtualave.net/
> Comment: PGP Signed for message verification and/or encryption
> Comment: KeyID: 0xD68B61E851046CFD
>
> iQA/AwUBOd86N9aLYehRBGz9EQIBZACghjGOJ8H88d7bCm8Jza5BgtTXeLAAmgPj
> 2EXL6YNuzCcbRypj+9lH69an
> =Wug1
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> the body.