I thought we had talked about this before Alan. The whole gist of it is that
you can create a report in CR that is viewable in a web browser (benefits of
pagination, formatting, and the bells and whistles of CR). You can send sf
commands (selection formula) in the URL string to limit the data displayed
by the report on the fly. You can also send parameter fields and set
properties like export format or viewertype on the fly. The problem that I
am having is the common problem with web stuff: SECURITY. The worst security
breaches are those done by authenticated users. They can get into the system
and muck with the URL vars, and end up deleting records that do not belong
to them or, in this case, viewing data that does not belong to them. To get
around this in my fusebox sites I have to check to see if the user has
permissions for the particular record just before they perform an update or
delete operation.

In CR I have tried to hide the URL string by using frames like so:
Have the user fill out a form to get at the data that they want: i.e. param
for a subtitle, dates covered.
Then the form submits to a fuseaction that is a cfm page. i.e. <FORM
action="#self#?fuseaction=rpt.rpt_student_immunizations" method="post">
The CFM page contains a frameset and all the params are attached via the var
Local.theReport:

  <FRAMESET rows="40,*" border="0">
  <FRAME name="home" src="/reports/dsp_home.cfm" marginwidth="10"
marginheight="10" scrolling="no" frameborder="0" noresize>

   <FRAME name="report"
src="/REPORTS/students/rpt_student_immunizations.rpt?#Local.theReport#"
marginwidth="10" marginheight="10" scrolling="no" frameborder="0" noresize>
 </FRAMESET>

If you do a viewsource on the background of the webpage that is constructed
by CR you will see the params passed:
<PARAM NAME="EnableDrillDown" VALUE=1>
<PARAM NAME="EnableExportButton" VALUE=1>
<PARAM NAME="DisplayGroupTree" VALUE=1>
<PARAM NAME="EnableGroupTree" VALUE=1>
<PARAM NAME="EnableAnimationControl" VALUE=1>
<PARAM NAME="EnablePrintButton" VALUE=1>
<PARAM NAME="EnableRefreshButton" VALUE=1>
<PARAM NAME="EnableSearchControl" VALUE=1>
<PARAM NAME="EnableZoomControl" VALUE=1>
<PARAM NAME="EnableSearchExpertButton" VALUE=0>
<PARAM NAME="EnableSelectExpertButton" VALUE=0>
  webSource0.URL = "http://servername/dirs/rpt_evaluations.rpt"
  webSource0.PromptOnRefresh = False
  webSource0.AddParameter "Prompt0", "Nursing Faculty"
  webSource0.AddParameter "Prompt1", " Masters of Science in Nursing"
  webSource0.AddParameter "Prompt2", "1/1/2000"
  webSource0.AddParameter "Prompt3", "12/31/2000"
  webSource0.AddParameter "prompt4", "Higgins, Joseph"
  webSource0.AddParameter "sf", "{schools.ID}in[1] AND
{eval_instructor.created_dt} >= DateTime (2000,01,01,00,00,00) AND
{eval_instructor.created_dt} <= DateTime (2000,12,31,00,00,00)"

This shows them the name of the report and if they know CR they could just
paste this into a web browser and add their own sf commands to get at the
data that they wanted to. Or send them to a friend, or competitor - the
competitor would have full access to your company's data, or patient records
etc.

The question that I want to ask in return is: how do you keep people out of
directories on your server unless they are authenticated? My guess is that
it depends on your webserver. If you are using IIS then set up NT security.

Does anybody have a factsheet on how to set up NT security with CF? And if
you did would this stop them from accessing fuses or CR reports? Does the CR
go through the webserver API or via CGI or does it have its own port?
Anyway these are my big fusebox related security issues... any takers?


----- Original Message -----
From: "McCollough, Alan" <[EMAIL PROTECTED]>
> I'm wondering if anybody has the skinny on using Crystal Reports 8.x and CF
> together; but -not- through CFREPORT, which apparently flat doesn't work.
>
> In particular, I've already got a couple o' apps that use CR, but not via
> CFREPORT. I'm thinking of upgrading CR to ver 8.5, but don't wanna bother if
> somebody out there has experienced disaster with it.
>
> So how does this tie into fusebox? The apps that use CR for reporting are
> fusebox apps. So there!
>
> Alan McCollough
> Web Programmer
> Allaire Certified ColdFusion Developer
> Alaska Native Medical Center
>

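The reply above describes the poster's own fix for URL tampering: check on the server, from the authenticated session, whether the user is allowed to see the particular record, and build the selection formula there instead of trusting whatever `sf` arrives in the URL. The following is an added illustration of that pattern in Python; it is not code from the thread, from ColdFusion or from Crystal Reports. The user-to-school permission table, the form field names and the `handle_request` function are constructed assumptions; the selection formula it produces is the same shape as the `sf` string shown in the reply.

```python
"""Server-side authorization before building a Crystal Reports selection formula.

Added illustration (assumptions: the PERMISSIONS table, the form field names
and the request/response shape are all constructed for this example). The
principle follows the reply: decide what the user may see on the server, just
before the report is built, and never from the URL variables the client sends.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample data: which school IDs each authenticated user may report on.
PERMISSIONS = {
    "jhiggins": {1},
    "nursing_admin": {1, 2},
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to report on the record."""


@dataclass(frozen=True)
class ReportRequest:
    school_id: int
    start: date
    end: date


def authorize(username, req):
    """Permission check for the requested record, keyed on the session user."""
    allowed = PERMISSIONS.get(username, set())
    if req.school_id not in allowed:
        raise Forbidden(f"{username} may not report on school {req.school_id}")


def cr_datetime(d):
    """Crystal's DateTime(yyyy,mm,dd,hh,mm,ss) literal, as written in the thread."""
    return f"DateTime ({d.year},{d.month:02d},{d.day:02d},00,00,00)"


def build_selection_formula(username, req):
    """Return the sf string the server will attach to the report URL.

    The formula is derived only from the authenticated user and the validated
    request, so editing the URL cannot widen what the report selects.
    """
    authorize(username, req)
    if req.end < req.start:
        raise ValueError("end date before start date")
    return (
        f"{{schools.ID}}in[{req.school_id}] AND "
        f"{{eval_instructor.created_dt}} >= {cr_datetime(req.start)} AND "
        f"{{eval_instructor.created_dt}} <= {cr_datetime(req.end)}"
    )


def handle_request(session_user, form):
    """Simulates the fuseaction that receives the posted form.

    session_user comes from the server-side session, not from the form.
    Any client-supplied 'sf' field is rejected outright rather than merged.
    """
    if "sf" in form:
        return {"status": 400, "error": "sf is not an accepted form field"}
    try:
        req = ReportRequest(
            school_id=int(form["school_id"]),
            start=date.fromisoformat(form["start"]),
            end=date.fromisoformat(form["end"]),
        )
        sf = build_selection_formula(session_user, req)
    except Forbidden as e:
        return {"status": 403, "error": str(e)}
    except (ValueError, KeyError) as e:
        return {"status": 400, "error": f"bad request: {e}"}
    return {"status": 200, "sf": sf}


if __name__ == "__main__":
    form = {"school_id": "1", "start": "2000-01-01", "end": "2000-12-31"}
    print(handle_request("jhiggins", form))                     # 200, formula built
    print(handle_request("jhiggins", dict(form, school_id="2")))  # 403, not permitted
    print(handle_request("jhiggins", dict(form, sf="{schools.ID}in[2]")))  # 400, sf refused
```

The point of the design is that the frameset trick in the reply only hides the URL from casual view; what actually closes the hole is that the server never lets a client-chosen `sf` reach the report, and that the school ID is checked against the session user's permissions before the formula is assembled.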


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists