The Model-Glue framework itself does not get involved in any requests that do not go through its index.cfm. However, the Model-Glue application template has a views/Application.cfm file that contains a <cfabort/>. This file stops the processing of any direct requests for CFML files under the views directory, so a blank response is returned. It sounds like your application has this same views/Application.cfm file protecting the views directory.

Other directories in your Model-Glue application may also need securing. In particular, if your ModelGlue and ColdSpring configuration files use a *.xml extension, they may be vulnerable to direct access by a browser and exposure of sensitive information about your application. Ideally you should set up your Web server's security to block any access to your application's config directory, but if that's not an option you can rename the config files to use *.xml.cfm extensions and then use the Application.cfm technique mentioned above to protect the config directory. A side-effect of changing the file extension is that you will likely lose your editor's XML support features while working on those files.

-- Dennis

On Tue, Aug 24, 2010 at 11:01 PM, Clifford Moon <[email protected]> wrote:

> Greeting
>
> I've found several tutorials out there on various ways of securing
> certain pages in modelglue and followed Dan's suggestion from a past
> email, but I've seen non model glue security implemented and whenever
> one requested a page, it immediately threw up the login page. The way
> I've currently got my pages secured doesn't automatically throw up a
> login page as I'm using the event handler and multiple event types to
> only secure certain pages (model glue.XML snippet below), and I'm
> pleased with the way it's working.
>
> <!-- Administrator Events -->
> <event-handler name="admin" type="secure,templatedPage">
>     <!--
>     <broadcasts>
>         <message name="needHonorsList" />
>     </broadcasts>
>     -->
>     <views>
>         <include name="primary" template="default.cfm">
>         </include>
>     </views>
> </event-handler>
>
> <event-handler name="adminList" type="secure,templatedPage">
>     <views>
>         <include name="mymenu" template="layout/dspMyMenu.cfm">
>             <value name="whichMenuIsCurrent" value="admin" />
>         </include>
>         <include name="primary" template="dspViewAdmins.cfm">
>         </include>
>     </views>
> </event-handler>
>
> <event-handler name="honorshome" type="templatedPage">
>     <views>
>         <include name="mymenu" template="layout/dspMyMenu.cfm">
>             <value name="whichMenuIsCurrent" value="home" />
>         </include>
>         <include name="primary" template="dspViewNews.cfm">
>         </include>
>     </views>
> </event-handler>
>
> My quandary is this, and this may just be the way that Model Glue
> handles handing off a page without going through the event=?? method.
>
> If I have a file in my views directory called bleh.cfm, and I spell
> out the entire path http://<server>/<appdir>/views/bleh.cfm, I get a
> blank page returned. Is this the expected functionality? What should
> one expect to happen if the security was coded perfectly?
>
> I ask this as my boss is expecting to secure the entire directory, but
> as it is, it only requests authentication when the event type is
> "secure,??", and this to me is cool as I can only protect a few files
> and leave the others public.
>
> I hope I've made sense on this, but I'm still unclear as to what I
> should expect, and what is considered the standard for security in
> Model-Glue.
>
> Thanks in Advance,
>
> Cliff
>
> --
> Model-Glue Sites:
> Home Page: http://www.model-glue.com
> Documentation: http://docs.model-glue.com
> Bug Tracker: http://bugs.model-glue.com
> Blog: http://www.model-glue.com/blog
>
> You received this message because you are subscribed to the Google
> Groups "model-glue" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/model-glue?hl=en
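
An added example, not part of the original thread or the Model-Glue project: a Python audit of an application tree for the two protections described in the reply above (an Application.cfm containing <cfabort/> over the views directory, and config files renamed to *.xml.cfm under the same guard). It assumes the common default that only *.cfm requests reach the CFML engine and that the engine runs the nearest Application.cfm at or above the requested file; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

ABORT = re.compile(r"<cfabort\b", re.IGNORECASE)

def nearest_guard(folder, app_root):
    """Walk up from folder to app_root; return the first Application.cfm, else None."""
    for d in [folder, *folder.parents]:
        hit = [p for p in d.iterdir() if p.name.lower() == "application.cfm"]
        if hit or d == app_root:
            return hit[0] if hit else None

def audit(app_root, protected=("views", "config")):
    """Return sorted (relative path, problem) pairs for files a browser could fetch."""
    findings = []
    for name in protected:
        base = app_root / name
        for f in (p for p in base.rglob("*") if p.is_file()):
            if f.name.lower() == "application.cfm":
                continue
            rel = f.relative_to(app_root).as_posix()
            if f.suffix.lower() != ".cfm":
                # Assumption: non-.cfm files bypass the CFML engine entirely.
                findings.append((rel, "static file, Application.cfm cannot guard it"))
                continue
            guard = nearest_guard(f.parent, app_root)
            if guard is None or not ABORT.search(guard.read_text(errors="replace")):
                findings.append((rel, "no Application.cfm with <cfabort> above it"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; file names follow the thread, contents are made up."""
    files = {
        "Application.cfm": "<cfapplication name='demo'>",
        "views/Application.cfm": "<cfabort/>",
        "views/layout/dspMyMenu.cfm": "<p>menu</p>",
        "config/ModelGlue.xml": "<modelglue/>",
        "config/ColdSpring.xml.cfm": "<beans/>",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, problem in audit(build_sample(Path(tmp))):
            print(f"{rel}: {problem}")
```

On the sample tree the views files pass, while both config files are reported: one still has a bare *.xml name, and the renamed one has no guarding Application.cfm in its directory.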
