RE: user control - permissions - roles...
I tend to use a lock and key approach. 3 tables. Items are locked and a user must have the appropriate key to use the system.

Profile
Privileges
profile_privileges

Profile has profile_id and name in it.
Privileges is usually a privilege name and id.
profile_privileges then has priv_id, profile_id (many to many table).

Each user is assigned a profile. Many users may belong to the same group. Privileges are associated with a profile. I have a custom tag/udf called validate_permission which simply checks that the profile id has the privilege id which is associated with a particular name.

if validate(permission, profile_id, priv_name) is true.

Since I do use Fusebox, I've actually written an entire security system around it which allows using the fuseaction permission / attribute to secure circuits or fuseactions to specific privileges. I can also use the udf internally in scripts to secure specific lines of code.
RE: user control - permissions - roles...
easiest way is in your usertable, where you store usernames/passwords, have a roleId, and then when they login and you process the login information, you can set a session variable, that is their roleId, and then base some permissions around that value.

how? you can cfif yourself to death,

    <cfif session.roleId eq 1>
        You are god
    <cfelseif session.roleId eq 2>
        You are a demi-god
    <cfelseif session.roleId eq 3>
        You are a sk8r boy
    <cfelseif session.roleId eq 0>
        You are sysadmin
    </cfif>

I always like to keep roleID 0 for Omniscient Role where you are not only the top level, but you are something bigger, code changer, etc.

Then you can rollup permissions too

    <cfif session.roleId lte 1>
        You are here, because you are a god or demi god
    <cfelseif session.roleId lte 3>
        You are here, because you are a demi-god, god, or peon
    </cfif>

anyway, you get the point. :)

tony

-Original Message-
From: Spectrum WebDesign [mailto:[EMAIL PROTECTED]
Sent: Friday, May 21, 2004 3:19 PM
To: CF-Talk
Subject: user control - permissions - roles...

Hi all

i'm looking for any example how to create an user control with roles permissions... like Administrator is God, Managers could insert and change, SK8er Boy could only view certain aspects from appl

Please do you have any example?

Thanx in advance.
RE: user control - permissions - roles...
Thanx good... great job... but the thousands cfif's still need? Thanx for your time.
RE: user control - permissions - roles...
it's up to you, really. I guess you could cfcase/cfswitch it, as well.

tw
RE: user control - permissions - roles...
heck. what am I thinking? isn't there a isUserInRole() function in cf, that will check that kinda stuff too?

to all list people: in your role based security applications, how have you done it? with isUserInRole(), and cflogin, etc?

tw
RE: user control - permissions - roles...
cflogin isn't flexible enough for me. You have limited control over your querying of that data...only the functions provided in CF. I do a user table, a role-name table and a user-role table. The user table holds basic user info. The role-name table holds info about the role (name, description, etc). The user-role table ties the two together. This allows the person to have multiple roles. Then, I just code in my app that certain role-ids can do certain things.

I've also done it where the roles are numbered 0, 0, 10, 20, 30, 40, 50, 60, 70, 80, 90 and then if you need to create specific roles for certain sections of the site, you can do it in between the existing role numbers. Then you can just check <cfif userRole GT 60> to see if the person is above 60 and if so, that means they can do this certain thing, or you can check <cfif userRole GT 90 or userRole EQ 43> to see if the user is an admin or if they have a specific role to let them do this one thing.

John
RE: user control - permissions - roles...
Thanx John but using your suggestion maybe our code will become very hard to maintain... Look this:

    <cfif UserRole is 34 OR UserRole is 56>
        Click here to edit this record
    </cfif>

    <cfif UserRole is 67 OR UserRole is 81>
        Click here to delete this record
    </cfif>

Why you don't use Group Roles?

Thanx once more again
Re: user control - permissions - roles...
I would recommend using permission objects-base framework over roles-based. Problem with relying on roles is that when you need to allow another role to insert or update, you have to go through the templates where inserts or updates are referenced and change the code. Very inflexible. But if you're using permission objects-based model, you assign that object id to any number of roles, and if the logged-in user has the role which contains that ID, then access is granted.

You can write a udf that could do something like this.

    <cfif isAllowed("update user record")>
        show update link here
    </cfif>

Any user who has the security role that has this ID will pass the test. You can revoke a permission right from a role by simply removing that object id from the role.

Nick Han
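The permission-object model from the message above (the same shape as the profile / privileges / profile_privileges tables in the first reply of the thread), as an added example that is not part of the thread. It is written in Python against an in-memory SQLite database rather than CFML so that it runs on its own; the table names, column names, users and permission names are constructed for illustration.

```python
import sqlite3

# Assumed schema: table and column names are illustrative, not from the thread.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE roles (role_id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (perm_id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    role_id INTEGER NOT NULL REFERENCES roles(role_id),
    PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permissions (
    role_id INTEGER NOT NULL REFERENCES roles(role_id),
    perm_id INTEGER NOT NULL REFERENCES permissions(perm_id),
    PRIMARY KEY (role_id, perm_id));
"""

def build_db():
    """Create an in-memory database holding constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    db.executemany("INSERT INTO roles VALUES (?, ?)",
                   [(1, "Administrator"), (2, "Manager"), (3, "Viewer")])
    db.executemany("INSERT INTO permissions VALUES (?, ?)",
                   [(1, "view record"), (2, "update user record"),
                    (3, "delete record")])
    db.executemany("INSERT INTO user_roles VALUES (?, ?)",
                   [(1, 1), (2, 2), (3, 3)])
    db.executemany("INSERT INTO role_permissions VALUES (?, ?)",
                   [(1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (3, 1)])
    return db

def is_allowed(db, user_id, permission):
    """True only if one of the user's roles holds the named permission.

    Unknown users and unknown permission names match no row, so the
    check denies by default instead of raising or guessing."""
    row = db.execute(
        """SELECT 1 FROM user_roles ur
           JOIN role_permissions rp ON rp.role_id = ur.role_id
           JOIN permissions p ON p.perm_id = rp.perm_id
           WHERE ur.user_id = ? AND p.name = ? LIMIT 1""",
        (user_id, permission)).fetchone()
    return row is not None

def grant(db, role, permission):
    """Attach a permission to a role; calling code stays unchanged."""
    db.execute(
        """INSERT OR IGNORE INTO role_permissions (role_id, perm_id)
           SELECT r.role_id, p.perm_id FROM roles r, permissions p
           WHERE r.name = ? AND p.name = ?""", (role, permission))

def revoke(db, role, permission):
    """Detach a permission from a role."""
    db.execute(
        """DELETE FROM role_permissions
           WHERE role_id = (SELECT role_id FROM roles WHERE name = ?)
             AND perm_id = (SELECT perm_id FROM permissions WHERE name = ?)""",
        (role, permission))

if __name__ == "__main__":
    db = build_db()
    users = db.execute("SELECT user_id, username FROM users ORDER BY user_id").fetchall()
    names = [n for (n,) in db.execute("SELECT name FROM permissions ORDER BY perm_id")]
    for uid, username in users:
        print(username, [n for n in names if is_allowed(db, uid, n)])
```

Templates only ever name the permission, so letting another role update records is a `grant()` on the data rather than an edit to every role-id comparison in the code.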
RE: user control - permissions - roles...
Using the ones in between the 10s would only be for a special case. Other than that, you'd just have your basic 10 (0,10,20...90). You don't have to give each user their own role. It depends on the app and the needs. I just know that I've thought too small in the past and it ended up coming back to bite me later. If your app only needs a couple of roles, I don't understand what it is that you're asking for suggestions for. That sounds quite easy and for you cflogin would probably work with its associated functions.

John Burns
Re: user control - permissions - roles...
> i'm looking for any example how to create an user control with roles
> permissions... like Administrator is God, Managers could insert and
> change, SK8er Boy could only view certain aspects from appl

Hal Helms has a good technique here:
http://halhelms.com/writings/ProposedSecurityModel.pdf

and some code here:
http://www.halhelms.com/code/resources/secure.zip

I've used it when I was still on CF4.5. I've since migrated to MX but haven't checked out CFLogin yet.

Jim
RE: user control - permissions - roles...
[Original message]---
From: Nick Han [mailto:[EMAIL PROTECTED]
Sent: Saturday, 22 May 2004 6:51 AM

> I would recommend using permission objects-base framework over roles-based. Problem with relying on roles is that when you need to allow another role to insert or update, you have to go through the templates where inserts or updates are referenced and change the code. Very inflexible. But if you're using permission objects-based model, you assign that object id to any number of roles, and if the logged-in user has the role which contains that ID, then access is granted.
>
> You can write a udf that could do something like this.
>
>     <cfif isAllowed("update user record")>
>         show update link here
>     </cfif>

Nick, I'm trying to understand how this would appear in practice. Does this mean you'd have a table of authority levels or groups, a table of things they could do, and a many-many table linking them together? In which case a user would have a record in the user table, a number of records in the user-groups table linking the user to one or more groups?

Is this how it would be?:

Tbl_USERS (All user information)
    Userid
    Username
    etc

Tbl_GROUPS (Group names)
    GroupID
    Groupname

Tbl_AUTHORITYLEVELS (Authority Levels)
    AuthorityLevelID
    Authorityname

Tbl_TASKS (The tasks different groups can perform)
    TaskID
    TaskName

Tbl_USERSGROUPS (allocates users to groups)
    UserGroupID
    UserID
    GroupID

Tbl_GROUPAUTHORITIES (allocates authority levels to different groups)
    GroupAuthorityID
    GroupID
    AuthoritylevelID

Tbl_TASKSAUTHORITIES (Allocates tasks to different authority levels)
    TaskAuthorityID
    TaskID
    AuthorityLevelID

Cheers
Mike Kear
Windsor, NSW, Australia
AFP Webworks
http://afpwebworks.com