Copy link to clipboard
Copied
I have an application where I am setting user roles using cfloginuser. I restrict some pages depending on roles. I am just using a if statement at the top of the page similar to this:
<cfif IsUserInRole("admin")>
PAGE CONTENT
<cfelse>
<cflocation url="unathorized.cfm" addtoken="no">
</cfif>
This is working fine, but I am now wanting to expand the roles. I want to display or reject each page depending on the roles. However, I am not wanting to add an if statement to every page. Can anyone point me to a better method? I know I am missing something very easy, but I would like an easy non-obtrusive way to do this. Thanks for the suggestions.
Copy link to clipboard
Copied
You could shift the logic into the onRequest() interceptor, perhaps?
--
Adam
Copy link to clipboard
Copied
I broke down and put the logic in the onrequest function of the application.cfc I went ahead and made a table and added a record for every secured page and the role required to view it. I just didn't want to have to read a table for every page load, but it works fine. If anyone has a better suggestion, I'd love to hear it. Thanks.
Copy link to clipboard
Copied
Just a suggestion don't know whether it is applicable for your case or not.
- If we will store the user roles in session variable and store the secure page information in cache. Then we will do the the same as Adam suggested then I think it will improve the execution time.
Copy link to clipboard
Copied
I broke down and put the logic in the onrequest function of the application.cfc I went ahead and made a table and added a record for every secured page and the role required to view it. I just didn't want to have to read a table for every page load, but it works fine. If anyone has a better suggestion, I'd love to hear it. Thanks.
Well that stuff is application-wide, yes? So you could just load it once in onApplicationStart, and put it in an application variable.
--
Adam
Copy link to clipboard
Copied
wannab0133 wrote:
I have an application where I am setting user roles using cfloginuser. I restrict some pages depending on roles. I am just using a if statement at the top of the page similar to this:
<cfif IsUserInRole("admin")> PAGE CONTENT <cfelse> <cflocation url="unathorized.cfm" addtoken="no"> </cfif>
This is working fine, but I am now wanting to expand the roles. I want to display or reject each page depending on the roles. However, I am not wanting to add an if statement to every page. Can anyone point me to a better method? I know I am missing something very easy, but I would like an easy non-obtrusive way to do this. Thanks for the suggestions.
Did you say non-obtrusive? I find this a tigress of a question masquerading as a homely pussycat!
First of all, there are known restrictions in any implementation of onRequest in Application.cfc. For example, you won't be able to run CFCs for web services, flash remoting or event gateways.
Login, permissions and page flow are determined on a request by request basis. Therefore, the code you need will have to be in a scope that is more fine-grained than session or application. That brings us to request. Since we have ruled out the onRequest event, we have to settle for the only remaining contender, onRequestStart.
Let's say, for simplicity, that user IDs are U1, U2, U3, ... an so on. Similarly we assume role IDs are R1, R2, ... and authorized-page IDs, P1, P2, P3, .... That you can use onRequestStart to do login and assign roles is an established fact.
Such login and permission assignment are essentially a product of the relation between the set of users, U = {U1, U2, U3, ...} and the set of roles, R = {R1, R2, R3, ...}. The functionality you seek is between the set R and the set of pages, P = {P1, P2, P3, ...}. Sounds all nice and easy till we stumble on the fact the relations U <=> R and R <=> P are many-to-many. You cannot translate a many-to-many relation directly into a relational database model. This means you will likely have to redesign your database model.
One way to solve the problem is to introduce so-called junction tables within the relations U <=> R and R <=> P. Whatever design route you choose to follow, there is one well-known guideline that will ensure you stay on course, Ferraiolo and Kuhn's Role-Based Access Control(RBAC). This is everything but non-obtrusive, I hope you will agree!