Page Authentication

Question

I have an application where I am setting user roles using cfloginuser. I restrict some pages depending on roles. I am just using a if statement at the top of the page similar to this:

<cfif IsUserInRole("admin")>
     PAGE CONTENT
<cfelse>
          <cflocation url="unathorized.cfm" addtoken="no">
</cfif>

This is working fine, but I am now wanting to expand the roles. I want to display or reject each page depending on the roles. However, I am not wanting to add an if statement to every page. Can anyone point me to a better method? I know I am missing something very easy, but I would like an easy non-obtrusive way to do this. Thanks for the suggestions.

BKBK · Answer

wannab0133 wrote:I have an application where I am setting user roles using cfloginuser. I restrict some pages depending on roles. I am just using a if statement at the top of the page similar to this: PAGE CONTENT This is working fine, but I am now wanting to expand the roles. I want to display or reject each page depending on the roles. However, I am not wanting to add an if statement to every page. Can anyone point me to a better method? I know I am missing something very easy, but I would like an easy non-obtrusive way to do this. Thanks for the suggestions.Did you say non-obtrusive? I find this a tigress of a question masquerading as a homely pussycat!First of all, there are known restrictions in any implementation of onRequest in Application.cfc. For example, you won't be able to run CFCs for web services, flash remoting or event gateways. Login, permissions and page flow are determined on a request by request basis. Therefore, the code you need will have to be in a scope that is more fine-grained than session or application. That brings us to request. Since we have ruled out the onRequest event, we have to settle for the only remaining contender, onRequestStart.Let's say, for simplicity, that user IDs are U1, U2, U3, ... an so on. Similarly we assume role IDs are R1, R2, ... and authorized-page IDs, P1, P2, P3, .... That you can use onRequestStart to do login and assign roles is an established fact. Such login and permission assignment are essentially a product of the relation between the set of users, U = {U1, U2, U3, ...} and the set of roles, R = {R1, R2, R3, ...}. The functionality you seek is between the set R and the set of pages, P = {P1, P2, P3, ...}. Sounds all nice and easy till we stumble on the fact the relations U <=> R and R <=> P are many-to-many. You cannot translate a many-to-many relation directly into a relational database model. This means you will likely have to redesign your database model. One way to solve the problem is to introduce so-called junction tables within the relations U <=> R and R <=> P. Whatever design route you choose to follow, there is one well-known guideline that will ensure you stay on course, Ferraiolo and Kuhn's Role-Based Access Control(RBAC). This is everything but non-obtrusive, I hope you will agree!

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded