December 8, 2012
Answered

ColdFusion security function IsUserInRole

  • December 8, 2012
  • 2 replies
  • 2313 views

I would like to know how to use the IsUserInRole ColdFusion function to get the user role, but how can I create a user role from ColdFusion?

Is there any function to create a user role, or do I use the ColdFusion server admin to create one, or create a role in the backend database?

Your help and information is greatly appreciated,

Regards,

Iccsi,

    2 replies

    BKBK
    Community Expert
    Correct answer
    December 8, 2012

    ColdFusion's default security framework (involving cflogin, cfloginUser, cfNTauthenticate, getAuthUser, isUserInRole, and so on) assumes that you, the developer, decide the policy for storing usernames, passwords and roles. The usual place to store them is the database.

    How you assign users access to various parts of your site is a science apart. In my opinion, the technique most relevant to you is Role-Based Access Control (RBAC). Google it for more information.

    The simplest implementation of RBAC consists of five database tables, say, user, role, userRole, resource and resourceAccess. The user table has at least the 3 columns userId (primary key), username and password. The role table has at least the 2 columns roleId (primary key) and role. The userRole table has at least the 3 columns, namely, userRoleId (primary key), userId and roleId. The columns userId and roleId are actually foreign keys. So userRoleId is essentially a composite of the two foreign keys.

    The resource table contains the resources, for example, the pages, to which you wish to control access. It has at least the 2 columns resourceId (primary key) and resource. The resourceAccess table has at least the 3 columns resourceAccessId (primary key), resourceId and userRoleId. The columns resourceId and userRoleId are actually foreign keys. So resourceAccessId is essentially a composite of the two foreign keys. We have now set up our basic security database.

    If you wish to regulate just login to your site, then it is sufficient to implement the user table. Roles are then irrelevant. After verifying that the user's submitted credentials match the values in the user table, you would then log him in using code like

    <cfloginuser name = "some_username" password = "some_password">

    However, suppose you wished to regulate access to various resources on your site, based on roles. Then you will have to implement all 5 tables.

    Suppose then that a user has requested a page which has restricted access. Firstly, you verify that the user's login credentials match the values in the user table.  If so, you then query the role table to get the list of roles permitted to the user. You would then log him in using something like

    <cfloginuser name = "some_username" password = "some_password" roles = "role1,role2,role3">

    You now do a look-up of his userId and roleIds in the userRole table. The result is a list of userRoleIds.

    Since the requested page is a restricted resource, we take it for granted that it has an entry in the resource table. Let us say resourceId = 103 for the page. Finally, you query the resourceAccess table to verify whether any of the userRoleIds corresponds to resourceId 103. If so, the user is granted access.
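    The five-table schema and the four-step check described in the answer above, as an added example that is not part of the original post or of ColdFusion itself. It is written in Python with sqlite3 so it runs offline; table and column names are taken from the answer, while the UNIQUE constraints, the PBKDF2 password hashing (the answer's user table holds a password column but does not say how it is stored; storing a salted hash rather than the plain password is an assumption of this example), and the sample users, roles and pages are constructed for the demonstration. The roles string returned by `roles_for_user` is what you would pass to `<cfloginuser roles="...">`, which is the list `isUserInRole` later consults.

```python
"""RBAC check on the five-table schema (user, role, userRole, resource,
resourceAccess). Table and column names follow the forum answer; password
hashing, UNIQUE constraints and the sample rows are additions of this example."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption: work factor for the password hash

SCHEMA = """
CREATE TABLE user (
    userId   INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL);            -- 'salthex$pbkdf2hex', never plain text
CREATE TABLE role (
    roleId INTEGER PRIMARY KEY,
    role   TEXT NOT NULL UNIQUE);
CREATE TABLE userRole (
    userRoleId INTEGER PRIMARY KEY,
    userId     INTEGER NOT NULL REFERENCES user(userId),
    roleId     INTEGER NOT NULL REFERENCES role(roleId),
    UNIQUE (userId, roleId));
CREATE TABLE resource (
    resourceId INTEGER PRIMARY KEY,
    resource   TEXT NOT NULL UNIQUE);
CREATE TABLE resourceAccess (
    resourceAccessId INTEGER PRIMARY KEY,
    resourceId       INTEGER NOT NULL REFERENCES resource(resourceId),
    userRoleId       INTEGER NOT NULL REFERENCES userRole(userRoleId),
    UNIQUE (resourceId, userRoleId));
"""


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' for storage in user.password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Constant-time comparison of the submitted password against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def authenticate(conn, username, password):
    """Step 1: check the submitted credentials against the user table.
    Returns the userId on success, None otherwise."""
    row = conn.execute("SELECT userId, password FROM user WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]


def roles_for_user(conn, user_id):
    """Step 2: the user's roles as the comma-separated string that
    <cfloginuser roles="..."> expects (isUserInRole reads that list)."""
    rows = conn.execute(
        """SELECT r.role FROM role r
           JOIN userRole ur ON ur.roleId = r.roleId
           WHERE ur.userId = ? ORDER BY r.role""", (user_id,)).fetchall()
    return ",".join(r[0] for r in rows)


def has_access(conn, user_id, resource_id):
    """Steps 3 and 4: find the user's userRoleIds and test whether any of them
    is linked to the requested resource in resourceAccess."""
    row = conn.execute(
        """SELECT 1 FROM resourceAccess ra
           JOIN userRole ur ON ur.userRoleId = ra.userRoleId
           WHERE ra.resourceId = ? AND ur.userId = ? LIMIT 1""",
        (resource_id, user_id)).fetchone()
    return row is not None


def check_request(conn, username, password, resource_id):
    """Whole flow for one request: authenticate, then authorize.
    Returns (roles_string, allowed); roles_string is None when login fails."""
    user_id = authenticate(conn, username, password)
    if user_id is None:
        return None, False
    return roles_for_user(conn, user_id), has_access(conn, user_id, resource_id)


def build_demo_db():
    """Constructed sample data: two users, three roles, two restricted pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user (userId, username, password) VALUES (?, ?, ?)",
                     [(1, "alice", hash_password("alice-pass")),
                      (2, "bob", hash_password("bob-pass"))])
    conn.executemany("INSERT INTO role (roleId, role) VALUES (?, ?)",
                     [(10, "admin"), (11, "editor"), (12, "viewer")])
    conn.executemany("INSERT INTO userRole (userRoleId, userId, roleId) VALUES (?, ?, ?)",
                     [(100, 1, 10), (101, 1, 11), (102, 2, 12)])
    conn.executemany("INSERT INTO resource (resourceId, resource) VALUES (?, ?)",
                     [(103, "/admin/index.cfm"), (104, "/reports.cfm")])
    conn.executemany("INSERT INTO resourceAccess (resourceAccessId, resourceId, userRoleId) "
                     "VALUES (?, ?, ?)",
                     [(1000, 103, 100), (1001, 104, 101), (1002, 104, 102)])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(check_request(db, "alice", "alice-pass", 103))  # ('admin,editor', True)
    print(check_request(db, "bob", "bob-pass", 103))      # ('viewer', False)
    print(check_request(db, "bob", "wrong", 104))         # (None, False)
```

    Note that the authorization query joins on userRoleId exactly as the answer describes, so a grant in resourceAccess is tied to one particular user-role pairing; the roles string is computed once at login, which is why a change in the userRole table only takes effect for isUserInRole on the user's next login.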

    iccsi (Author)
    Inspiring
    December 8, 2012

    Thanks a million for helping and information,

    I really appreciate your help,

    Regards,

    Iccsi,

    BKBK
    Community Expert
    December 9, 2012

    No thanks.

    Just seen some errors in my last post. I hope they didn't confuse things. The first line of the last paragraph should read:

    Since the requested page is a restricted resource, we take it for granted that it has an entry in the resource table.


    Inspiring
    December 8, 2012

    iccsi, you have been posting an awful lot of questions recently that are basically "can you do my work for me?"

    Can you at least try to work it out for yourself first before posting here?

    Read the docs, try things out, post what you've tried and how it didn't work, and then we can go from there.

    All this stuff is in the docs.

    --

    Adam

    iccsi (Author)
    Inspiring
    December 8, 2012

    Thanks for the message and help,

    I did research and checked your documents online.

    http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_in-k_35.html

    http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7e34.html

    These pages show some security functions, but none of them talk about creating a role, only reading the logged-in user and the user role.

    I went to the ColdFusion admin page; there is a user management page, but I can only create users, not roles.

    Thanks again for helping and information,

    Regards,

    Iccsi,