Hey again,
So this time I've got stuck with login stuff. I'm trying to set login based on the permissions level. In database I've got three fields: username, password and user_type. user_types are admin1 and admin2.
If I login with username and password for admin1 it goes well.
If login is with username and password for admin2 it goes to index page with no error message.
Following is the code:
<cfif IsDefined("FORM.username")>
    <cfset MM_redirectLoginSuccess="../admin/index.cfm">
    <cfset MM_redirectLoginFailed="index.cfm?failed=y">
    <cfquery name="MM_rsUser" datasource="nodatabase">
        SELECT username,password,user_type FROM users
        WHERE username=<cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_clob" maxlength="45">
        AND password=<cfqueryparam value="#Hash(FORM.password, "SHA")#" cfsqltype="cf_sql_clob" maxlength="64">
    </cfquery>
    <cfif MM_rsUser.RecordCount NEQ 0>
        <cftry>
            <cflock scope="Session" timeout="30" type="Exclusive">
                <cfset Session.MM_Username=FORM.username>
                <cfset Session.MM_UserAuthorization=MM_rsUser.user_type[1]> <!--- WHAT IS THIS [1] ?????? --->
            </cflock>
            <cfif IsDefined("URL.accessdenied") AND false>
                <cfset MM_redirectLoginSuccess=URL.accessdenied>
            </cfif>
            <cflocation url="#MM_redirectLoginSuccess#" addtoken="no">
            <cfcatch type="Lock">
                <!--- code for handling timeout of cflock --->
            </cfcatch>
        </cftry>
    </cfif>
    <cflocation url="#MM_redirectLoginFailed#" addtoken="no">
<cfelse>
    <cfset MM_LoginAction=CGI.SCRIPT_NAME>
    <cfif CGI.QUERY_STRING NEQ "">
        <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
    </cfif>
</cfif>
<cfset CurrentPage=GetFileFromPath(GetBaseTemplatePath())>
Any thoughts where does it all go wrong?
cheers,
Simon
cfsqltype="cf_sql_clob"
cfsqltype="cf_sql_varchar" seems more appropriate in both cases.
<cfset Session.MM_UserAuthorization=MM_rsUser.user_type[1]> WHAT IS THIS [1] ??????
Row 1 of the result set. If you did the table correctly, then the result set will contain only one row anyhow. So, MM_rsUser.user_type and MM_rsUser.user_type[1] would mean the same thing.
<cfif IsDefined("URL.accessdenied") AND false>
Most likely an error in the logic, as it will always be false. I suspect you wanted to write
<cfif IsDefined("URL.accessdenied") AND URL.accessdenied is false>
A separate but related question. Are you going to be logging the user in at every request? I see no cflogin and no cfloginuser tags.
Well, that's the code that was written automatically by ColdFusion when I've chosen to create user authorisation. However, when you choose to go this way ColdFusion asks whether you want to authorise user by username and password only, or add permission levels. So I've chosen to authorise by all three. As mentioned, in database I have added three fields: username, password and user_type. Currently I have two users. One's - admin1, and another - admin2. If I change both to admin1 - have no trouble logging in. But if second one is left as admin2, it denies access with no error.
My intentions are to separate content of the admin page with the following code:
<cfif ListContains("admin1", Session.MM_UserAuthorization)>
Content to show if user in proper access level which is Admin1.
</cfif>
but in order to achieve this I have to login users with different access level.
Is the username Admin2 in the database, as well as the hash of Admin2's password?
Sorry mate, completely forgot to update this thread. I've sorted it out already. It was my own fault (obviously) as at some point I was trying to set restrictions to access admin page and stated admin1 as the only type of admin for this purpose. Therefore the error is explained.
Thanks for your help anyway.
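
The access-level check discussed in this thread (the ListContains snippet and the admin page restricted to admin1 only), as an added example that is not part of the original posts or the generated Dreamweaver code. The function name isAuthorized, the loginPage variable and its path are hypothetical; Session.MM_UserAuthorization and the admin1/admin2 levels are taken from the thread.

```cfml
<!--- Added example: isAuthorized and loginPage are hypothetical names, not generated code. --->
<cffunction name="isAuthorized" returntype="boolean" output="false">
    <cfargument name="allowedLevels" type="string" required="true">
    <cfset var level = "">
    <!--- Read the level stored at login under a read-only lock
          (the login code writes it under an exclusive lock). --->
    <cflock scope="Session" timeout="30" type="ReadOnly">
        <cfif StructKeyExists(Session, "MM_UserAuthorization")>
            <cfset level = Trim(Session.MM_UserAuthorization)>
        </cfif>
    </cflock>
    <!--- Nothing stored means nobody is logged in: deny by default. --->
    <cfif Len(level) EQ 0>
        <cfreturn false>
    </cfif>
    <!--- ListFindNoCase only matches a whole list element.
          ListContains tests substrings, so ListContains("admin1", "admin")
          also reports a match, which is too loose for an access check. --->
    <cfreturn ListFindNoCase(arguments.allowedLevels, level) GT 0>
</cffunction>

<!--- Assumed location of the login page; adjust to the real path. --->
<cfset loginPage = "../login/index.cfm?failed=y">

<!--- Page guard: list EVERY level that may open the admin page.
      Listing only admin1 here sends admin2 away with no error message,
      which is the behaviour described in the thread. --->
<cfif NOT isAuthorized("admin1,admin2")>
    <cflocation url="#loginPage#" addtoken="no">
</cfif>

<!--- Per-level content inside the page. --->
<cfif isAuthorized("admin1")>
    Content to show if user is in access level admin1.
</cfif>
<cfif isAuthorized("admin2")>
    Content to show if user is in access level admin2.
</cfif>
```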