ColdFusion Tips and Tutorials

ColdFusion TIPS PLUS


Issue 00110 http://www.cftipsplus.com

I. My Comments

II. ColdFusion In Context: Managing Permissions
By R. Martin Ladner
martin.ladner@charter.net




I. Comments:

Hope you're doing well. If you would like to donate to CFTipsPlus.com, simply click on this link.

https://www.paypal.com/xclick/business=admin%40nsnd.com&item_name=CFTipsPlus



Keep Coding,
Nathan Stanford
http://www.cftipsplus.com

If you have suggestions for articles send them to us.
If you would like to write for cftipsplus.com
send us an email to:

NathanS<at>nsnd.com

IF YOU WANT TO BE AN AUTHOR SEND IN YOUR COLDFUSION TIPS.

Remember this is a great way to get your name known in the
ColdFusion Community.



II. ColdFusion in Context: Managing Permissions
By R. Martin Ladner
martin.ladner@charter.net


Suppose that not everyone who logs into your Web site should be able to change it or to read sensitive information. Here's an example of how you might make the permission information queried at login available to each page that needs it within the Web site.

Build a "Login" Page
Put this code in login.cfm. Simply invoke session management. Pretend that the login process has built a structure consisting of available functions and the user's access to those functions. Lock the session and copy the permission data to session memory. Let the cfdump tag demonstrate the new state of session memory. A simple form lets you leave this page when you're satisfied.

This is a pretend login page. It shows a way to invoke session management and set session variables as a result of a real login process.

<!--- Invoke session management --->
<cfapplication name="Permitdemo"
sessionmanagement="yes">

Here are the session variables after "login".

<!--- Set permissions as if by login --->
<cfset Temp=structNew()>
<cfset dummy=structInsert(Temp, "WELCOME", "RU")>
<cfset dummy=structInsert(Temp, "ARTICLES", "A")>
<cfset dummy=structInsert(Temp, "USERS", "R")>

<cflock scope="session" timeout="30" throwontimeout="yes" type="exclusive">
    <cfset session.Permit = Temp>
    <cfdump var="#session#">
</cflock>

<form method="post" action="Work/Demo.cfm">
<input name="doit" type="submit" value="Go">
</form>

Create Application.cfm
Application.cfm gets included by every attempt to browse a ColdFusion page. That makes it a useful place to retrieve permissions from session memory. To avoid conflicts with the code in the login page, create a work directory and put Application.cfm (and the code that actually performs the functions of your site) in that directory rather than in the root directory.

Put the following code in Work/Application.cfm. Invoke session management, making sure to use the same application name as you used for the login function. Structcopy would just copy pointers. Use the duplicate function instead to copy the actual values from session scope to request scope. The entire structure gets copied by just one line of code (inside of a cflock tag). This time, a readonly lock is good enough; you're not writing to memory.

The access function will make it easy for the individual pages to get information out of the permission structure. You don't have to declare the function's variables (var...), but if you don't, they will be visible to and may interfere with other ColdFusion functions. Check to see if the key exists to avoid throwing an error. If it does exist, find the associated value. If the value is "A" or contains the needed access, return true.


<!--- Invoke session management --->
<cfapplication name="Permitdemo"
sessionmanagement="yes">

<!--- Copy variables from session memory to request scope --->
<cflock scope="session" timeout="30" throwontimeout="yes" type="readonly">
    <cfset request=duplicate(session)>
</cflock>

<!--- Define access function --->
<cfscript>
// Returns true only if the user's access to TheAction includes TheAccess or "A".
// Note: "contains" is a case-insensitive substring test.
function allow(TheAction, TheAccess) {
    var Answer = "";
    var Verdict = false;
    // Deny if no permissions were copied (no login) or the action is not listed
    if (structKeyExists(request, "Permit") and structKeyExists(request.Permit, TheAction)) {
        Answer = structFind(request.Permit, TheAction);
        if (Answer contains TheAccess) {
            Verdict = true;
        }
        else if (Answer contains "A") {
            Verdict = true;
        }
    }
    return Verdict;
}
</cfscript>

Make a Demonstration Page
Place this code in Work/Demo.cfm. The cfdump tag comes to the rescue again, this time to demonstrate that the session data was successfully copied to the request scope. You would usually use the access function in a decision statement to permit or deny the use of a given function based on the relationship between the user's access and the access required by the code for this function. To show how the access function works with various combinations of data, its output is simply displayed for this demonstration. Note that user permission of "A" covers all bases, while if the activity to be performed is not named in the user's permission variable (Permit) at all - see CALENDAR - the access function returns a value of false to block access.

Here are the request variables available without locks to all pages browsed in this directory.
<cfdump var="#request#">
<p>
Can this user...
<p>
<cfoutput>
Read the welcome banner? #allow("WELCOME","R")#<br>
Update the welcome banner? #allow("WELCOME","U")#
<p>
Create new articles? #allow("ARTICLES","C")#<br>
Read articles? #allow("ARTICLES","R")#<br>
Update articles? #allow("ARTICLES","U")#<br>
Take other actions with articles
(delete, archive, mail, etc.)? #allow("ARTICLES","A")#
<p>
Create user accounts? #allow("USERS","C")#<br>
Read user accounts? #allow("USERS","R")#<br>
Update user accounts? #allow("USERS","U")#<br>
Take other actions with user accounts? #allow("USERS","A")#<br>
<p>
Create calendar items? #allow("CALENDAR","C")#<br>
Read calendar items? #allow("CALENDAR","R")#<br>
Update calendar items? #allow("CALENDAR","U")#<br>
Take other actions with calendar items?
#allow("CALENDAR","A")#
</cfoutput>
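
The decision statement described above, as an added example that is not part of the original tip: a hypothetical page, Work/EditWelcome.cfm, that uses allow() to gate both reading and updating the welcome banner. The page name, the form field names and the application.WelcomeBanner variable are assumptions made for illustration.

```cfml
<!--- Work/EditWelcome.cfm: hypothetical page, added example --->
<!--- Assumes allow() from Work/Application.cfm; application.WelcomeBanner is a made-up store --->

<!--- Deny by default: stop before any output unless the user may read the banner --->
<cfif not allow("WELCOME", "R")>
    <cfheader statuscode="403" statustext="Forbidden">
    <p>You do not have permission to view this page.</p>
    <cfabort>
</cfif>

<!--- Re-check on the server when the form is posted. Hiding the form further down
      does not stop a request that posts to this page directly. --->
<cfif isDefined("form.save") and isDefined("form.banner")>
    <cfif not allow("WELCOME", "U")>
        <cfheader statuscode="403" statustext="Forbidden">
        <p>You do not have permission to update the banner.</p>
        <cfabort>
    </cfif>
    <cflock scope="application" timeout="30" throwontimeout="yes" type="exclusive">
        <cfset application.WelcomeBanner = form.banner>
    </cflock>
</cfif>

<!--- Read the current banner under a readonly lock --->
<cfset Banner = "">
<cflock scope="application" timeout="30" throwontimeout="yes" type="readonly">
    <cfif structKeyExists(application, "WelcomeBanner")>
        <cfset Banner = application.WelcomeBanner>
    </cfif>
</cflock>

<cfoutput>
<!--- Escape stored text before writing it into the page --->
<p>#htmlEditFormat(Banner)#</p>

<!--- Offer the edit form only to users who may update --->
<cfif allow("WELCOME", "U")>
    <form method="post" action="EditWelcome.cfm">
        <input name="banner" type="text" value="#htmlEditFormat(Banner)#">
        <input name="save" type="submit" value="Save">
    </form>
</cfif>
</cfoutput>
```

With the sample permissions set in login.cfm ("RU" for WELCOME), this user sees the banner and the form; a user whose WELCOME entry is only "R" sees the banner, and a posted update is refused.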

Have Fun
Details have been glossed over here. We took the defaults for session management. This tip doesn't get into the mechanics of getting the permission data out of the database in the first place. However, there's enough information here for you to readily control any site function based on user permissions determined at login.
=Marty=




Publisher and Creator:
Nathan Stanford,
NathanS<at>nsnd.com
http://www.cftipsplus.com

Macromedia and ColdFusion are U.S. registered trademarks.


Copyright (c) 2000 - 2002
CFTIPSPLUS.COM and NSND.COM

Permission is granted to circulate this publication via
MANUAL forwarding by email to friends provided that the text is
forwarded in its entirety and no fee is charged.
