Re: Direct Access
Web Connection
Dec. 21, 2012
12:30 pm
From:Rick Strahl
To:Potter Orr

No matter what, if you use authentication always make sure that every page actually calls the authentication/validation check.

Either implement OnAuthenticate() to handle this so you can just call Authenticate() on each page as Stein recommended, or have another method that abstracts that check so it's a single simple method call - this should be as easy as possible.

If your entire application is locked down by these permissions (i.e. every page) you can also put that validation right at the top in OnProcessInit() and then it applies to every request. You might have to filter out a couple of pages like the Login page and maybe the landing page by looking at the script name.

Something like this:

FUNCTION OnProcessInit
   THIS.InitSession("ttrak")

   IF !INLIST(UPPER(JUSTFNAME(Request.GetPhysicalPath())),"DEFAULT","LOGON") AND ;
      !THIS.Authenticate("ANY")
      RETURN .F.
   ELSE
      *** Always grab the authenticated user so we can show on default page as well
      this.cAuthenticatedUser = Session.GetSessionVar(this.cAuthenticationUserSecurityKey)
      this.cAuthenticatedUserName = Session.GetSessionVar("AuthenticatedUserName")
   ENDIF

   RETURN .T.
ENDFUNC

This lets you control authentication globally.

The TimeTrakker example from last year's training demonstrates how to do this all the way down with custom overridden Authenticate and OnAuthenticate methods.

Hope this helps,

+++ Rick ---


Thanks for the help - Arnold & Stein. I figured it out using the Session variables. This was complicated by the fact that the app has 4 levels of access. If you are just an individual, you only get to see your own record. If you are a committee member you are allowed to see all the people within the jurisdiction of your committee and if you are a manager or trustee, you are allowed to see everyone.

I manage this by creating a cursor containing the list of all those your access allows and then let the user click on a name in the grid and call the Person1 page. The fix was to look at the access code granted on login (saved in Sessions) and validate against that in the OnLoad of the Person1 page.

Seems to work properly on my test bed - production next.

Thanks Again,

Potter
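The two checks discussed in this thread, written out as an added example in Python rather than in Web Connection's FoxPro (this is not code from the thread or from West Wind): a per-request gate that exempts only the DEFAULT and LOGON scripts, and a record-level authorization check for the four access levels Potter describes, decided from values stored in the session at login rather than from the Id in the URL. The session keys (AuthenticatedUser, AccessLevel, Committee), the sample Person records and the committee names are constructed assumptions; the record id 20138204 is the one from the screenshot URL in the thread.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# Scripts that may be served without a logged-in session (the same exemption
# the thread's OnProcessInit applies to DEFAULT and LOGON).
PUBLIC_SCRIPTS = {"DEFAULT", "LOGON"}

# The four access levels from the thread, least to most privileged.
INDIVIDUAL, COMMITTEE, MANAGER, TRUSTEE = "individual", "committee", "manager", "trustee"


@dataclass(frozen=True)
class Person:
    id: int
    committee: str  # jurisdiction the record falls under (constructed)


# Constructed stand-in for the Person table; 20138204 is the id from the thread.
PEOPLE = {
    20138204: Person(20138204, "north"),
    20138205: Person(20138205, "north"),
    20138206: Person(20138206, "south"),
}


def is_authenticated(session: dict) -> bool:
    """Stand-in for Process.Authenticate(): only a session that holds an
    authenticated user id counts as logged in (assumed session key)."""
    return bool(session.get("AuthenticatedUser"))


def request_allowed(script_name: str, session: dict) -> bool:
    """Global gate: every script except the public ones needs a session."""
    if script_name.upper() in PUBLIC_SCRIPTS:
        return True
    return is_authenticated(session)


def can_view_person(session: dict, person_id: int) -> bool:
    """Record-level authorization. Everything it relies on was written into
    the session at login; nothing comes from the request's query string."""
    if not is_authenticated(session):
        return False
    person = PEOPLE.get(person_id)
    if person is None:
        return False
    level = session.get("AccessLevel")
    if level in (MANAGER, TRUSTEE):
        return True  # managers and trustees see everyone
    if level == COMMITTEE:
        return person.committee == session.get("Committee")  # own jurisdiction only
    if level == INDIVIDUAL:
        return person.id == session.get("AuthenticatedUser")  # own record only
    return False  # unknown level: deny


def person_page(script_name: str, session: dict, raw_id: str) -> tuple:
    """Simulated Person1 handler returning (status, body). raw_id is the
    URL-encoded Id parameter as it appeared in the thread (e.g. '%20%2020138204')."""
    if not request_allowed(script_name, session):
        return 302, "redirect to LOGON"
    try:
        person_id = int(unquote(raw_id).strip())
    except ValueError:
        return 400, "bad id"
    if not can_view_person(session, person_id):
        return 403, "not authorized"
    return 200, f"record {person_id}"


if __name__ == "__main__":
    # The situation from the thread: a URL typed into the address bar with no session.
    print(person_page("Person1", {}, "%20%2020138204"))
    # An individual looking at someone else's record gets refused.
    me = {"AuthenticatedUser": 20138204, "AccessLevel": INDIVIDUAL}
    print(person_page("Person1", me, "20138205"))
```

The point of splitting the logic in two is that authentication alone (the first gate) would not have stopped the reported bypass: the user was logged in, and changing the Id still showed other people's records. That second problem is only closed by can_view_person, which compares the requested record against the access level saved at login.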


Can't say for sure without seeing the code for your Person1 page (or process method if this is a classic WW page) but it seems like you're allowing the page to display without invoking a call to the authentication routines. Somewhere in there, preferably early in the page loading process, you'd want something like this (assuming you're using the built-in security routines):
IF !Process.Authenticate()
   RETURN
ENDIF



A user of my WestWind page emailed me to say that he could bypass the login process completely once he had ever logged in. He sent me a screen shot that shows: myalbat.org/Person1.alb?Id=%20%2020138204 in the address bar.

I typed that into the address bar from my computer and it took me straight to his page - something I never should have been able to do. What have I missed? The last 6 digits of that address are the serial number of his record and if I change that number, I can see other people too.

Potter


Rick Strahl
West Wind Technologies
from Maui, Hawaii
Making waves on the Web