Question : How to restrict access to specific folders using variable "UserRoleID"?

ColdFusion 8, MS SQL Server 2005

Problem in brief: I want to restrict access to specific folders according to variable "UserRoleID". Only a logged-in UserID with a specific UserRoleID should be able to see certain folders.

Problem in detail:
Thanks to a lot of patient assistance from _agx_, gdemaria, and other experts, I have been able to get a user registration application working very well, at http://www.nbptsprincipals.org/admin/.

Currently if a user is logged in to this application, then she can see all web pages in restricted folders /admin/, /liaison/, and /principal/. The code that allows this is in application.cfc, in function onRequestStart, thus:

    <cfset var securefolders = "admin,liaison,principal">

    <cfif listFindNoCase(securefolders,listFirst(cgi.script_name,"/")) and session.auth.isLoggedIn is False>
      <cfinclude template="LoginForm.cfm">
      <cfabort>
    </cfif>

Other notes:
1. In my database table there are three UserRoleIDs:

UserRoleID = 1 (administrator)
UserRoleID = 3 (liaison)
UserRoleID = 5 (principal)

2. In the data table, the PK is UserID. Different UserIDs have different UserRoleIDs.

Problem:
I am trying to restrict access to folders by UserID:

      * logged-in UserIDs with UserRoleID 1 can see everything.

      * logged-in UserIDs with UserRoleID 3 can see everything except content in folder /admin/.

      * logged-in UserIDs with UserRoleID 5 can see everything except content in folders /admin/ and /liaison/.

What I have tried:
I have worked on this task for much of today. In application.cfc, I have experimented with different CFIF statements, and finally came up with this:

<!--- if visitor is not logged in, she does not see restricted folders, and gets sent to LoginForm.cfm --->
    <cfif session.auth.isLoggedIn is False>

<!--- cfset secure folders --->
<cfset var securefolders = "admin,liaison,principal">
      <cfif listFindNoCase(securefolders,listFirst(cgi.script_name,"/"))>
      <cfinclude template="LoginForm.cfm">
      <cfabort>
    </cfif>
    </cfif>
   

<!--- if visitor is logged in as UserRoleID 1, then she can see all folders --->
    <cfif session.auth.isLoggedIn is True and session.auth.UserID is 1>
<cfset var securefolders = "">
    <cfif listFindNoCase(securefolders,listFirst(cgi.script_name,"/"))>
      <cfinclude template="LoginForm.cfm">
      <cfabort>
    </cfif>
    </cfif>


<!--- if visitor is logged in as UserRoleID 3, then she can see all folders except folder /admin/ --->
    <cfif session.auth.isLoggedIn is True and session.auth.UserID is 3>
<cfset var securefolders = "admin">
    <cfif listFindNoCase(securefolders,listFirst(cgi.script_name,"/"))>
      <cfinclude template="LoginForm.cfm">
      <cfabort>
    </cfif>
    </cfif>


<!--- if visitor is logged in as UserRoleID 5, then she can see all folders except folder /admin/ and /liaison/ --->
    <cfif session.auth.isLoggedIn is True and session.auth.UserID is 3>
<cfset var securefolders = "admin,liaison">
    <cfif listFindNoCase(securefolders,listFirst(cgi.script_name,"/"))>
      <cfinclude template="LoginForm.cfm">
      <cfabort>
    </cfif>
    </cfif>

But, ColdFusion rejects my work, above. CF tells me that <cfset var securefolders = "admin,liaison,principal"> must be placed first inside function onRequestStart, which ruins the CFIF scheme I developed, above.

What is a better way to restrict access to folders by UserRoleID?

Thank you as always for any advice. I attach below my current application.cfc.

Eric

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157:

<!--- Filename: Application.cfc Created by: Raymond Camden ([email protected]) Modified by: Eric B, gdemaria, _agx_ July 2010 ---> <cfcomponent output="false"> <!--- Name the application. ---> <cfset this.name="NBPTS"> <!--- Turn on session management. ---> <cfset this.sessionManagement="true"> <!--- set path to cfform.js ---> <cfparam name="request.CFFORM_JS_Lib" type="string" default="http://76.12.181.86/CFIDE/scripts/cfform.js" /> <!--- function: onApplicationStart ---> <cffunction name="onApplicationStart" output="false" returnType="void"> <!--- Any variables set here can be used by all of the application's pages ---> <cfset APPLICATION.dataSource = "ebwebwork"> <cfset APPLICATION.companyName = "NBPTS"> </cffunction> <cffunction name="clearSessionVariables" returntype="void"> <!--- defined all session variables, so they will always exist ----> <cfset session.auth = structNew()> <cfset session.auth.isLoggedIn = false> <cfset session.auth.UserID = ""> <cfset session.auth.Title = ""> <cfset session.auth.FirstName = ""> <cfset session.auth.MiddleInitial = ""> <cfset session.auth.LastName = ""> <cfset session.auth.Address = ""> <cfset session.auth.City = ""> <cfset session.auth.State = ""> <cfset session.auth.ZIP = ""> <cfset session.auth.Telephone = ""> <cfset session.auth.Sex = ""> <cfset session.auth.DateofBirth = ""> <cfset session.auth.Race = ""> <cfset session.auth.UserEmail = ""> <cfset session.auth.UserPassword = ""> <cfset session.auth.UserRoleID = ""> <cfset session.auth.lastError = ""> </cffunction> <cffunction name="onSessionStart" returntype="void"> <!--- defined all session variables, so they will always exist ----> <cfset clearSessionVariables()> </cffunction> <!--- function: onRequestStart ---> <cffunction name="onRequestStart" output="false" returnType="void"> <cfset var securefolders = "temp,admin,liaison,principal,index.cfm,nbpts_principals.cfm,nbpts_liaisons.cfm,nbpts_process.cfm"> <cfset request.encryptionKey = "xxxxxx"> <!--- if query_string contains cast(, then abort! ---> <cfif cgi.query_string contains "cast("> <cfabort> </cfif> <!--- begin cfif isDefined("form.userEmail") and isDefined("form.userPassword") ---> <cfif isDefined("form.userEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")> <!--- user is attempting to log in, so process the login request ----> <cfif NOT checkLogin(form.userEmail, form.userPassword)> <cfinclude template="LoginForm.cfm"> <!--- login failed, so show login form ----> <cfabort> <!--- close cfif NOT checkLogin(form.userEmail, form.userPassword) ---> </cfif> <!--- close cfif isDefined("form.userEmail") and isDefined("form.userPassword") and isDefined("form.doLogin") ---> </cfif> <cfif listFindNoCase(securefolders,listFirst(cgi.script_name,"/")) and session.auth.isLoggedIn is False> <cfinclude template="LoginForm.cfm"> <cfabort> </cfif> </cffunction> <!--- close function: onRequestStart ---> <!--- begin cfif isDefined("form.doLogin") ---> <cfif isDefined("form.doLogin")> <!--- begin function checkLogin ---> <cffunction name="checkLogin"> <cfargument name="p_UserEmail" required=false default="" /> <cfargument name="p_password" required=false default="" /> <cfset var UserPassword = trim(arguments.p_password)> <cfset var UserEmail = trim(arguments.p_UserEmail)> <cfset var getUser = ""> <cftry> <cfif len(UserPassword) eq 0 or len(UserEmail) eq 0> <cfthrow message="Please enter email address and password"> </cfif> <cfquery name="getUser" datasource="#APPLICATION.dataSource#"> SELECT UserID, FirstName, UserRoleID, UserEmail, UserPassword FROM tbl_NBPTS_Principals WHERE UserEmail = <cfqueryparam cfsqltype="cf_sql_varchar" value="#UserEmail#" maxlength="255"> </cfquery> <cfif getuser.recordCount eq 0> <cfthrow message="Incorrect email address and/or password. Be sure to enter the correct, original email address with which you registered at the NBPTS Principals Recruitment Portal. Please type your password carefully."> <cfelseif getUser.UserPassword is not UserPassword> <cfthrow message="Invalid Password."> </cfif> <cfset clearSessionVariables()> <cfset SESSION.auth.isLoggedIn = "Yes"> <cfset SESSION.auth.UserID = getUser.UserID> <cfset SESSION.auth.FirstName = getUser.firstName> <cfset SESSION.auth.UserRoleID = getUser.UserRoleID> <cfset SESSION.auth.UserEmail = getUser.UserEmail> <cfset SESSION.auth.lastError = ""> <!--- Now that user is logged in, send her to web root ---> <cflocation url="/"> <cfreturn true> <cfcatch> <cfset clearSessionVariables()> <cfset SESSION.auth.lastError = cfcatch.message> <cfreturn false> </cfcatch> </cftry> </cffunction> <!--- close function checkLogin ---> <!--- close cfif isDefined("form.doLogin") ---> </cfif> </cfcomponent>

Answer : How to restrict access to specific folders using variable "UserRoleID"?

Windows Live OneCare has been discontinued on 30.6.2009 and and has been built on RAV technology. Successor is Windows security essentials - a freeware tool. In short OneCare it is history...
I quite often use antimalware (or shortly MBAM) from Malwarebytes - a freeware version. This version does not have realtime scan, but it is quite effective against all sorts of malware.