What is a good foolproof way to protect an admin section of a site? So that if someone is logged in with a standard user role they would be redirected back to the root. Would it be better to do that in application.cfc or handle it on the individual pages?
1 Answer
The quick and dirty is that you should be using role based permissions. If you load the user's roles on login, you should be able to check if the user has a specific role before accessing various functionality throughout the application.
Let's say you have a basic app like this:
/Application.cfc - global settings
/index.cfm
/admin/Application.cfc - admin settings, extends the root Application.cfc
/admin/index.cfm
In the Application.cfc in the admin app folder, you can use onRequestStart to check for the admin role in the user's session object, then kick out (redirect) users that don't have that role. This would give you a single place to control access to all the code under the /admin/ folder.
The problem with this question is that there are so many ways to address this issue and without knowing how your application is setup, there's no way to know if this can be addressed in such a simple manner with your current implementation.

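The /admin/Application.cfc gate described in the answer, written out as an added example (not the answer's own code). It assumes a ColdFusion mapping "/root" pointing at the web root so that extends="root.Application" resolves to the root Application.cfc, that the root component defines onRequestStart, and that login stores the user's roles in session.user.roles as an array.

```cfml
// /admin/Application.cfc : one place that gates every request under /admin/.
// Assumptions (see lead-in): "/root" mapping exists, the parent defines
// onRequestStart, and login populates session.user.roles as an array.
component extends="root.Application" {

    // The parent's pseudo-constructor already runs here, so this.name,
    // this.sessionManagement and the mappings are inherited unchanged.

    public boolean function onRequestStart(required string targetPage) {
        // Keep the parent's per-request work (e.g. its login handling).
        if (!super.onRequestStart(arguments.targetPage)) {
            return false;
        }

        if (!hasRole("admin")) {
            // Non-admins go back to the site root. addToken=false keeps
            // session identifiers out of the URL; cflocation ends the request,
            // so nothing under /admin/ is ever rendered for them.
            location(url="/", addToken=false, statusCode=302);
        }
        return true;
    }

    private boolean function hasRole(required string roleName) {
        // Fail closed: a missing or malformed session counts as "no role".
        if (!structKeyExists(session, "user")
            || !structKeyExists(session.user, "roles")
            || !isArray(session.user.roles)) {
            return false;
        }
        return arrayFindNoCase(session.user.roles, arguments.roleName) > 0;
    }
}
```

If the roles are set with cfloginuser (as in the question's cflogin setup) rather than stored in the session, isUserInRole("admin") can replace the session lookup in hasRole().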
- So I am just starting a new application. I haven't really done much except get the site skeleton up. I wanted to get the authentication and admin stuff all set before I build this out. Currently I only have one application.cfc in the root. Other than setting some mappings I have my LDAP authentication in that file. I tried to have onRequestStart check cflogin roles and if it was User redirect back to the root but the redirect did not seem to be working. – spacerobot Jun 08 '21 at 15:06
- The term, `did not seem to be working`, is very vague. I suggest editing your question by adding the code in question, the expected/desired results, and the actual results. – Dan Bracuk Jun 08 '21 at 17:42
- I took some time and set it up like what was laid out above and got it working. – spacerobot Jun 09 '21 at 14:03