axa
Posted: 08/29/2002, 4:45 PM
The CC function CheckSecurity(iLevel) checks only the access level.
I'm not sure, but it looks like anybody with the same access level can browse protected pages if Session("UserID") is not empty.
For example: Admin is logged in and anybody with a lower access level can go to any page and screw up the data.
Is there anything in CC for user filtering?
I know that I can use cookies and check if userID in cookies = session userID ...
Nicole
Posted: 08/30/2002, 2:44 AM
Axa,
Some explanation about the CheckSecurity() function.
The iLevel parameter is the page access level. Only users whose UserRights is equal to or higher(!) than the iLevel value are permitted to access this page. Users with UserRights lower than iLevel are redirected to the login page.
E.g. if UserRights = 2, he is able to access pages with iLevel=1,2. But he cannot access a page with iLevel=3.
In case you want to forbid users from modifying records which are not related to them, then you should check it in the page open event using code like:
ASP
'I mean: compare the UserID value stored in the session to the user_id of the
'edited record. If they are different, it means that the user is trying to access
'a record that belongs to another user, so he can be redirected back from
'the page.
'CLng() forces the passed id to a number before it is concatenated into the WHERE clause.
user_id = dlookup("user_id", "table_name", "id_field=" & CLng(GetParam("passed_id_field")))
if CLng(Session("UserID")) <> CLng(user_id) then
    response.redirect "page_name.asp"
end if
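An added example, not part of the original posts and not CodeCharge's own code: the level check and the per-record ownership check from the reply above combined so that every failure path (no session, missing or non-numeric id, no such record) denies access. IsRecordId and OwnsRecord are hypothetical helper names; dlookup, GetParam and CheckSecurity are assumed to behave as they are used in the thread, and the table, field and page names are the same placeholders.

```vbscript
' Added example. IsRecordId and OwnsRecord are hypothetical helpers.

' True only for a plain positive integer of at most 9 digits, so the value
' is safe to pass to CLng() and to concatenate into a WHERE clause.
Function IsRecordId(v)
    Dim re
    IsRecordId = False
    If IsNull(v) Or IsEmpty(v) Then Exit Function   ' IsNumeric(Empty) is True, so test explicitly
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsRecordId = re.Test(CStr(v))
End Function

' True only when the record exists and its owner is the logged-in user.
Function OwnsRecord(sTable, sKeyField, sOwnerField, vRecordId)
    Dim owner_id
    OwnsRecord = False                                        ' deny by default
    If Not IsRecordId(Session("UserID")) Then Exit Function   ' not logged in
    If Not IsRecordId(vRecordId) Then Exit Function           ' missing or tampered id

    ' Same call shape as in the reply above (assumed dlookup signature).
    owner_id = dlookup(sOwnerField, sTable, sKeyField & "=" & CLng(vRecordId))
    If Not IsRecordId(owner_id) Then Exit Function            ' no such record or NULL owner

    OwnsRecord = (CLng(owner_id) = CLng(Session("UserID")))
End Function

' In the page open event of a record-edit page:
CheckSecurity 2   ' page-level gate: UserRights must be at least iLevel
If Not OwnsRecord("table_name", "id_field", "user_id", GetParam("passed_id_field")) Then
    Response.Redirect "page_name.asp"   ' record-level gate: owner only
End If
```

The same OwnsRecord call belongs in the code path that performs the update or delete, not only where the form is displayed, since the record id arrives from the client on both requests.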