bplessis #1
Problem with IsUserInRole
Hey,
I'm building a web app which needs some security.
For that I'm using an already defined database which handles user passwords,
group membership and functionality
per group or user.
So I filled the list of functionalities the user is allowed to use into the roles
param of cfloginuser.
This seems to work well until I need to dynamically check the authorisation.
E.g. if I use
<cfset fct="36">
<cfif (IsUserInRole(#fct#))>
test
</cfif>
everything is fine, I get the correct output if the user has the functionality
36,
but if the variable comes from an SQL query then everything fails.
Example of what I mean:
<cfquery name="fonction" datasource="si">
SELECT * FROM fonctionnalite
WHERE num_rubrique=#rubrique.num#
</cfquery>
<cfloop query="fonction">
<cfif (IsUserInRole(#fonction.num#))>
is authorized
</cfif>
</cfloop>
Any idea of how and/or why?
PS: I'm using CFMX version 6,1,0,63958 hosted on Linux
bplessis Guest
-
bplessis #2
Re: Problem with IsUserInRole
Well, if using a string instead of a number, everything works.
I'd prefer a number though, but ...
bplessis Guest
-
SamCurren #3
Re: Problem with IsUserInRole
Don't put # signs around your variable and no error will occur.
<cfif IsUserInRole(fonction.num)>
is authorized
</cfif>
SamCurren Guest
-
bplessis #4
Re: Problem with IsUserInRole
Nope, not better.
Although it works with or without '#' when using libelle (string),
nothing works when using the id (number).
Weird.
bplessis Guest
-
Sarge #5
Re: Problem with IsUserInRole
Can we see the complete CFLOGIN code? What it looks like to me is you are
looping over the IsUserInRole call, so the value of fonction.num will change
with each row retrieved. And I'm sure you know you assign roles to users with
<cfloginuser>. Now a more optimal way to do this is to create a list from the
retrieved records, then pass the list to <cfloginuser>:
<cfquery name='fonction' datasource='si'>
SELECT * FROM fonctionnalite
WHERE num_rubrique=#rubrique.num#
</cfquery>
<cfloginuser name='#j_username#' password='#j_password#'
roles='#valueList(fonction.num)#'>
Now your IsUserInRole should work properly. Remember you can only check against
one role at a time, so you may need an IF-ELSE block to go through all of the
possible roles. HTH,
Sarge Guest
-
bplessis #6
Re: Problem with IsUserInRole
Here is the <cflogin> code. Mostly taken from some snippet on the LiveDocs site.
PS: I do loop on some rows and apply IsUserInRole on the result, but it's to
dynamically generate the application menu.
<cflogin>
    <cfif NOT IsDefined("cflogin")>
        <cfinclude template="loginform.cfm">
        <cfabort>
    <cfelse>
        <cfif cflogin.name IS "" OR cflogin.password IS "">
            <cfoutput>
                <H2>You must enter text in both the User Name and Password fields</H2>
            </cfoutput>
            <cfinclude template="loginform.cfm">
            <cfabort>
        <cfelse>
            <!--- search login number --->
            <cfquery name="loginQuery" dataSource="sidys">
                SELECT login, num, num_groupe
                FROM log_personne
                WHERE pass='#cflogin.password#'
                AND login='#cflogin.name#'
            </cfquery>
            <!--- obtain groups --->
            <cfquery name="groupQuery" dataSource="sidys">
                SELECT num, nom
                FROM groupe
                WHERE num='#loginQuery.num_groupe#'
            </cfquery>
            <!--- query list of roles --->
            <cfquery name="droits" datasource="sidys">
                SELECT num_fonctionnalite AS fct, libelle
                ....
                UNION
                SELECT num_fonctionnalite AS fct, libelle
                ......
            </cfquery>
            <cfif loginQuery.num NEQ "">
                <cfloginuser name = "#cflogin.name#" password = "#cflogin.password#"
                    roles = "#ValueList(droits.libelle)#" />
            <cfelse>
                <cfoutput>
                    <H2>Your login information is not valid.<br>
                    Please Try again</H2>
                </cfoutput>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cfif>
    </cfif>
</cflogin>
bplessis Guest
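
The login query in post #6 interpolates cflogin.name and cflogin.password directly into the SQL text. The same flow with the values bound through cfqueryparam, as an added example that is not code from any poster in this thread: the log_personne and fonctionnalite names are the ones posted above, while the cfsqltype values, the maxlength limits, the libelle column on fonctionnalite and the groupe_fonctionnalite link table (standing in for the elided droits query) are assumptions.

```cfml
<cflogin>
    <!--- No credentials submitted yet, or a blank field: show the form again --->
    <cfif NOT IsDefined("cflogin") OR cflogin.name IS "" OR cflogin.password IS "">
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>

    <!--- Submitted values are bound as parameters, never spliced into the SQL.
          cfsqltype and maxlength are assumptions about the log_personne columns. --->
    <cfquery name="loginQuery" dataSource="sidys">
        SELECT login, num, num_groupe
        FROM log_personne
        WHERE login = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar" maxlength="64">
          AND pass = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <!--- Reject unless exactly one account matched, before any role lookup runs --->
    <cfif loginQuery.recordCount NEQ 1>
        <cfoutput><h2>Your login information is not valid.<br>Please try again</h2></cfoutput>
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>

    <!--- Hypothetical stand-in for the elided droits query: groupe_fonctionnalite
          is an assumed link table, fonctionnalite.libelle an assumed column,
          and num_groupe is assumed to be a non-null integer. --->
    <cfquery name="droits" dataSource="sidys">
        SELECT f.num AS fct, f.libelle
        FROM fonctionnalite f
        INNER JOIN groupe_fonctionnalite gf ON gf.num_fonctionnalite = f.num
        WHERE gf.num_groupe = <cfqueryparam value="#loginQuery.num_groupe#" cfsqltype="cf_sql_integer">
    </cfquery>

    <!--- Role names come only from the database, never from the request --->
    <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                 roles="#ValueList(droits.libelle)#">
</cflogin>
```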




