From: Bob Barrows [MVP] on
Daniel Crichton wrote:
>
>> Const gcsAllowedUser = "DLang; DLowe; DWood;"
>
>> If Instr(gcsAllowedUser, GetUser() & ";") = 0 Then
>> Response.Redirect("http://swvtc06/swvtc/default.asp")
>> End If
>
>> If you want to restrict a set of pages then put the above code in an
>> ASP page of its own, say priviledged.asp in the root of your web
>> then in each page you want to protect:-
>
> If a username that is a substring of an allowed name, for example
> Lowe or Wood, is added to the system, they'll be allowed access too
> without being added to the gcsAllowedUser list ...
>

This modification should remove that problem:

Const gcsAllowedUser = ";DLang;DLowe;DWood;"
If Instr(gcsAllowedUser, ";" & GetUser() & ";") = 0 Then

Of course, if your network is allowing duplicate user ids, then you have
another problem.
If users from multiple domain names are possible (thus raising the
likelihood of duplicate user ids), then you need to stop removing the
domain from logon_user and include the domains in gcsAllowedUser:
Const gcsAllowedUser = ";dc1\DLang;dc1\DLowe;dc2\DLowe;"




--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
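
The substring problem and the delimiter fix from the posts above, as an added example that is not part of the original thread. It runs under cscript rather than inside an ASP page; the function names, the sample logon values and the dictionary-based exact match are assumptions made for illustration, and the domains dc1/dc2 follow the post above.

```vbscript
Option Explicit

' Constructed data: account names from the thread, domains dc1/dc2 as in the post above.
Const LOOSE_LIST = "DLang; DLowe; DWood;"
Const DELIMITED_LIST = ";DLang;DLowe;DWood;"
Const QUALIFIED_LIST = "dc1\DLang;dc1\DLowe;dc2\DLowe"

' Original check: true for any name that is the tail of an allowed name.
Function LooseAllowed(user)
    LooseAllowed = (InStr(LOOSE_LIST, user & ";") > 0)
End Function

' Delimited check: the name must fill a whole ";name;" slot.
' Empty names (LOGON_USER is empty for anonymous requests) and names
' containing the delimiter are refused up front; the comparison ignores case.
Function DelimitedAllowed(user)
    DelimitedAllowed = False
    If Len(user) = 0 Or InStr(user, ";") > 0 Then Exit Function
    DelimitedAllowed = (InStr(1, DELIMITED_LIST, ";" & user & ";", vbTextCompare) > 0)
End Function

' Exact-match alternative: load DOMAIN\user entries into a dictionary.
Function BuildAllowList(entries)
    Dim d, entry
    Set d = CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare   ' must be set while the dictionary is empty
    For Each entry In Split(entries, ";")
        If Len(Trim(entry)) > 0 Then d(Trim(entry)) = True
    Next
    Set BuildAllowList = d
End Function

Dim qualified, candidate
Set qualified = BuildAllowList(QUALIFIED_LIST)

' Bare names, as GetUser() would return them after stripping the domain.
For Each candidate In Array("DLowe", "Lowe", "Wood", "dlowe", "DLang;DLowe", "")
    WScript.Echo "[" & candidate & "] loose=" & LooseAllowed(candidate) & _
                 " delimited=" & DelimitedAllowed(candidate)
Next

' Full LOGON_USER values (hypothetical), checked without stripping the domain.
For Each candidate In Array("dc1\DLowe", "dc2\DLowe", "dc2\DLang", "DLowe")
    WScript.Echo "[" & candidate & "] qualified=" & qualified.Exists(candidate)
Next
```

Inside an ASP page, replace WScript.Echo with Response.Write and pass the value of Request.ServerVariables("LOGON_USER") to the checks.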


From: Jeff Dillon on
So you don't have console access to the server?

Jeff
"Drew" <drew.laing(a)swvtc.dmhmrsas.virginia.gov> wrote in message
news:%239lCClfiIHA.2084(a)TK2MSFTNGP02.phx.gbl...
> "Jeff Dillon" <jeffdillon(a)hotmailremove.com> wrote in message
> news:uivIzBfiIHA.5968(a)TK2MSFTNGP04.phx.gbl...
>> You could just use NT permissions too, at the IIS or File System level.
>>
>> Create a local group on the server, and add the appropriate users to it.
>>
>> Jeff
>
> Very true, but as I said in an earlier message, setting permissions is
> easier said than done... the hoops they make me jump through are terrible!
>
> Drew
>


From: Anthony Jones on


--
Anthony Jones - MVP ASP/ASP.NET
"Daniel Crichton" <msnews(a)worldofspack.com> wrote in message
news:%23eIiMWpiIHA.5280(a)TK2MSFTNGP02.phx.gbl...
> Anthony wrote on Wed, 19 Mar 2008 16:41:11 -0000:
>
> > "Drew" <drew.laing(a)swvtc.dmhmrsas.virginia.gov> wrote in message
> > news:OZQKAqdiIHA.4076(a)TK2MSFTNGP05.phx.gbl...
> >> I am trying to limit access to certain pages on our intranet, and
> >> have been using the following code to do so,
>
> >> dim Login, L, LL, StringLen, NTUser
> >> Set Login = Request.ServerVariables("LOGON_USER")
> >> L=Len(Login)
> >> LL=InStr(Login, "\")
> >> StringLen=L-LL
> >> NTUser = (Right(Login, StringLen))
>
> >> If NTUser <> "DLaing" Then
> >> If NTUser <> "DLowe" Then
> >> If NTUser <> "DWoods" Then
> >> Response.Redirect("http://swvtc06/swvtc/default.asp")
> >> End If
> >> End If
> >> End If
>
> >> The problem is that if I want to add more users to have access to the
> >> page, then I have to add another IF and END IF line. I would like to
> >> implement some way to do this using an array. For instance put the
> >> usernames into the array and then if it matches then allow access, if
> >> not then redirect.
> >> I know this is not a bulletproof way to do this, and there are more
> >> robust methods, but this works very well for our user base and our
> >> needs. I am having a really bad case of brain block, and cannot, for
> >> the life of me, figure this out.
>
>
>
> > First let's deal with that user name thing:-
>
> > Function GetUser()
>
> > sLogon = Request.ServerVariables("LOGON_USER")
>
> > GetUser = Mid(sLogon, InStr(sLogon, "\") + 1)
>
> > End Function
>
> > Note no Set when getting LOGON_USER and Mid third parameter is optional
> > which when missing means 'to the end of the string'.
>
> > Const gcsAllowedUser = "DLang; DLowe; DWood;"
>
> > If Instr(gcsAllowedUser, GetUser() & ";") = 0 Then
> > Response.Redirect("http://swvtc06/swvtc/default.asp")
> > End If
>
> > If you want to restrict a set of pages then put the above code in an ASP
> > page of its own, say priviledged.asp in the root of your web then in
> > each page you want to protect:-
>
> If a username that is a substring of an allowed name, for example Lowe or
> Wood, is added to the system, they'll be allowed access too without being
> added to the gcsAllowedUser list ...
>
> While it should work for a simple setup, I just wanted to point out a
> possible pitfall of using this method on a wider scale.
>


Dan, nice catch. Although I wouldn't recommend this sort of thing for a
wider scale anyway. A DB and some form of role based security would be a
better general solution.

--
Anthony Jones - MVP ASP/ASP.NET