Using Application Security


<cflogin> and related tags are responsible for logging users in to and out of applications. It is up to the developer to implement access control based on role affiliation.

Explicit Access Control

To determine whether a logged-in user occupies a specific role, use the IsUserInRole() function. IsUserInRole() takes the name of a role as an argument and returns TRUE or FALSE.

The following example displays a series of menu options, one of which is available only to administrators:

    <li><a href="browse.cfm">Browse</a></li>
    <li><a href="add.cfm">Add</a></li>
    <cfif IsUserInRole("admin")>
      <li><a href="approve.cfm">Approve</a></li>
    </cfif>
    <li><a href="/login/logout.cfm">Logout</a></li>

NOTE

It is dangerous to merely restrict access by hiding menu options; the code that the menu actually calls must be protected too.


GetAuthUser() can be used at any time to determine the name of the authenticated user (the name that was passed to <cfloginuser>). This can be used for additional processing if needed.

Component Based Access Control

ColdFusion Components are reusable application components used within ColdFusion applications. ColdFusion Components are files containing sets of related functions (known as methods), which are defined using the <cffunction> tag.

For greater security and access control when building sophisticated applications, individual component methods may be secured by listing the ROLES that have rights to them. The <cffunction> roles attribute takes a list of roles; an authenticated user must have been authorized into those roles in order to execute the method, and ColdFusion refuses the call otherwise.
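The following worked example is added here and is not from the study guide. It ties the note above (protect the code the menu calls, not just the link) to the roles attribute: approve.cfm checks IsUserInRole() itself, and the component method it invokes is additionally restricted with roles="admin", so the check holds even if a calling page forgets it. Approvals.cfc, approveItem() and the "approvals" log file are assumed names; a <cflogin>/<cfloginuser> setup granting the admin role is assumed to exist elsewhere in the application.

```cfml
<!--- approve.cfm: the page the admin-only "Approve" menu option links to.
      Hypothetical example file; Approvals.cfc is assumed to sit in the same directory. --->

<!--- First layer: refuse the request itself, not merely hide the link. --->
<cfif NOT IsUserInRole("admin")>
    <cfthrow type="Security" message="Access denied: the admin role is required.">
</cfif>

<!--- Validate the input before doing anything with it. --->
<cfparam name="URL.id" type="integer">

<!--- Second layer: the component method is itself restricted by roles="admin". --->
<cfset approvals = CreateObject("component", "Approvals")>
<cfset approvals.approveItem(URL.id)>

<!--- GetAuthUser() returns the name passed to <cfloginuser>; record it for an audit trail. --->
<cflog file="approvals" type="information"
       text="Item #URL.id# approved by #GetAuthUser()#">

<cfoutput><p>Item #URL.id# approved by #GetAuthUser()#.</p></cfoutput>


<!--- Approvals.cfc: hypothetical component holding the protected method. --->
<cfcomponent>
    <!--- roles="admin": ColdFusion raises an error if the authenticated user
          does not hold the admin role, regardless of what the calling page checked. --->
    <cffunction name="approveItem" access="public" returntype="void" roles="admin">
        <cfargument name="id" type="numeric" required="true">
        <!--- Approval logic goes here, e.g. a <cfquery> that updates the item. --->
    </cffunction>
</cfcomponent>
```

The two files are shown together for readability; in an application they are separate files.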

ColdFusion Components are covered in Chapter 31, "ColdFusion Components."




Macromedia ColdFusion MX 7 Certified Developer Study Guide
ISBN: 0321330110
Year: 2004
Pages: 389
Authors: Ben Forta
