Basic fusebox fuseaction to handle security references
I am a big fan of fusebox. I like the way it handles inheritance, and I love the fact that it naturally lends itself to a modular approach.
Part of the strength of fusebox is in knowing exactly when each of the framework fuseactions runs, and what sort of functionality you can embed in them. In this case I'm using the prefuseaction to perform a basic security validation on every fuseaction in that circuit.
<!--- Opening tag restored: the extracted listing had lost its first line. In Fusebox 5 the prefuseaction lives in the circuit's circuit.cfc and receives the framework object and the event. --->
<cffunction name="prefuseaction" access="public" returntype="void" output="true">
    <cfargument name="myFusebox" type="any" required="true" />
    <cfargument name="event" type="any" required="true" />

    <!--- code placed here runs before every fuseaction in this circuit --->

</cffunction>
Above is a blank prefuseaction; insert any code you want to run ahead of the other fuseactions in that circuit here. Note that it runs before the circuit's own fuseaction.
A basic session validation script could be something like:
<!--- First check: is there a logged-in session at all? cflocation stops processing, so nothing below runs for anonymous visitors. --->
<cfif NOT isDefined('session.loggedIn')>
    <cfset session.logoutMsg = "Your session has timed out, please login again" />
    <cflocation url="index.cfm" />
</cfif>

<!--- Second, independent check: the logged-in user must also hold the superadmin flag. (In the original listing this block was nested inside the first cfif, where it could never run.) --->
<cfif NOT isDefined('session.superadmin')>
    <cfset session.logoutMsg = "You do not have sufficient rights to view Super admin functions" />
    <cflocation url="index.cfm" />
</cfif>
In the code above I check for the required session variables; if one is not there, I set an error message and redirect to the homepage.
This is a pretty basic "catch all - are you logged in?" type check, but if you have an administration circuit it provides good basic fuseaction protection. I've extended it one step further by creating a CFC call for this code which just returns true/false. Something like this:
I am currently extending this further with more robust security, and user roles and groups.
It's also worth adding addtoken="false" to your cflocation tag, as you don't want the cfid and cftoken in your URL: someone could use them to hijack the session.
Originally there were several other conditional statements in there, based around a more complex security model, but I edited it down for this example. Must remember to actually validate edited 'blog-code'.
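To show how the true/false CFC idea and the addtoken="false" advice fit together, here is an added example (my own code, not the post's or the Fusebox project's). It assumes a hypothetical Security.cfc reachable from the circuit, and that the login routine sets session.loggedIn to true and session.roles to a comma-delimited list of role names; both names are assumptions, not part of the original post.

```cfml
<!--- ===== Security.cfc (hypothetical component, added example) ===== --->
<cfcomponent output="false">

    <!--- Returns true only when a login routine has set session.loggedIn to a true boolean. --->
    <cffunction name="isLoggedIn" access="public" returntype="boolean" output="false">
        <cfif NOT structKeyExists(session, "loggedIn")>
            <cfreturn false />
        </cfif>
        <cfreturn isBoolean(session.loggedIn) AND session.loggedIn />
    </cffunction>

    <!--- Returns true when the logged-in user holds the named role.
          session.roles is assumed to be a comma-delimited list such as "editor,superadmin". --->
    <cffunction name="hasRole" access="public" returntype="boolean" output="false">
        <cfargument name="role" type="string" required="true" />
        <cfif NOT isLoggedIn() OR NOT structKeyExists(session, "roles")>
            <cfreturn false />
        </cfif>
        <cfreturn listFindNoCase(session.roles, arguments.role) GT 0 />
    </cffunction>

</cfcomponent>


<!--- ===== prefuseaction in the admin circuit's circuit.cfc (added example) ===== --->
<cffunction name="prefuseaction" access="public" returntype="void" output="true">
    <cfargument name="myFusebox" type="any" required="true" />
    <cfargument name="event" type="any" required="true" />

    <!--- Component path is an assumption; adjust to where Security.cfc lives in your application. --->
    <cfset var security = createObject("component", "Security") />

    <!--- Not logged in at all: record a message and send the visitor to the login page.
          addtoken="false" keeps cfid/cftoken out of the URL so they cannot be copied from it. --->
    <cfif NOT security.isLoggedIn()>
        <cfset session.logoutMsg = "Your session has timed out, please login again" />
        <cflocation url="index.cfm" addtoken="false" />
    </cfif>

    <!--- Logged in but lacking the role this circuit requires. A separate check, not nested
          in the one above, so it is evaluated for every authenticated request. --->
    <cfif NOT security.hasRole("superadmin")>
        <cfset session.logoutMsg = "You do not have sufficient rights to view Super admin functions" />
        <cflocation url="index.cfm" addtoken="false" />
    </cfif>
</cffunction>
```

Because cflocation ends request processing, each check can redirect immediately and the fuseactions in the circuit only ever run for a session that passed both checks. Keeping the role test in the CFC means the circuit only needs to change the role name if a different circuit requires a different role.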