I have talked before about branch-specific permissions on the site tree, which go a long way toward creating effective “members only” sections on your website. Recently, however, I was tasked with a situation that was slightly different.
CF Webtools works with a lot of financial sites using a product called Finwin. This is one of the first times we have put a financial site into FarCry, so the unique challenge was to create a displayTeaser.cfm page for dmNews but have the content of the news stories protected. This sounds easy enough, but here is where I ran into an issue…
FarCry automatically associates an objectid with a “type” and automatically looks for a displayPage.cfm file associated with that type. The branch-specific permissions are handled by the display.cfm file inside the core files. So, here is what I did to accomplish this task:
First I created the displayTeaser.cfm file and two displayPage files for the dmNews type in /farcry/
The teaser works like any other news teaser… Display the title, the teaser text and a link to the full story. Easy enough. The purpose of two displayPage files is so the user can select whether or not to protect each individual story rather than selecting a global yes or no protection for dmNews. displayPageDefault.cfm is a standard display page. Show the title and body of the story. displayPageProtected.cfm is an exact copy of displayPageDefault.cfm with one exception… The following code exists at the top of the page to check view permissions:
<!--- determine the policy groups (or roles) this user belongs to --->
<cfif isDefined("session.dmsec.authentication.lPolicyGroupIDs") and listLen(session.dmsec.authentication.lPolicyGroupIDs)>
    <!--- concatenate logged in group permissions with anonymous group permissions --->
    <cfset lpolicyGroupIds = session.dmsec.authentication.lPolicyGroupIDs & "," & application.dmsec.ldefaultpolicygroups>
<cfelse>
    <!--- user not logged in, clear out --->
    <cfset lpolicyGroupIds = ''>
</cfif>

<!--- check permissions on the current nav node --->
<cfscript>
    oAuthorisation = request.dmsec.oAuthorisation;
    oAuthentication = request.dmsec.oAuthentication;
    iHasViewPermission = oAuthorisation.checkInheritedPermission(objectid=request.navid,permissionName="View",lpolicyGroupIds=lpolicyGroupIds);
</cfscript>

<!--- if the user is unable to view the object, then logout and send to login form --->
<cfif iHasViewPermission NEQ 1>
    <!--- log out the user --->
    <cfset oAuthentication.logout()>
    <cflocation url="/farcry/login.cfm?returnUrl=#application.url.conjurer#?#URLEncodedFormat(cgi.query_string)#" addtoken="false">
    <cfabort>
</cfif>
Notice that in the first cfelse, if session.dmsec.authentication.lPolicyGroupIDs is not defined or not set, we set lpolicyGroupIds = ''. This affects the call to oAuthorisation.checkInheritedPermission(), and the result is that the user is unauthorized to view the content.
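The group-resolution branch described above, worked through four session states as an added example (not code from the original post or from FarCry). The names resolvePolicyGroups and standInCheck are hypothetical, the group IDs are constructed, and standInCheck is an assumed stand-in for oAuthorisation.checkInheritedPermission(), whose real rules are not shown on this page.

```cfml
<cfscript>
// Added example: models the policy-group resolution from displayPageProtected.cfm.
// resolvePolicyGroups() and standInCheck() are hypothetical names, not FarCry functions.

// Same branch logic as the cfif at the top of displayPageProtected.cfm.
function resolvePolicyGroups(required struct auth, required string defaultGroups) {
    if (structKeyExists(arguments.auth, "lPolicyGroupIDs") and listLen(arguments.auth.lPolicyGroupIDs)) {
        // logged in: own groups plus the anonymous (default) groups
        return arguments.auth.lPolicyGroupIDs & "," & arguments.defaultGroups;
    }
    // not logged in, or an empty list: no groups at all, so the check fails closed
    return "";
}

// ASSUMPTION: stand-in for oAuthorisation.checkInheritedPermission(); returns 1 only
// when one of the user's groups is in the list granted View on the nav node.
function standInCheck(required string grantedGroups, required string userGroups) {
    var i = 0;
    for (i = 1; i lte listLen(arguments.userGroups); i = i + 1) {
        if (listFind(arguments.grantedGroups, listGetAt(arguments.userGroups, i))) {
            return 1;
        }
    }
    return 0;
}

// Constructed sample data: group 1 = anonymous default, group 7 = members.
defaultGroups = "1";
nodeGrantsView = "7";
cases = [
    { label = "anonymous (key missing)", auth = {} },
    { label = "session with empty list", auth = { lPolicyGroupIDs = "" } },
    { label = "logged-in member", auth = { lPolicyGroupIDs = "7" } },
    { label = "logged-in, wrong group", auth = { lPolicyGroupIDs = "4" } }
];
for (i = 1; i lte arrayLen(cases); i = i + 1) {
    groups = resolvePolicyGroups(cases[i].auth, defaultGroups);
    allowed = standInCheck(nodeGrantsView, groups);
    writeOutput(cases[i].label & ": groups=[" & groups & "] view=" & allowed & "<br>");
}
</cfscript>
```

In this model, changing nodeGrantsView to "1,7" still leaves both anonymous cases at view=0, but every logged-in user passes because the default groups are appended to their list, so the nav node's View permission should not be granted to the default groups if only members are meant to read the story.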