Use array to limit access

Drew

I am trying to limit access to certain pages on our intranet, and have been
using the following code to do so,

dim Login, L, LL, StringLen, NTUser
Set Login = Request.ServerVariables("LOGON_USER")
L=Len(Login)
LL=InStr(Login, "\")
StringLen=L-LL
NTUser = (Right(Login, StringLen))

If NTUser <> "DLaing" Then
    If NTUser <> "DLowe" Then
        If NTUser <> "DWoods" Then
            Response.Redirect("http://swvtc06/swvtc/default.asp")
        End If
    End If
End If

The problem is that if I want to add more users to have access to the page,
then I have to add another IF and END IF line. I would like to implement
some way to do this using an array. For instance put the usernames into the
array and then if it matches then allow access, if not then redirect. I
know this is not a bulletproof way to do this, and there are more robust
methods, but this works very well for our user base and our needs. I am
having a really bad case of brain block, and cannot, for the life of me,
figure this out.

Thanks,
Drew
 
Tim Slattery

Drew said:
I am trying to limit access to certain pages on our intranet, and have been
using the following code to do so,

dim Login, L, LL, StringLen, NTUser
Set Login = Request.ServerVariables("LOGON_USER")
L=Len(Login)
LL=InStr(Login, "\")
StringLen=L-LL
NTUser = (Right(Login, StringLen))

If NTUser <> "DLaing" Then
    If NTUser <> "DLowe" Then
        If NTUser <> "DWoods" Then
            Response.Redirect("http://swvtc06/swvtc/default.asp")
        End If
    End If
End If

The problem is that if I want to add more users to have access to the page,
then I have to add another IF and END IF line. I would like to implement
some way to do this using an array. For instance put the usernames into the
array and then if it matches then allow access, if not then redirect. I
know this is not a bulletproof way to do this, and there are more robust
methods, but this works very well for our user base and our needs. I am
having a really bad case of brain block, and cannot, for the life of me,
figure this out.

I'd recommend using the Dictionary object (Set xxx =
CreateObject("Scripting.Dictionary")), which is a hash map. Put your
allowed userids in a file. When the application starts, read the file
and use it to load the dictionary. Then when a user comes in, just
check to see if the userid is in the dictionary.

Here's a tutorial: http://www.asptutorial.info/learn/Dictionary.asp
 
Anthony Jones

Tim Slattery said:
I'd recommend using the Dictionary object (Set xxx =
CreateObject("Scripting.Dictionary")), which is a hash map. Put your
allowed userids in a file. When the application starts, read the file
and use it to load the dictionary. Then when a user comes in, just
check to see if the userid is in the dictionary.

Where would you suggest the dictionary be stored??
 
Anthony Jones

Drew said:
I am trying to limit access to certain pages on our intranet, and have been
using the following code to do so,

dim Login, L, LL, StringLen, NTUser
Set Login = Request.ServerVariables("LOGON_USER")
L=Len(Login)
LL=InStr(Login, "\")
StringLen=L-LL
NTUser = (Right(Login, StringLen))

If NTUser <> "DLaing" Then
    If NTUser <> "DLowe" Then
        If NTUser <> "DWoods" Then
            Response.Redirect("http://swvtc06/swvtc/default.asp")
        End If
    End If
End If

The problem is that if I want to add more users to have access to the page,
then I have to add another IF and END IF line. I would like to implement
some way to do this using an array. For instance put the usernames into the
array and then if it matches then allow access, if not then redirect. I
know this is not a bulletproof way to do this, and there are more robust
methods, but this works very well for our user base and our needs. I am
having a really bad case of brain block, and cannot, for the life of me,
figure this out.


First let's deal with that user name thing:-

Function GetUser()

    ' LOGON_USER is DOMAIN\user; keep only the part after the backslash
    sLogon = Request.ServerVariables("LOGON_USER")

    GetUser = Mid(sLogon, InStr(sLogon, "\") + 1)

End Function

Note no Set when getting LOGON_USER, and Mid's third parameter is optional,
which when missing means 'to the end of the string'.

Const gcsAllowedUser = "DLang; DLowe; DWood;"

' Redirect anyone whose name is not in the list
If Instr(gcsAllowedUser, GetUser() & ";") = 0 Then
    Response.Redirect("http://swvtc06/swvtc/default.asp")
End If

If you want to restrict a set of pages then put the above code in an ASP
page of its own, say priviledged.asp in the root of your web then in each
page you want to protect:-

<!-- #include virtual="/priviledged.asp" -->
 
Drew

Anthony Jones said:
First let's deal with that user name thing:-

Function GetUser()

    ' LOGON_USER is DOMAIN\user; keep only the part after the backslash
    sLogon = Request.ServerVariables("LOGON_USER")

    GetUser = Mid(sLogon, InStr(sLogon, "\") + 1)

End Function

Note no Set when getting LOGON_USER, and Mid's third parameter is optional,
which when missing means 'to the end of the string'.

Const gcsAllowedUser = "DLang; DLowe; DWood;"

' Redirect anyone whose name is not in the list
If Instr(gcsAllowedUser, GetUser() & ";") = 0 Then
    Response.Redirect("http://swvtc06/swvtc/default.asp")
End If

If you want to restrict a set of pages then put the above code in an ASP
page of its own, say priviledged.asp in the root of your web then in each
page you want to protect:-

<!-- #include virtual="/priviledged.asp" -->

Thanks Anthony, that looks to work great... I don't use this on all pages,
just a few and this will work great!

Thanks,
Drew
 
Jeff Dillon

I would store usernames in a database instead of an array in an ASP page
that you would have to maintain.

Jeff
 
Drew

I agree, although this is just for testing, after I have already assigned
permissions to the DB, and I want to allow a few users to test the
application before releasing it. The process to assign permissions is out
of my hands, and takes a lot longer than it should (I have to submit form
after form to do it, and I would rather not do that for testing)...

Thanks,
Drew
 
Jeff Dillon

You could just use NT permissions too, at the IIS or File System level.

Create a local group on the server, and add the appropriate users to it.

Jeff
 
Drew

Jeff Dillon said:
You could just use NT permissions too, at the IIS or File System level.

Create a local group on the server, and add the appropriate users to it.

Jeff

Very true, but as I said in an earlier message, setting permissions is
easier said than done... the hoops they make me jump through are terrible!

Drew
 
Daniel Crichton

Anthony wrote on Wed, 19 Mar 2008 16:41:11 -0000:
First let's deal with that user name thing:-
Function GetUser()
    ' LOGON_USER is DOMAIN\user; keep only the part after the backslash
    sLogon = Request.ServerVariables("LOGON_USER")
    GetUser = Mid(sLogon, InStr(sLogon, "\") + 1)
End Function
Note no Set when getting LOGON_USER, and Mid's third parameter is optional,
which when missing means 'to the end of the string'.
Const gcsAllowedUser = "DLang; DLowe; DWood;"
' Redirect anyone whose name is not in the list
If Instr(gcsAllowedUser, GetUser() & ";") = 0 Then
    Response.Redirect("http://swvtc06/swvtc/default.asp")
End If
If you want to restrict a set of pages then put the above code in an ASP
page of its own, say priviledged.asp in the root of your web then in each
page you want to protect:-

If a username that is a substring of an allowed name, for example Lowe or
Wood, is added to the system, they'll be allowed access too without being
added to the gcsAllowedUser list ...

While it should work for a simple setup, I just wanted to point out a
possible pitfall of using this method on a wider scale.
 
Bob Barrows [MVP]

Daniel said:
If a username that is a substring of an allowed name, for example
Lowe or Wood, is added to the system, they'll be allowed access too
without being added to the gcsAllowedUser list ...

This modification should remove that problem:

Const gcsAllowedUser = ";DLang;DLowe;DWood;"
' Wrap the name in delimiters so that only a whole entry can match
If Instr(gcsAllowedUser, ";" & GetUser() & ";") = 0 Then

Of course, if your network is allowing duplicate user ids, then you have
another problem.
If users from multiple domain names are possible (thus raising the
likelihood of duplicate user ids), then you need to stop removing the
domain from logon_user and include the domains in gcsAllowedUser:
Const gcsAllowedUser = ";dc1\DLang;dc1\DLowe;dc2\DLowe;"
 
Anthony Jones

--
Anthony Jones - MVP ASP/ASP.NET
Daniel Crichton said:
Anthony wrote on Wed, 19 Mar 2008 16:41:11 -0000:

If a username that is a substring of an allowed name, for example Lowe or
Wood, is added to the system, they'll be allowed access too without being
added to the gcsAllowedUser list ...

While it should work for a simple setup, I just wanted to point out a
possible pitfall of using this method on a wider scale.


Dan, nice catch. Although I wouldn't recommend this sort of thing for a
wider scale anyway. A DB and some form of role based security would be a
better general solution.
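
Added example, not part of any post in this thread: Tim Slattery's Dictionary suggestion combined with the exact-match and domain-qualified points raised by Daniel Crichton and Bob Barrows, written as plain VBScript so it runs under cscript. The logon values and the BuildAllowList, IsAllowed and SubstringCheck names are constructed for illustration; in an ASP page the value would come from Request.ServerVariables("LOGON_USER"), and building the dictionary per request sidesteps the question of where to store it.

```vbscript
Option Explicit

' Constructed allow-list: thread names, DOMAIN\user form as in Bob's last example.
Const ALLOWED_CSV = "dc1\DLang;dc1\DLowe;dc2\DLowe"
' The delimiter-terminated list from the thread, used by the substring test.
Const THREAD_LIST = "DLang; DLowe; DWood;"

' Load the list into a hash map keyed on the whole DOMAIN\user string.
Function BuildAllowList(csv)
    Dim dict, entry
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare   ' must be set while the dictionary is empty
    For Each entry In Split(csv, ";")
        If Len(Trim(entry)) > 0 Then dict(Trim(entry)) = True
    Next
    Set BuildAllowList = dict
End Function

' Exact match only. A blank LOGON_USER (anonymous request) is always denied.
Function IsAllowed(dict, logonUser)
    IsAllowed = False
    If Len(logonUser) > 0 Then IsAllowed = dict.Exists(logonUser)
End Function

' The substring test discussed in the thread, kept for comparison.
Function SubstringCheck(logonUser)
    Dim userName
    userName = Mid(logonUser, InStr(logonUser, "\") + 1)
    SubstringCheck = (InStr(THREAD_LIST, userName & ";") > 0)
End Function

Dim allow, sample
Set allow = BuildAllowList(ALLOWED_CSV)

' Constructed LOGON_USER values: case variant, wrong domain, substring name, blank.
For Each sample In Array("DC1\dlowe", "dc2\DLang", "dc1\Lowe", "")
    WScript.Echo "[" & sample & "] exact=" & IsAllowed(allow, sample) & _
        " substring=" & SubstringCheck(sample)
Next
```

The blank value stands for an anonymous request, where LOGON_USER is empty: the substring test lets it through because a lone ";" is always found in the list, while the dictionary lookup denies it. The substring test is also case-sensitive, so it rejects "DC1\dlowe" even though that account is on the list.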
 
