Use array to limit access

Discussion in 'ASP General' started by Drew, Mar 19, 2008.

  1. Drew

    Drew Guest

    I am trying to limit access to certain pages on our intranet, and have been
    using the following code to do so,

    dim Login, L, LL, StringLen, NTUser
    Set Login = Request.ServerVariables("LOGON_USER")
    L=Len(Login)
    LL=InStr(Login, "\")
    StringLen=L-LL
    NTUser = (Right(Login, StringLen))

    If NTUser <> "DLaing" Then
    If NTUser <> "DLowe" Then
    If NTUser <> "DWoods" Then
    Response.Redirect("http://swvtc06/swvtc/default.asp")
    End If
    End If
    End If

    The problem is that if I want to add more users to have access to the page,
    then I have to add another IF and END IF line. I would like to implement
    some way to do this using an array. For instance put the usernames into the
    array and then if it matches then allow access, if not then redirect. I
    know this is not a bulletproof way to do this, and there are more robust
    methods, but this works very well for our user base and our needs. I am
    having a really bad case of brain block, and cannot, for the life of me,
    figure this out.

    Thanks,
    Drew
    Drew, Mar 19, 2008
    #1

  2. Drew

    Tim Slattery Guest

    "Drew" <> wrote:

    >I am trying to limit access to certain pages on our intranet, and have been
    >using the following code to do so,
    >
    >dim Login, L, LL, StringLen, NTUser
    >Set Login = Request.ServerVariables("LOGON_USER")
    >L=Len(Login)
    >LL=InStr(Login, "\")
    >StringLen=L-LL
    >NTUser = (Right(Login, StringLen))
    >
    >If NTUser <> "DLaing" Then
    > If NTUser <> "DLowe" Then
    > If NTUser <> "DWoods" Then
    > Response.Redirect("http://swvtc06/swvtc/default.asp")
    > End If
    > End If
    >End If
    >
    >The problem is that if I want to add more users to have access to the page,
    >then I have to add another IF and END IF line. I would like to implement
    >some way to do this using an array. For instance put the usernames into the
    >array and then if it matches then allow access, if not then redirect. I
    >know this is not a bulletproof way to do this, and there are more robust
    >methods, but this works very well for our user base and our needs. I am
    >having a really bad case of brain block, and cannot, for the life of me,
    >figure this out.


    I'd recommend using the Dictionary object (Set xxx =
    CreateObject("Scripting.Dictionary")), which is a hash map. Put your
    allowed userids in a file. When the application starts, read the file
    and use it to load the dictionary. Then when a user comes in, just
    check to see if the userid is in the dictionary.

    Here's a tutorial: http://www.asptutorial.info/learn/Dictionary.asp

    --
    Tim Slattery
    MS MVP(Shell/User)

    http://members.cox.net/slatteryt
    Tim Slattery, Mar 19, 2008
    #2

  3. "Tim Slattery" <> wrote in message
    news:...
    > "Drew" <> wrote:
    >
    > >I am trying to limit access to certain pages on our intranet, and have
    > >been using the following code to do so,
    > >
    > >dim Login, L, LL, StringLen, NTUser
    > >Set Login = Request.ServerVariables("LOGON_USER")
    > >L=Len(Login)
    > >LL=InStr(Login, "\")
    > >StringLen=L-LL
    > >NTUser = (Right(Login, StringLen))
    > >
    > >If NTUser <> "DLaing" Then
    > > If NTUser <> "DLowe" Then
    > > If NTUser <> "DWoods" Then
    > > Response.Redirect("http://swvtc06/swvtc/default.asp")
    > > End If
    > > End If
    > >End If
    > >
    > >The problem is that if I want to add more users to have access to the
    > >page, then I have to add another IF and END IF line. I would like to implement
    > >some way to do this using an array. For instance put the usernames into
    > >the array and then if it matches then allow access, if not then redirect. I
    > >know this is not a bulletproof way to do this, and there are more robust
    > >methods, but this works very well for our user base and our needs. I am
    > >having a really bad case of brain block, and cannot, for the life of me,
    > >figure this out.

    >
    > I'd recommend using the Dictionary object (Set xxx =
    > CreateObject("Scripting.Dictionary"), which is a hash map. Put your
    > allowed userids in a file. When the application starts, read the file
    > and use it to load the dictionary. Then when a user comes in, just
    > check to see if the userid is in the dictionary.
    >


    Where would you suggest the dictionary be stored??

    --
    Anthony Jones - MVP ASP/ASP.NET
    Anthony Jones, Mar 19, 2008
    #3
  4. "Drew" <> wrote in message
    news:...
    > I am trying to limit access to certain pages on our intranet, and have
    > been using the following code to do so,
    >
    > dim Login, L, LL, StringLen, NTUser
    > Set Login = Request.ServerVariables("LOGON_USER")
    > L=Len(Login)
    > LL=InStr(Login, "\")
    > StringLen=L-LL
    > NTUser = (Right(Login, StringLen))
    >
    > If NTUser <> "DLaing" Then
    > If NTUser <> "DLowe" Then
    > If NTUser <> "DWoods" Then
    > Response.Redirect("http://swvtc06/swvtc/default.asp")
    > End If
    > End If
    > End If
    >
    > The problem is that if I want to add more users to have access to the
    > page, then I have to add another IF and END IF line. I would like to implement
    > some way to do this using an array. For instance put the usernames into
    > the array and then if it matches then allow access, if not then redirect. I
    > know this is not a bulletproof way to do this, and there are more robust
    > methods, but this works very well for our user base and our needs. I am
    > having a really bad case of brain block, and cannot, for the life of me,
    > figure this out.
    >



    First let's deal with that user name thing:-

    Function GetUser()

        Dim sLogon
        sLogon = Request.ServerVariables("LOGON_USER")

        ' Start one character past the backslash so only the account name is returned
        GetUser = Mid(sLogon, InStr(sLogon, "\") + 1)

    End Function

    Note no Set when getting LOGON_USER and Mid third parameter is optional
    which when missing means 'to the end of the string'.

    Const gcsAllowedUser = "DLang; DLowe; DWood;"

    ' Redirect anyone whose account name is not found in the list
    If InStr(gcsAllowedUser, GetUser() & ";") = 0 Then
        Response.Redirect("http://swvtc06/swvtc/default.asp")
    End If

    If you want to restrict a set of pages then put the above code in an ASP
    page of its own, say priviledged.asp in the root of your web then in each
    page you want to protect:-

    <!-- #include virtual="/priviledged.asp" -->


    --
    Anthony Jones - MVP ASP/ASP.NET
    Anthony Jones, Mar 19, 2008
    #4
  5. Drew

    Drew Guest

    "Anthony Jones" <> wrote in message
    news:...
    > "Drew" <> wrote in message
    > news:...
    >> I am trying to limit access to certain pages on our intranet, and have
    >> been using the following code to do so,
    >>
    >> dim Login, L, LL, StringLen, NTUser
    >> Set Login = Request.ServerVariables("LOGON_USER")
    >> L=Len(Login)
    >> LL=InStr(Login, "\")
    >> StringLen=L-LL
    >> NTUser = (Right(Login, StringLen))
    >>
    >> If NTUser <> "DLaing" Then
    >> If NTUser <> "DLowe" Then
    >> If NTUser <> "DWoods" Then
    >> Response.Redirect("http://swvtc06/swvtc/default.asp")
    >> End If
    >> End If
    >> End If
    >>
    >> The problem is that if I want to add more users to have access to the
    >> page, then I have to add another IF and END IF line. I would like to implement
    >> some way to do this using an array. For instance put the usernames into
    >> the array and then if it matches then allow access, if not then redirect. I
    >> know this is not a bulletproof way to do this, and there are more robust
    >> methods, but this works very well for our user base and our needs. I am
    >> having a really bad case of brain block, and cannot, for the life of me,
    >> figure this out.
    >>

    >
    >
    > First lets deal with that user name thing:-
    >
    > Function GetUser()
    >
    > sLogon = Request.ServerVariables("LOGON_USER")
    >
    > GetUser = Mid(sLogon, InStr(sLogon, "\"))
    >
    > End Function
    >
    > Note no Set when getting LOGON_USER and Mid third parameter is optional
    > which when missing means 'to the end of the string'.
    >
    > Const gcsAllowedUser = "DLang; DLowe; DWood;"
    >
    > If Instr(gcsAllowedUsers, GetUser() & ";") = 0 Then
    > Response.Redirect("http://swvtc06/swvtc/default.asp")
    > End If
    >
    > If you want to restrict a set of pages then put the above code in an ASP
    > page of its own, say priviledged.asp in the root of your web then in each
    > page you want to protect:-
    >
    > <!-- #include virtual="/priviledged.asp" -->
    >
    >
    > --
    > Anthony Jones - MVP ASP/ASP.NET


    Thanks Anthony, that looks to work great... I don't use this on all pages,
    just a few and this will work great!

    Thanks,
    Drew
    Drew, Mar 19, 2008
    #5
  6. Drew

    Jeff Dillon Guest

    I would store usernames in a database instead of an array in an ASP page
    that you would have to maintain.

    Jeff

    "Drew" <> wrote in message
    news:...
    >I am trying to limit access to certain pages on our intranet, and have been
    >using the following code to do so,
    >
    > dim Login, L, LL, StringLen, NTUser
    > Set Login = Request.ServerVariables("LOGON_USER")
    > L=Len(Login)
    > LL=InStr(Login, "\")
    > StringLen=L-LL
    > NTUser = (Right(Login, StringLen))
    >
    > If NTUser <> "DLaing" Then
    > If NTUser <> "DLowe" Then
    > If NTUser <> "DWoods" Then
    > Response.Redirect("http://swvtc06/swvtc/default.asp")
    > End If
    > End If
    > End If
    >
    > The problem is that if I want to add more users to have access to the
    > page, then I have to add another IF and END IF line. I would like to
    > implement some way to do this using an array. For instance put the
    > usernames into the array and then if it matches then allow access, if not
    > then redirect. I know this is not a bulletproof way to do this, and there
    > are more robust methods, but this works very well for our user base and
    > our needs. I am having a really bad case of brain block, and cannot, for
    > the life of me, figure this out.
    >
    > Thanks,
    > Drew
    >
    Jeff Dillon, Mar 19, 2008
    #6
  7. Drew

    Drew Guest

    I agree, although this is just for testing, after I have already assigned
    permissions to the DB, and I want to allow a few users to test the
    application before releasing it. The process to assign permissions is out
    of my hands, and takes a lot longer than it should (I have to submit form
    after form to do it, and I would rather not do that for testing)...

    Thanks,
    Drew

    "Jeff Dillon" <> wrote in message
    news:...
    >I would store usernames in a database instead of an array in an ASP page
    >that you would have to maintain.
    >
    > Jeff
    >
    > "Drew" <> wrote in message
    > news:...
    >>I am trying to limit access to certain pages on our intranet, and have
    >>been using the following code to do so,
    >>
    >> dim Login, L, LL, StringLen, NTUser
    >> Set Login = Request.ServerVariables("LOGON_USER")
    >> L=Len(Login)
    >> LL=InStr(Login, "\")
    >> StringLen=L-LL
    >> NTUser = (Right(Login, StringLen))
    >>
    >> If NTUser <> "DLaing" Then
    >> If NTUser <> "DLowe" Then
    >> If NTUser <> "DWoods" Then
    >> Response.Redirect("http://swvtc06/swvtc/default.asp")
    >> End If
    >> End If
    >> End If
    >>
    >> The problem is that if I want to add more users to have access to the
    >> page, then I have to add another IF and END IF line. I would like to
    >> implement some way to do this using an array. For instance put the
    >> usernames into the array and then if it matches then allow access, if not
    >> then redirect. I know this is not a bulletproof way to do this, and
    >> there are more robust methods, but this works very well for our user base
    >> and our needs. I am having a really bad case of brain block, and cannot,
    >> for the life of me, figure this out.
    >>
    >> Thanks,
    >> Drew
    >>

    >
    >
    Drew, Mar 19, 2008
    #7
  8. Drew

    Jeff Dillon Guest

    You could just use NT permissions too, at the IIS or File System level.

    Create a local group on the server, and add the appropriate users to it.

    Jeff

    "Drew" <> wrote in message
    news:...
    >I agree, although this is just for testing, after I have already assigned
    >permissions to the DB, and I want to allow a few users to test the
    >application before releasing it. The process to assign permissions is out
    >of my hands, and takes a lot longer than it should (I have to submit form
    >after form to do it, and I would rather not do that for testing)...
    >
    > Thanks,
    > Drew
    >
    > "Jeff Dillon" <> wrote in message
    > news:...
    >>I would store usernames in a database instead of an array in an ASP page
    >>that you would have to maintain.
    >>
    >> Jeff
    >>
    >> "Drew" <> wrote in message
    >> news:...
    >>>I am trying to limit access to certain pages on our intranet, and have
    >>>been using the following code to do so,
    >>>
    >>> dim Login, L, LL, StringLen, NTUser
    >>> Set Login = Request.ServerVariables("LOGON_USER")
    >>> L=Len(Login)
    >>> LL=InStr(Login, "\")
    >>> StringLen=L-LL
    >>> NTUser = (Right(Login, StringLen))
    >>>
    >>> If NTUser <> "DLaing" Then
    >>> If NTUser <> "DLowe" Then
    >>> If NTUser <> "DWoods" Then
    >>> Response.Redirect("http://swvtc06/swvtc/default.asp")
    >>> End If
    >>> End If
    >>> End If
    >>>
    >>> The problem is that if I want to add more users to have access to the
    >>> page, then I have to add another IF and END IF line. I would like to
    >>> implement some way to do this using an array. For instance put the
    >>> usernames into the array and then if it matches then allow access, if
    >>> not then redirect. I know this is not a bulletproof way to do this, and
    >>> there are more robust methods, but this works very well for our user
    >>> base and our needs. I am having a really bad case of brain block, and
    >>> cannot, for the life of me, figure this out.
    >>>
    >>> Thanks,
    >>> Drew
    >>>

    >>
    >>

    >
    >
    Jeff Dillon, Mar 19, 2008
    #8
  9. Drew

    Drew Guest

    "Jeff Dillon" <> wrote in message
    news:...
    > You could just use NT permissions too, at the IIS or File System level.
    >
    > Create a local group on the server, and add the appropriate users to it.
    >
    > Jeff


    Very true, but as I said in an earlier message, setting permissions is
    easier said than done... the hoops they make me jump through are terrible!

    Drew
    Drew, Mar 19, 2008
    #9
  10. Drew

    Tim Slattery Guest

    "Anthony Jones" <> wrote:


    >Where would you suggest the dictionary be stored??


    Application object

    --
    Tim Slattery
    MS MVP(Shell/User)

    http://members.cox.net/slatteryt
    Tim Slattery, Mar 19, 2008
    #10
  11. "Tim Slattery" <> wrote in message
    news:...
    > "Anthony Jones" <> wrote:
    >
    >
    > >Where would you suggest the dictionary be stored??

    >
    > Application object
    >


    The application object will not accept Single threaded objects such as the
    dictionary object.

    --
    Anthony Jones - MVP ASP/ASP.NET
    Anthony Jones, Mar 19, 2008
    #11
  12. Anthony wrote on Wed, 19 Mar 2008 16:41:11 -0000:

    > "Drew" <> wrote in message
    > news:...
    >> I am trying to limit access to certain pages on our intranet, and
    >> have been using the following code to do so,


    >> dim Login, L, LL, StringLen, NTUser
    >> Set Login = Request.ServerVariables("LOGON_USER")
    >> L=Len(Login)
    >> LL=InStr(Login, "\")
    >> StringLen=L-LL
    >> NTUser = (Right(Login, StringLen))


    >> If NTUser <> "DLaing" Then
    >> If NTUser <> "DLowe" Then
    >> If NTUser <> "DWoods" Then
    >> Response.Redirect("http://swvtc06/swvtc/default.asp")
    >> End If
    >> End If
    >> End If


    >> The problem is that if I want to add more users to have access to the
    >> page, then I have to add another IF and END IF line. I would like to
    >> implement some way to do this using an array. For instance put the
    >> usernames into the
    >> array and then if it matches then allow access, if not then redirect.
    >> I know this is not a bulletproof way to do this, and there are more
    >> robust methods, but this works very well for our user base and our
    >> needs. I am having a really bad case of brain block, and cannot, for
    >> the life of me, figure this out.




    > First lets deal with that user name thing:-


    > Function GetUser()


    > sLogon = Request.ServerVariables("LOGON_USER")


    > GetUser = Mid(sLogon, InStr(sLogon, "\"))


    > End Function


    > Note no Set when getting LOGON_USER and Mid third parameter is optional
    > which when missing means 'to the end of the string'.


    > Const gcsAllowedUser = "DLang; DLowe; DWood;"


    > If Instr(gcsAllowedUsers, GetUser() & ";") = 0 Then
    > Response.Redirect("http://swvtc06/swvtc/default.asp")
    > End If


    > If you want to restrict a set of pages then put the above code in an ASP
    > page of its own, say priviledged.asp in the root of your web then in each
    > page you want to protect:-


    If a username that is a substring of an allowed name, for example Lowe or
    Wood, is added to the system, they'll be allowed access too without being
    added to the gcsAllowedUser list ...

    While it should work for a simple setup, I just wanted to point out a
    possible pitfall of using this method on a wider scale.

    --
    Dan
    Daniel Crichton, Mar 20, 2008
    #12
  13. Daniel Crichton wrote:
    >
    >> Const gcsAllowedUser = "DLang; DLowe; DWood;"

    >
    >> If Instr(gcsAllowedUsers, GetUser() & ";") = 0 Then
    >> Response.Redirect("http://swvtc06/swvtc/default.asp")
    >> End If

    >
    >> If you want to restrict a set of pages then put the above code in an
    >> ASP page of its own, say priviledged.asp in the root of your web
    >> then in each page you want to protect:-

    >
    > If a username that is a substring of an allowed name, for example
    > Lowe or Wood, is added to the system, they'll be allowed access too
    > without being added to the gcsAllowedUser list ...
    >


    This modification should remove that problem:

    Const gcsAllowedUser = ";DLang;DLowe;DWood;"
    If InStr(gcsAllowedUser, ";" & GetUser() & ";") = 0 Then
        Response.Redirect("http://swvtc06/swvtc/default.asp")
    End If

    Of course, if your network is allowing duplicate user ids, then you have
    another problem.
    If users from multiple domain names are possible (thus raising the
    likelihood of duplicate user ids), then you need to stop removing the
    domain from logon_user and include the domains in gcsAllowedUser:
    Const gcsAllowedUser = ";dc1\DLang;dc1\DLowe;dc2\DLowe;"




    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Mar 20, 2008
    #13
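
The checks discussed in this thread, side by side, as an added example that is not any poster's code: the substring test, the delimited test, and an exact match on the full DOMAIN\user value in a Scripting.Dictionary. It runs as a stand-alone script under cscript; the function names and test logons are constructed for illustration, the case-insensitive comparison is an addition (Windows account names are not case-sensitive), and in an ASP page the value passed in would be Request.ServerVariables("LOGON_USER").

```vbscript
Option Explicit

' Constructed lists: account names as posted in the thread.
Const NAIVE_LIST = "DLang; DLowe; DWood;"
Const DELIMITED_LIST = ";DLang;DLowe;DWood;"

' "dc1\DLowe" -> "DLowe"; a value without a backslash is returned whole.
Function AccountName(sLogon)
    AccountName = Mid(sLogon, InStr(sLogon, "\") + 1)
End Function

' Substring test: "Lowe;" is found inside "DLowe;", and an empty
' LOGON_USER (anonymous request) reduces the search term to ";".
Function NaiveAllowed(sLogon)
    NaiveAllowed = (InStr(NAIVE_LIST, AccountName(sLogon) & ";") > 0)
End Function

' Delimiter on both sides of the name. Empty names and names that
' contain the delimiter are rejected before the search.
Function DelimitedAllowed(sLogon)
    Dim sUser
    sUser = AccountName(sLogon)
    DelimitedAllowed = False
    If Len(sUser) = 0 Or InStr(sUser, ";") > 0 Then Exit Function
    DelimitedAllowed = (InStr(1, DELIMITED_LIST, ";" & sUser & ";", vbTextCompare) > 0)
End Function

' Exact match on the full DOMAIN\user value in a Scripting.Dictionary.
Function BuildAllowList(aNames)
    Dim d, i
    Set d = CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare   ' set before the first key is added
    For i = 0 To UBound(aNames)
        d(aNames(i)) = True
    Next
    Set BuildAllowList = d
End Function

Function ExactAllowed(dAllow, sLogon)
    ExactAllowed = False
    If Len(sLogon) > 0 Then ExactAllowed = dAllow.Exists(sLogon)
End Function

' Constructed test logons; dc1/dc2 are the sample domains used above.
Dim dAllow, sLogon
Set dAllow = BuildAllowList(Array("dc1\DLang", "dc1\DLowe", "dc2\DLowe"))
For Each sLogon In Array("dc1\DLowe", "dc1\Lowe", "dc2\DLang", "DC1\dlowe", "")
    WScript.Echo "[" & sLogon & "] naive=" & NaiveAllowed(sLogon) & _
        " delimited=" & DelimitedAllowed(sLogon) & _
        " exact=" & ExactAllowed(dAllow, sLogon)
Next
```

The dictionary is rebuilt on each run rather than cached, which sidesteps the Application-object restriction raised earlier in the thread.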
  14. Drew

    Jeff Dillon Guest

    So you don't have console access to the server?

    Jeff
    "Drew" <> wrote in message
    news:%...
    > "Jeff Dillon" <> wrote in message
    > news:...
    >> You could just use NT permissions too, at the IIS or File System level.
    >>
    >> Create a local group on the server, and add the appropriate users to it.
    >>
    >> Jeff

    >
    > Very true, but as I said in an earlier message, setting permissions is
    > easier said than done... the hoops they make me jump through are terrible!
    >
    > Drew
    >
    Jeff Dillon, Mar 20, 2008
    #14
  15. --
    Anthony Jones - MVP ASP/ASP.NET
    "Daniel Crichton" <> wrote in message
    news:%...
    > Anthony wrote on Wed, 19 Mar 2008 16:41:11 -0000:
    >
    > > "Drew" <> wrote in message
    > > news:...
    > >> I am trying to limit access to certain pages on our intranet, and
    > >> have been using the following code to do so,

    >
    > >> dim Login, L, LL, StringLen, NTUser
    > >> Set Login = Request.ServerVariables("LOGON_USER")
    > >> L=Len(Login)
    > >> LL=InStr(Login, "\")
    > >> StringLen=L-LL
    > >> NTUser = (Right(Login, StringLen))

    >
    > >> If NTUser <> "DLaing" Then
    > >> If NTUser <> "DLowe" Then
    > >> If NTUser <> "DWoods" Then
    > >> Response.Redirect("http://swvtc06/swvtc/default.asp")
    > >> End If
    > >> End If
    > >> End If

    >
    > >> The problem is that if I want to add more users to have access to the
    > >> page, then I have to add another IF and END IF line. I would like to
    > >> implement some way to do this using an array. For instance put the
    > >> usernames into the
    > >> array and then if it matches then allow access, if not then redirect.
    > >> I know this is not a bulletproof way to do this, and there are more
    > >> robust methods, but this works very well for our user base and our
    > >> needs. I am having a really bad case of brain block, and cannot, for
    > >> the life of me, figure this out.

    >
    >
    >
    > > First lets deal with that user name thing:-

    >
    > > Function GetUser()

    >
    > > sLogon = Request.ServerVariables("LOGON_USER")

    >
    > > GetUser = Mid(sLogon, InStr(sLogon, "\"))

    >
    > > End Function

    >
    > > Note no Set when getting LOGON_USER and Mid third parameter is optional
    > > which when missing means 'to the end of the string'.

    >
    > > Const gcsAllowedUser = "DLang; DLowe; DWood;"

    >
    > > If Instr(gcsAllowedUsers, GetUser() & ";") = 0 Then
    > > Response.Redirect("http://swvtc06/swvtc/default.asp")
    > > End If

    >
    > > If you want to restrict a set of pages then put the above code in an ASP
    > > page of its own, say priviledged.asp in the root of your web then in
    > > each page you want to protect:-

    >
    > If a username that is a substring of an allowed name, for example Lowe or
    > Wood, is added to the system, they'll be allowed access too without being
    > added to the gcsAllowedUser list ...
    >
    > While it should work for a simple setup, I just wanted to point out a
    > possible pitfall of using this method on a wider scale.
    >



    Dan, nice catch. Although I wouldn't recommend this sort of thing for a
    wider scale anyway. A DB and some form of role based security would be a
    better general solution.

    --
    Anthony Jones - MVP ASP/ASP.NET
    Anthony Jones, Mar 20, 2008
    #15
