Restrict Access to certain pages

[David]

NetTalk 4.29

On the Advanced tab of a nettalk procedure, there is a checkbox indicating that the user must be logged in before they can see the page.  Is there a way to perform a check and then re-direct if the check fails?  If not...

Bruce, please consider adding two additional prompts to the Advanced tab.

Prompt 1: a entry field where I can set my own criteria ex. if use:admin = False
Prompt 2: what page to display if prompt 1 fails

[ccordes]

Relatively easy -
Have some rights levels set up in your user database.
When the user logs in, you have the user record available. Set a session value like Rights to the user's level.
Usually restricting access to a page is done by hiding the link to that page rather than leaving the link and then having to stop the user with a 'You're not allowed here' page.
So you will see conditional statements on most field and link entries like in the menu system.
In any of the condition statements to hide fields or to hide the link to the page you put if p_web.gsv('CurrentRights') > somelevel

You can also add something like thsi to your procedure setup embed -
If p_web.GSV('rights') <> 3
     AccessErrorPage(p_web)
     return
end

AccessErrorPage would be some netwebpage procedure with a message.


HTH,
chris

[David]

Chris,

Thanks for your reply.  Yes, I have all the pages I do not want people visiting hidden via the menu and IF conditions that NetTalk has available.  However, if someone logs into the website as a base user and then types the ULR http://MyWebService/admin/createusers.html there is no control that says the user is not an administrator.

I have setup access rigths for the users and check the rights before displaying menu options, but as stated above, there is nothing stopping a user from typing the url directly in.

I will give your suggestion of embedding code into the procedure setup.  If I have to do that on every page I want to protect, then it is probably a good candidate for the template 

[ccordes]

You raise a great question.
In testing this, the person would need to include a session Id for a valid(active) session.
So if he uses his own sessionId bingo! he's in.
I will make a template of this today. because I know I will need it too.
Thanks for the hack. I usually depend on my brother to do that.

chris

[Bruce]

Version 4.30 has support for Access Levels.

Cheers
Bruce

[ccordes]

Great!
I added it too as a single access condition right after the User needs to login and errorpage name.
I will probably shift to yours when it gets released.

chris

[Mike Grigsby]

Along these lines, I can't find anything in the docs that say exactly what constitutes the user being logged in. What does that check box look for?

Also, I thought it might be something to do with: p_web.ValidateLogin() but I can't find any reference to how this is used either, except for example 7, but it doesn't say how it works.

[Bruce]

Mike,

Every user who connects to the server initiates a session. This session exists regardless of whether they are logged in or not.

Each session can be set as "logged in" or as "not logged in".
To change the setting for a session use
p_web.SetSessionLLoggedIn(true) or
p_web.SetSessionLLoggedIn(false)

there is an alternative method
p_web.ValidateLogin() which is eactly the same as
p_web.SetSessionLLoggedIn(true)

When the template has the option "user must be logged in" then it adds a line of code

  If p_web.GetSessionLoggedIn() = 0
    Return
  End

thus preventing the procedure from running.
Depending on the situation the login screen may be displayed automatically.

Cheers
Bruce