The declarative file can be stored off the web root to prevent hacking,
although I don't see that knowing that "admin" has permission to access
the "user" circuit (for example) is much of a security risk. I think,
though, that you could also put these definitions in a database.

-----Original Message-----
From: Michael Porter [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 6:36 PM
To: [EMAIL PROTECTED]
Subject: RE: FuseQ and Security


that makes sense.  right now I store the security in the database and
read it in to a structure for comparison.  What are the possibilities
that someone could read the file and spoof the variables and get to
areas they should not?

this intrigues me as I have built a security module and am always
looking for ways to improve it.

At 06:21 PM 5/20/2002 -0400, you wrote:
>Michael,
>
>All the file does is declare what security roles are required for 
>circuit access and/or fuseaction access where you wish to apply 
>security. The actual assignment of roles and checking for permissions 
>is done in code.
>
>-----Original Message-----
>From: Michael Porter [mailto:[EMAIL PROTECTED]]
>Sent: Monday, May 20, 2002 6:14 PM
>To: [EMAIL PROTECTED]
>Subject: RE: FuseQ and Security
>
>
>why would you put security in a file? could someone not just download
>the INI and read what you got?  I know you can "hide" this and use
>CFcontent to read it but not all shared hosting allows for CFcontent
>and on some the root FTP is the Root web so you do not have a sub
>folder to read from.
>
>Just something to think about.
>
>At 03:06 PM 5/20/2002 -0500, you wrote:
>
> >Hal has been playing around with a security scheme that makes use of
> >a single .ini file, but I am not sure if this was a left over hook
> >for it or if it is something else.   I don't believe the core file is
> >limited to windows - besides, why would a FuseBox core file need to
> >see the windows system.ini file?
> >
> >Hal, have you had a chance to finish the security scheme you were 
> >talking about a couple of weeks ago?
> >
> >-- Jeff
> >
> >
> >-----Original Message-----
> >From: Timothy Heald [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, May 20, 2002 2:58 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: FuseQ and Security
> >
> >
> >Question,
> >         Is the system.ini this refers to the one in the winnt folder
> >on Windows 2000?  If it is are these core files Windows only?  I am
> >just wondering, I have downloaded both the extension core files but
> >not found the time to play with them yet, but WIN only stuff I cannot
> >use, we run on Solaris 8.
> >
> >Tim Heald
> >ACP/CCFD :)
> >Application Development
> >www.schoollink.net
> >
> > > -----Original Message-----
> > > From: Marlon Moyer [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, May 20, 2002 3:46 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: FuseQ and Security
> > >
> > >
> > > I was looking over the FuseQ core file and noticed a UDF called
> > > isPermitted().  This function uses the file System.ini, but I
> > > cannot find the format for creating this file.
> > >
> > > Marlon
> > > '
> > >
> > >
> >
>
>
>end
>***********************************************************
>You can have it good
>You can have it cheap
>You can have it quick
>Pick two
>
>- Sign in a studio I worked in once.
>***********************************************************
>Michael "Maxx" Porter
>Advanced Macromedia ColdFusion 5.0 Certified Developer
>
>mailto:[EMAIL PROTECTED]
>


end
***********************************************************
You can have it good
You can have it cheap
You can have it quick
Pick two

- Sign in a studio I worked in once.
***********************************************************
Michael "Maxx" Porter
Advanced Macromedia ColdFusion 5.0 Certified Developer

mailto:[EMAIL PROTECTED]
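
An added example, not part of the thread and not FuseQ's own code: one way to keep a declarative role file off the web root and check circuit/fuseaction access in code with default deny. The INI layout, the function names and the paths are assumptions; the thread never gives the System.ini format.

```python
import configparser
from pathlib import Path

# Constructed sample. This layout is an assumption, not FuseQ's System.ini format.
SAMPLE_INI = """
[circuits]
user = admin, member
admin = admin

[fuseactions]
user.delete = admin
"""

def is_outside_web_root(policy_file, web_root):
    """True when the policy file cannot be served as a static file under web_root."""
    policy = Path(policy_file).resolve()
    root = Path(web_root).resolve()
    return root != policy and root not in policy.parents

def load_policy(text):
    """Parse the declaration into role sets keyed by circuit and circuit.fuseaction."""
    parser = configparser.ConfigParser()  # lower-cases option names by default
    parser.read_string(text)
    policy = {"circuits": {}, "fuseactions": {}}
    for section in policy:
        if parser.has_section(section):
            for name, roles in parser.items(section):
                policy[section][name] = {r.strip() for r in roles.split(",") if r.strip()}
    return policy

def is_permitted(policy, user_roles, circuit, fuseaction):
    """Default deny: undeclared circuits are refused; fuseaction rules narrow the circuit rule."""
    # Roles must come from the server-side session, never from URL or form variables,
    # so reading the declaration gives a visitor nothing to spoof.
    roles = set(user_roles)
    circuit_roles = policy["circuits"].get(circuit.lower())
    if not circuit_roles or not (roles & circuit_roles):
        return False
    action_roles = policy["fuseactions"].get(f"{circuit}.{fuseaction}".lower())
    return action_roles is None or bool(roles & action_roles)
```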
