September 6th, 2003, 04:36 AM
Imar (Wrox Author)

Hi Lucian,

It makes sense that customers can see orders from other customers as well in the current implementation. The Restrict Access to Page behavior that Dreamweaver uses does nothing more than see if a customer is logged in, or not. It doesn't distinguish between customers.

The fix, however, is easy. You should make the following changes:

1. On your login page, where you set Session("MM_Username"), also save the Customer ID in a Session variable:

   Session("MM_CustomerID") = ValueFromRecordset

You'll need to add the CustomerID column to the SQL statement so it is retrieved from the database as well.

2. Change the page where you can view the orders. You basically have two options:

  a) Redirect users when they try to view orders they are not allowed to see. I assume you have something like this to check the access:

If Session("MM_Username") <> "" Then
  If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
Add the following lines to that code block:

' Compare as strings: the session value may be numeric while the query string is always text.
If CStr(Session("MM_CustomerID")) <> CStr(Request.QueryString("CustomerID")) Then
    ' A request is made for orders that do not belong to the current customer
    MM_grantAccess = false
End If
This will disallow access to the page when the requested CustomerID does not match the current CustomerID.

  b) Change your SQL statement so it queries just the orders for the current customer:
rsCustomerOrdersOrdersDetails.Source = "SELECT OrderID, OrderDate, SubTotal, " & _
  "ShippingCost, GrandTotal, OrderStatus, CustomerID, LastName, " & _
  "FirstName, CustomerEmail, BillingAddress, BillingCity, " & _
  "BillingStateOrProvince, BillingPostalCode, BillingCountry, " & _
  "BillingPhoneNumber FROM dbo.CustomerOrdersOrdersDetails " & _
  "WHERE CustomerEmail='" & Replace(rsCustomerOrdersOrdersDetails__MMColParam, "'", "''") & _
  "' AND CustomerID = " & CLng(Session("MM_CustomerID"))
  ' MM_CustomerID was stored in the session at login, so the browser cannot change it;
  ' CLng forces it to a number before it is placed in the SQL text.
This will limit the recordset to just the orders that belong to the current customer.

If you have any questions, feel free to ask.



Imar Spaanjaars
Everyone is unique, except for me.
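As an added example that is not part of Imar's post: option (b) written with an ADODB.Command so the customer ID taken from the session is bound as a query parameter rather than concatenated into the SQL string. The connection string name MM_connDB_STRING, the page name login.asp and the reduced column list are assumptions.

```vbscript
<%
' Added example, not code from the original post. Assumes the connection
' string MM_connDB_STRING and the table/column names used in the thread.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Only trust the ID stored in the session at login, never one sent by the
' browser; an empty session value means nobody is logged in.
If Session("MM_CustomerID") = "" Then
  Response.Redirect "login.asp"
End If
Dim custID
custID = CLng(Session("MM_CustomerID"))

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = MM_connDB_STRING   ' assumed connection string
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT OrderID, OrderDate, GrandTotal, OrderStatus " & _
                  "FROM dbo.CustomerOrdersOrdersDetails " & _
                  "WHERE CustomerID = ?"
' The ? placeholder is filled by the provider, so no quoting or escaping is needed.
cmd.Parameters.Append cmd.CreateParameter("CustomerID", adInteger, adParamInput, , custID)

Dim rs
Set rs = cmd.Execute

' Every row returned belongs to the logged-in customer by construction.
Do While Not rs.EOF
  Response.Write rs("OrderID") & " " & rs("OrderDate") & " " & rs("OrderStatus") & "<br>"
  rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Combining this with the check from option (a) is reasonable, but with the query scoped to the session value a CustomerID in the query string no longer decides which orders are shown.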