With Magnus' help, I am now that I'm able to capture my users' intranet login ID when they submit a ticket by using an existing session variable and passing it to the TTX application. I do this by routing them through a restricted "menu" page with a hidden form that reads the session variable and passes it to the ttx.cgi page via URL. Now I need to make sure they don't access the newticket form directly, since the login ID doesn't get captured and passed that way.
The menu page uses Dreamweaver's "Restrict Access to Page" behavior:
<%@LANGUAGE="VBSCRIPT"%>
<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="ADMINISTRATOR,TL-ADMIN,MGR-DISP,MGR-OP,MGR-ACCT,TL-SP"
MM_authFailedURL="../../Security/no_access.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
(InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
MM_grantAccess = true
End If
End If
If Not MM_grantAccess Then
MM_qsChar = "?"
If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
MM_referrer = Request.ServerVariables("URL")
if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
Response.Redirect(MM_authFailedURL)
End If
%>
I would have liked to be able to restrict access to the newticket page as well, but to my knowledge, I can only protect ASP pages. Is there a workaround that anyone's aware of? Any way to modify newticket.html or ttx.cgi?
A larger problem is that a percentage of my users have bookmarked the ttx.cgi page and access it directly, thus bypassing my "menu" page and its hidden form. Consequently, their login ID is never passed to the application. Can anyone help me devise a way to keep them from accessing the page directly like this?
Thanks!
- Mark
