User Access, Access 2016
 
   
OCM
post Jun 5 2018, 01:26 PM
Post#1



Posts: 154
Joined: 12-September 02
From: Eastern, USA


Hi,

We’ve a login form that was created by a former employee. After noticing that one can access the DB by simply clicking the login button (without entering username and password), I made some modifications to prompt users to enter a username and password to access the DB, which seems to work partially.

I’ve attached a document to show the test result and the area I still need to modify.

Below is part of the code used for the On Click events of the Login and Cancel buttons. Please let me know if I need to post additional code.

CODE
Private Sub cmdLOGIN_Click()

    'Check to see if data is entered into the UserName combo box
    If IsNull(Me.txtUserNm) Or Me.txtUserNm = "" Then
        MsgBox "You must enter a User Name.", vbOKOnly, "Required Data"
        Me.txtUserNm.SetFocus
        Exit Sub
    End If

    'Check to see if data is entered into the password box
    If IsNull(Me.txtPWD) Or Me.txtPWD = "" Then
        MsgBox "You must enter a Password.", vbOKOnly, "Required Data"
        Me.txtPWD.SetFocus
        Exit Sub
    End If

    'Enable certain options on the main menu screen depending on access level
    DoCmd.OpenForm "frmMainMenu"
    If Me.txtPWD Like "SU*" Then
        Forms!frmMainMenu!optMaintenance.Enabled = False
    Else
        If Me.txtPWD Like "US*" Then
            Forms!frmMainMenu!optReports.Enabled = False
            Forms!frmMainMenu!optSuspCase.Enabled = False
            Forms!frmMainMenu!optMaintenance.Enabled = False
        End If
    End If

    Me.Visible = False

End Sub


Private Sub cmdClose_Click()
    'Close the login form and close the database once Cancel is clicked
    On Error GoTo err_cmdClose_Click

    DoCmd.Quit

Exit_cmdClose_Click:
    Exit Sub

err_cmdClose_Click:
    MsgBox Err.Description
    Resume Exit_cmdClose_Click

End Sub

TIA

Regards,
 
cheekybuddha
post Jun 5 2018, 01:36 PM
Post#2


UtterAccess VIP
Posts: 10,465
Joined: 6-December 03
From: Telegraph Hill


Where do you test whether you have a valid username/password combination?
 
OCM
post Jun 5 2018, 01:57 PM
Post#3



Posts: 154
Joined: 12-September 02
From: Eastern, USA


Thanks David,

Are you asking for the code? If so, let me know what event and I’ll post the code.

TIA
Regards,
 
GroverParkGeorge
post Jun 5 2018, 02:43 PM
Post#4


UA Admin
Posts: 33,794
Joined: 20-June 02
From: Newcastle, WA


PMFJI:

It looks like any old string of characters works here. And anyone who uses a pwd starting with the two letters US doesn't get to use certain features. So if I use, for example, SS123 as the password, I validate with your code AND I also get to use the buttons for maintenance, etc.

Is that really what you hope to accomplish?
 
nvogel
post Jun 5 2018, 03:02 PM
Post#5



Posts: 869
Joined: 26-January 14
From: London, UK


It's a very bad idea to do this in your application. Use Windows security, use a secure DBMS but don't try to put up this kind of security facade when in reality you aren't securing anything that way.
 
kfield7
post Jun 6 2018, 07:48 AM
Post#6



Posts: 892
Joined: 12-November 03
From: Iowa Lot


I think (hope) we're not seeing the whole picture here.

It appears certain types of users can, and certain types of users cannot, use these forms, based on the construct of the password (normally this would be applied to a user name or domain - passwords should be set by the user).
That in itself is not necessarily bad, but this routine by itself does not prevent unauthorized users from the system, so I do hope that's done elsewhere, as David is inquiring.

Unless, of course, there are no trust issues whatsoever among any potential users, and this screening is only for convenience.

One philosophy is that passwords are like door locks. They only keep honest people out of the house.
This post has been edited by kfield7: Jun 6 2018, 07:50 AM
 
OCM
post Jun 7 2018, 10:27 AM
Post#7



Posts: 154
Joined: 12-September 02
From: Eastern, USA


 
OCM
post Jun 7 2018, 10:29 AM
Post#8



Posts: 154
Joined: 12-September 02
From: Eastern, USA


Thanks everyone for your feedback:
kfield7

QUOTE
It appears certain types of users can, and certain types of users cannot, use these forms, based on the construct of the password

Correct, based on the construct of the password, certain users can/cannot access certain forms.

QUOTE
(normally this would be applied to a user name or domain - passwords should be set by the user).

No, the password was set by the DB admin.

At this point, users cannot access the DB by simply clicking the login button. What I'm trying to accomplish is the following:
1. If users attempt to click login (without entering credentials) 3 times, I would like a message "please contact your admin..." and to exit the DB.
2. When users enter a valid username but a wrong password, the login button will grey out (after the first try).
a. I would like the login button to be available.
b. Allow users 3 chances to enter the correct password; otherwise, exit the DB.

3. Avoid getting a run-time error; instead, exit the DB. Right now, if I leave the username blank and enter a wrong password, I get Run-time error 2021, and when I click "End" it allows me to access the DB.

TIA

Regards,
 
kfield7
post Jun 7 2018, 03:14 PM
Post#9



Posts: 892
Joined: 12-November 03
From: Iowa Lot


I think I get it, you're basically using the password as a user group.
 
OCM
post Jun 8 2018, 07:49 AM
Post#10



Posts: 154
Joined: 12-September 02
From: Eastern, USA


Yes, you got it. I'm not sure this is the best way to go, but that's how the former employee set it up.

TIA

Regards,
 
GroverParkGeorge
post Jun 8 2018, 09:41 AM
Post#11


UA Admin
Posts: 33,794
Joined: 20-June 02
From: Newcastle, WA


If it hasn't already been said, what you are attempting to implement, or should we say, enhance, here, is the equivalent of a reader board at the entrance to an office building. It tells you which office to go to for different services, but there's no real attempt to enforce a choice, if you decide to go to the wrong office. Given that, I'd probably rethink this a bit, and instead of parsing out different elements from a class of similar passwords, I'd have a table in which various groups (admin, power user, user, or whatever) are defined. Indicate which people are in which group by setting up another table of users in groups. Then, just use that to gently nudge people towards their appropriate set of forms. Keep it as simple as possible with as little coding as possible. It's just not worth the hassle given the lack of real security underlying the whole thing.
 
OCM
post Jun 8 2018, 03:37 PM
Post#12



Posts: 154
Joined: 12-September 02
From: Eastern, USA


Thanks, I agree completely, this is the way to go. In the meantime, I played around with the syntax to get it to work partially. Is it possible to modify the attached syntax so that if users enter the wrong user name 3 times, it prompts them to contact the administrator and exits the DB? The same for password.

CODE
Private Sub cmdClose_Click()
    'Close the login form and close the database once Cancel is clicked
    On Error GoTo err_cmdClose_Click

    DoCmd.Quit

Exit_cmdClose_Click:
    Exit Sub

err_cmdClose_Click:
    MsgBox Err.Description
    Resume Exit_cmdClose_Click

End Sub

Private Sub cmdLOGIN_Click()

    'Check to see if data is entered into the UserName and password box
    If IsNull(Me.txtUserNm) Then
        MsgBox "Please enter UserName", vbOKOnly, "Required Data"
        Me.txtUserNm.SetFocus

    ElseIf IsNull(Me.txtPWD) Then
        MsgBox "Please enter Password", vbOKOnly, "Required Data"
        Me.txtPWD.SetFocus
    Else
        'Check to see if data entered into the UserName and Password box matches to tblLOGIN
        If (IsNull(DLookup("USERNM", "tblLOGIN", "USERNM = '" & Me.txtUserNm.Value & "' And PWD = '" & Me.txtPWD.Value & "'"))) Then
            MsgBox "Invalid Username or Password!"

            Exit Sub
            'Else
            MsgBox "Password Is Invalid - Try Again!", vbCritical + vbOKOnly, "INVALID PASSWORD"
            Me.txtInvalidPW = "Y"
            Me.txtAttempts = Me.txtAttempts + 1
            If Me.txtAttempts = 3 Then
                MsgBox "Check Password And Try Again" & vbCrLf & "       GOOD-BYE", vbCritical + vbOKOnly, "TRY AGAIN LATER"

                DoCmd.Quit

            Else
                Me.txtPWD.SetFocus
                Me.cmdLOGIN.Enabled = False
                Me.cmdLOGIN.Enabled = True
            End If
        End If
    End If

End Sub



CODE
Private Sub txtUserNm_BeforeUpdate(Cancel As Integer)
    'Check to see if the user is valid. Look in the table to get the user status

    Dim strStatus As String
    Dim strSQL    As String
    Dim db        As DAO.Database
    Dim rstStatus As DAO.Recordset
    Set db = OpenDatabase("path")
    Set rstStatus = db.OpenRecordset("tblLOGIN", dbOpenTable)
    rstStatus.Index = "USERNM"
    rstStatus.Seek "=", Me.txtUserNm

    If rstStatus.NoMatch Then  '*** User Name not found! ***
        MsgBox " Invalid User Name - Try Again!", vbCritical + vbOKOnly, "INVALID USER NAME"
        Me.txtValidUser = "N"
        Me.txtAttempts = Me.txtAttempts + 1

        If Me.txtAttempts = 3 Then
            MsgBox "Check User Name And Try Again" & vbCrLf & "       GOOD-BYE", vbCritical + vbOKOnly, "TRY AGAIN LATER"
            DoCmd.Quit
        Else
            ' Me.cmdLOGIN.Enabled = False
            Me.cmdLOGIN.Enabled = True
        End If

    End If

    rstStatus.Close  '*** Clean Up ***
    db.Close
End Sub


TIA

Regards,
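The group tables suggested in Post#11 and the three-attempt exit asked for in Post#8 and Post#12, combined in one login handler as an added example (not code from any poster in the thread). In the posted handler the `'Else` is commented out, so the attempt counter sits after `Exit Sub` and never runs, and the `DLookup` criteria are built by concatenating the typed text; here the counter is a module variable and the lookup is a parameter query. The tables `tblGroups` and `tblUserGroups`, their columns, and the group names "Admin" and "Power User" are assumptions; `tblLOGIN`, `USERNM`, `PWD` and the control names come from the posted code.

```vba
' Login form module. Assumed tables (not from the thread):
'   tblGroups(GroupID, GroupName), tblUserGroups(USERNM, GroupID)
Private Const MAX_ATTEMPTS As Integer = 3
Private mFailed As Integer   ' kept in code, not in a form text box
' Group name when USERNM/PWD match tblLOGIN; "" otherwise (also when no group row).
Private Function GroupForLogin(ByVal userName As String, ByVal pwd As String) As String
    Dim qdf As DAO.QueryDef, rs As DAO.Recordset
    ' Parameter query: typed text is bound as data and cannot alter the WHERE clause.
    Set qdf = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pUser Text(255), pPwd Text(255); " & _
        "SELECT g.GroupName FROM (tblLOGIN AS l " & _
        "INNER JOIN tblUserGroups AS ug ON l.USERNM = ug.USERNM) " & _
        "INNER JOIN tblGroups AS g ON ug.GroupID = g.GroupID " & _
        "WHERE l.USERNM = [pUser] AND l.PWD = [pPwd];")
    qdf.Parameters("pUser").Value = userName
    qdf.Parameters("pPwd").Value = pwd
    Set rs = qdf.OpenRecordset(dbOpenSnapshot)
    If Not rs.EOF Then GroupForLogin = Nz(rs!GroupName, "")
    rs.Close: qdf.Close
End Function

Private Sub cmdLOGIN_Click()
    On Error GoTo Fail       ' a run-time error closes the DB instead of offering "End"
    Dim grp As String
    ' Nz() maps Null to "", so blank boxes count as failed attempts too.
    If Len(Nz(Me.txtUserNm, "")) > 0 And Len(Nz(Me.txtPWD, "")) > 0 Then
        grp = GroupForLogin(Me.txtUserNm.Value, Me.txtPWD.Value)
    End If
    If Len(grp) = 0 Then
        mFailed = mFailed + 1
        If mFailed >= MAX_ATTEMPTS Then
            MsgBox "Please contact your administrator.", vbCritical + vbOKOnly, "Login failed"
            DoCmd.Quit
        Else
            MsgBox "Invalid Username or Password!", vbExclamation + vbOKOnly, "Login failed"
        End If
        Exit Sub
    End If
    DoCmd.OpenForm "frmMainMenu"
    With Forms!frmMainMenu   ' an option stays off unless the group grants it
        !optReports.Enabled = (grp = "Admin" Or grp = "Power User")
        !optSuspCase.Enabled = (grp = "Admin" Or grp = "Power User")
        !optMaintenance.Enabled = (grp = "Admin")
    End With
    Me.Visible = False
    Exit Sub
Fail:
    DoCmd.Quit
End Sub
```

The same message is shown for an unknown user name and a wrong password, and both count toward the one limit. As Post#5 and Post#11 say, this steers users within the interface and does not protect the tables themselves.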
 

