****   Security Enhancements for FSL 2.0 ****

Preventing Users from jumping modules:

	All header.cfm includes have been changed to cfmodules. A new attribute has been added to the         header.cfm module that checks for the client variable usr_acctmodlst for that attribute. If it is 	not found, indicating that the user is trying to view a module that they do not have access to. 	When this happens, the user will be directed to home/index.cfm page (default page after login).
	
Module call example:

<cfmodule template="../header.cfm" srchCtr="on" dispSrchFltrs="yes" useCstmSrchFltrs="no" ModID="38">

New Header.cfm code:

<cfparam name="attributes.ModID" default="0">
<cfif (ListFind(client.usr_acctmodlst,  "#attributes.ModID#" ,  ",") EQ 0) AND (right(cgi.SCRIPT_name,"15")        NEQ "/Home/index.cfm")>
    <cflocation url="../home/index.cfm" addtoken="No">
</cfif>



Preventing Users from access data that they do not own.

1.) All queries, when applicable, should contain #client.usr_acctpk# AND #client.usr_accttype# within the where clause. 
    Especially delete queries.

2.) Every page should a recordcount check for the main query that drives the page (except list.cfm)when a url.id is present.     This main query must have #client.usr_acctpk# AND #client.usr_accttype# in the where clause. If the user attempts to         manipulate the URL and changes the URL.ID to a value that is not owned by them, they will have a recordcount of 0. 
    When this is detected the user should be sent to the list.cfm page for the current module. This code will guarantee
    that they will not be to access other client data as well as it more difficult to crack the token algorithm.

 example:
	<cfif qmd_GetOperator.recordCount EQ 0>
		<cflocation url="list.cfm" addtoken="No">
	</cfif>



3.) Use tokens where applicable.