Cbsecurity problem

I’m using cbSecurity with my own validator object and don’t get the results I expect when adding a second rule. The ADMIN rule works with no issue, but when I add the USER rule and log in with an account which has the USER role, I’m not getting access to the events I have defined in the USER rule. So I must obviously be doing something wrong. Here is what I’m trying to accomplish:

Admin - has access to all events within the handlers in the Admin folder
User - has limited access to certain events in the User handler within the admin folder. These are:

  • admin.user.userEditor
  • admin.user.save
  • admin.user.changepassword
  • admin.user.savePassword

Now I can easily go into each handler in admin and check the role and redirect the user from there if they don’t have access, but that kind of defeats the purpose of using cbSecurity!

Here are the rules I have as they are currently defined. Any assistance is greatly appreciated!

```
Rule 1 (Admin):
  whitelist:  security\..*,main\..*
  securelist: dashboardUser\..*,dashboard\..*,User\..*,Role\..*,Content\..*,stateProvince\..*,menu\..*
  match:      event
  roles:      admin
  redirect:   security.login
  useSSL:     false

Rule 2 (User):
  whitelist:  security\..*,main\..*
  securelist: dashboardUser\..*,User\.index,User\.remove,Role\..*,Content\..*,stateProvince\..*,menu\..*
  match:      event
  roles:      User
  redirect:   security.login
  useSSL:     false
```

The problem might be that you are matching the rules. Therefore the first security match sends it to the validator and if not valid then redirects.

Turn on the logging level for cbSecurity so you can see more information. You can do something like this in your coldbox.cfc in the LogBox section:

```
debug = [ "cbsecurity" ]
```

That will turn on debugging for the module and can see all the information about the rule processing.

I have LogBox working using this configuration:

```
// LogBox DSL
logBox = {
    // Define Appenders
    appenders = {
        coldboxTracer = { class="coldbox.system.logging.appenders.ConsoleAppender" },
        MyAsycFile = {
            class="coldbox.system.logging.appenders.RollingFileAppender",
            properties={
                filePath=expandPath("/coldbox/system/log/tmp"), autoExpand=false, fileMaxArchives=1, fileMaxSize=3000
            }
        }
    },
    // Root Logger
    root = { levelmax="INFO", appenders="*" },
    // Implicit Level Categories
    info = [ "coldbox.system" ],
    debug = [ "cbsecurity" ]
};
```

It seems like it’s only validating against one security rule. Here are the events in the log:

```
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.doLogin' found in whitelist: security…,main…"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.doLogin' found in whitelist: security…,main…, user.editor,user.save,user.changePassword,user.savePassword,admin.dashboardUser.index"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","User did not validate security for secured match target=admin.dashboardUser.index. Rule: {MATCH={event}, PERMISSIONS={}, SECURITYRULEID={1}, WHITELIST={security…,main…}, SECURELIST={dashboardUser…,dashboard…,User…,Role…,Content…,stateProvince…,menu…*}, USESSL={0}, ROLES={Admin}, REDIRECT={security.login}}"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.login' found in whitelist: security…,main…"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.login' found in whitelist: security…,main…, user.editor,user.save,user.changePassword,user.savePassword,admin.dashboardUser.index"
```

Note that I only see an entry in the log for security rule id 1, which is the ADMIN rule; I don’t see an entry for rule id 2, which is the USER rule. Any help is appreciated!

I think the issue is that your event is matching on rule 1, thus doing what it is supposed to do.

The condition for matching is the event, not the role or permissions.

Luis Majano
CEO
Ortus Solutions, Corp
www.ortussolutions.com
P/F: 1-888-557-8057

I figured the same thing, so how should I construct the security rules to achieve the following:

Admin - has access to all events within the handlers in the Admin folder
User - has limited access to certain events in the User handler within the admin folder. These are:

  • admin.user.userEditor
  • admin.user.save
  • admin.user.changepassword
  • admin.user.savePassword.

I would put the more specific rules first. But also add the two roles in there as well.

I did as you instructed, put the most restricted rules first, and added both the Admin Role and User Role to that rule, then modified the admin rule to allow access to all events within the handlers in the Admin folder and it works now! Thanks so much!!!
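To make concrete why the first posted rule set behaved the way Luis describes (the event, not the role, selects the rule, and the first rule that secures the event has the final say), here is an added Python model of that first-match walk. It is not cbSecurity’s own code: the rule fields mirror what the log prints for a rule, the first rule set copies the thread’s posted patterns, the reordered set is an assumed reconstruction of the final working configuration (specific rule first with both roles, then a broad Admin rule), and the role check stands in for the poster’s custom validator as a simple role-list intersection.

```python
import re

# Constructed rule sets. Field names follow what cbSecurity logs for a rule
# (WHITELIST, SECURELIST, MATCH, ROLES, REDIRECT); the patterns are the thread's.

# The two rules exactly as first posted: the broad Admin rule sits first, so
# any event it secures is decided by it alone and rule 2 is never consulted.
ORIGINAL_RULES = [
    {
        "whitelist": r"security\..*,main\..*",
        "securelist": r"dashboardUser\..*,dashboard\..*,User\..*,Role\..*,Content\..*,stateProvince\..*,menu\..*",
        "match": "event",
        "roles": "admin",
        "redirect": "security.login",
    },
    {
        "whitelist": r"security\..*,main\..*",
        "securelist": r"dashboardUser\..*,User\.index,User\.remove,Role\..*,Content\..*,stateProvince\..*,menu\..*",
        "match": "event",
        "roles": "User",
        "redirect": "security.login",
    },
]

# Reordered per the accepted advice: the most specific rule first, carrying both
# roles, then a broad rule for everything under the admin folder. This is an
# assumed reconstruction of the final working set, not the poster's own file.
REORDERED_RULES = [
    {
        "whitelist": r"security\..*,main\..*",
        "securelist": r"admin\.user\.userEditor,admin\.user\.save,admin\.user\.changepassword,admin\.user\.savePassword",
        "match": "event",
        "roles": "Admin,User",
        "redirect": "security.login",
    },
    {
        "whitelist": r"security\..*,main\..*",
        "securelist": r"admin\..*",
        "match": "event",
        "roles": "Admin",
        "redirect": "security.login",
    },
]


def _any_match(patterns: str, event: str) -> bool:
    """True if any comma-separated regex is found in the event. Case-insensitive
    substring search is assumed, which is consistent with the thread's log showing
    'User\\..*' catching the admin.user.* events."""
    return any(re.search(p, event, re.IGNORECASE) for p in patterns.split(",") if p)


def _roles_validate(rule: dict, user_roles) -> bool:
    """Stand-in for the poster's custom validator: allow if the user holds any role
    listed on the rule (assumed case-insensitive, since the posted rule says
    'admin' while the log prints 'Admin')."""
    wanted = {r.strip().lower() for r in rule["roles"].split(",")}
    return any(r.lower() in wanted for r in user_roles)


def evaluate(rules, event: str, user_roles):
    """First-match walk over the rules, as the thread's log shows cbSecurity doing:
    a whitelist hit skips the rule, a securelist hit hands the event to the
    validator, and that rule's verdict is final. Later rules are never reached
    once a rule has secured the event."""
    for rule_id, rule in enumerate(rules, start=1):
        if _any_match(rule["whitelist"], event):
            continue
        if not _any_match(rule["securelist"], event):
            continue
        if _roles_validate(rule, user_roles):
            return {"rule": rule_id, "allowed": True, "redirect": None}
        return {"rule": rule_id, "allowed": False, "redirect": rule["redirect"]}
    # No rule secures the event, so it passes through untouched.
    return {"rule": None, "allowed": True, "redirect": None}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("reordered", REORDERED_RULES)):
        for event, roles in (("admin.user.save", ["User"]), ("admin.dashboard.index", ["User"])):
            print(label, event, roles, evaluate(rules, event, roles))
```

Running it shows the symptom from the log (a USER-role request to admin.user.save is decided by rule 1, which only lists admin, and is redirected to security.login) and the fix: with the specific rule first and both roles on it, the same request is allowed by rule 1, while admin.dashboard.index still falls through to the broad rule and is denied to a USER-only account. Whitelisted events such as security.login match no securelist and pass through without any rule deciding them.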