[ColdBox 3.8.0] Security: allow admin to manage all record and users only their own record

Francesco · March 4, 2014, 4:47pm

In a coldbox app I have a protected area where users can edit/delete/modify record. I have two roles admin and user. With the security interceptor I have created my rules to allow/disallow access to my handlers. However I would like to let admin editing all records, but users should edit only their own record.

To solve this problem I have created a prehandler where I check which role is trying to edit the record, and if it’s user and the record he try to edit is not his own I redirect to an error page. Is this a good way to accomplish this?

Or is there a better solution?

lmajano · March 4, 2014, 5:26pm

That sounds good as well.

Yuo can also add extend the rules by adding your own elements to it. You can then get these elements of the rule if you create your own securiy validator object. This way you could centralize it.

For example, you can add to the rule something like:

{ secureList:“xxxx”, roles:“xxx”, permissions:“xxx”, selfEdit=“true” }

Francesco · March 4, 2014, 6:50pm

Many thanks Luis!!!

[ColdBox 3.8.0] Security: allow admin to manage all record and users only their own record

Latest Ortus News

GIVING BACK

HARVESTING IN SPANISH

WOODSEDGE