[ColdBox 3.8.0] Security: allow admin to manage all records and users only their own record

In a ColdBox app I have a protected area where users can edit/delete/modify records. I have two roles, admin and user. With the security interceptor I have created my rules to allow/disallow access to my handlers. However, I would like to let admin edit all records, but users should edit only their own record.

To solve this problem I have created a preHandler where I check which role is trying to edit the record, and if it's user and the record he tries to edit is not his own I redirect to an error page. Is this a good way to accomplish this?

Or is there a better solution?

That sounds good as well.

You can also extend the rules by adding your own elements to them. You can then get these elements off the rule if you create your own security validator object. This way you could centralize it.

For example, you can add to the rule something like:

{ secureList:"xxxx", roles:"xxx", permissions:"xxx", selfEdit:"true" }
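The following is an added example, not code from the thread or from ColdBox itself, showing how the two ideas above fit together: the ownership check the question describes in a preHandler, moved into a custom security validator that reads a `selfEdit` element off the rule, so admins pass on role alone while users must own the record. It assumes the ColdBox 3.x validator contract (`ruleValidator(rule, controller)` and `annotationValidator(securedValue, controller)`, both returning a boolean), that login stores `{ id, role }` in `session.user`, a hypothetical WireBox-managed `RecordService` exposing `getOwnerId(recordId)`, and that the record id arrives in the request collection as `id`.

```cfml
/**
 * Hypothetical custom security validator (example code, not part of ColdBox).
 * Register it on the security interceptor with the validator property, e.g.
 *   { class="coldbox.system.interceptors.Security",
 *     properties={ rulesSource="json", rulesFile="config/security.json.cfm",
 *                  validator="models.security.OwnershipValidator" } }
 * and write rules such as:
 *   { secureList:"records\.(edit|delete|save)", roles:"admin,user",
 *     permissions:"", selfEdit:"true", redirect:"security.denied" }
 */
component {

    // Assumed service resolved by WireBox; exposes getOwnerId( recordId ).
    property name="recordService" inject="RecordService";

    /**
     * Called by the security interceptor for every rule whose secureList
     * matches the current event. Return true to allow, false to redirect.
     */
    public boolean function ruleValidator( required struct rule, required any controller ) {
        var event = arguments.controller.getRequestService().getContext();

        // Assumption: login placed { id, role } in session.user. No session, no access.
        if ( !structKeyExists( session, "user" ) ) {
            return false;
        }
        var user = session.user;

        // Standard role check: the rule's roles list must contain the user's role.
        if ( len( arguments.rule.roles ) && !listFindNoCase( arguments.rule.roles, user.role ) ) {
            return false;
        }

        // Custom rule element: selfEdit confines non-admins to records they own.
        var selfEdit = structKeyExists( arguments.rule, "selfEdit" )
                       && isBoolean( arguments.rule.selfEdit )
                       && arguments.rule.selfEdit;

        if ( selfEdit && compareNoCase( user.role, "admin" ) neq 0 ) {
            var recordId = event.getValue( "id", 0 );
            // A missing or malformed id is denied, never treated as "no record, so allow".
            if ( !isNumeric( recordId ) || recordId lte 0 ) {
                return false;
            }
            // Ownership is resolved server-side from the stored record, not from any
            // ownerId the client might submit alongside the form.
            return recordService.getOwnerId( recordId ) eq user.id;
        }

        return true;
    }

    /**
     * Used for annotation-based security (secured="admin" on a handler or action).
     * Treats the annotation value as a roles list; selfEdit only applies to rules.
     */
    public boolean function annotationValidator( required any securedValue, required any controller ) {
        if ( !structKeyExists( session, "user" ) ) {
            return false;
        }
        if ( isBoolean( arguments.securedValue ) ) {
            return true;   // secured="true" only requires an authenticated user
        }
        return listFindNoCase( arguments.securedValue, session.user.role ) gt 0;
    }
}
```

With the check in the validator, every handler covered by a `selfEdit` rule gets the same ownership test without each one repeating the preHandler logic, and a handler that forgets the check is still protected as long as its event is in the rule's `secureList`.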

Many thanks Luis!!!