I have been reading the cbsecurity documentation and plan to use it to secure an app I am developing. I want to start using annotations that are protected by authorization of roles. For example, user, moderator, and admin.
I understand that I can secure handlers by placing these roles accordingly in a list in my handler file:
component secured="admin,user" {
…
}
Where do I declare these roles so that I might be able to use them in my rules and annotations?
Those are actually authorization contexts. As long as one passes, the user is considered authorized. How they are used depends on which Validator you are using.
The CFML Security Validator (aka cfauth) uses the roles passed in to it when you logged the user in via the tag/function.
The CBAuth Validator passes those contexts on to the instance of IAuthUser that is returned when logging in. There is a hasPermission function on that interface that will be passed each of the authorization contexts.
I did eventually figure this out: I made my user objects have a “permissions” property that got passed into the hasPermission function. I made it look like this:
boolean function hasPermission( required string permission ) {
	// Takes in a permission argument and returns true or false if the user is in possession of the specific permission.
	// listFindNoCase matches a whole list element only; listContains also matches substrings,
	// so a user holding "superadmin" would have been granted "admin".
	return listFindNoCase( variables.permissions, trim( arguments.permission ) ) > 0;
}
It worked out just fine then! Thanks for the additional information. Hopefully if someone comes across this post some day they’ll find what they need.
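The following is an added example, not code from either poster and not cbsecurity's own source. It shows the two pieces discussed in this thread: a user component whose hasPermission() is called once per authorization context (the contract the answer describes), and a small script that reproduces the "as long as one context passes, the user is authorized" evaluation so the behaviour can be checked outside a running ColdBox app. The "permissions" property, its comma-delimited format, the init() signature and the isAuthorized() helper are all assumptions; isAuthorized() is a simplified stand-in for the validator's check, not a copy of it.

```cfml
// User.cfc
// Added example (not the poster's code and not cbsecurity's own): a user object
// that satisfies the hasPermission() contract described in the answer above.
// The "permissions" property name and its comma-delimited format are assumptions.
component accessors="true" {

    property name="id"          type="string";
    property name="username"    type="string";
    // Comma-delimited list of granted permissions, e.g. "user,moderator" (assumed format)
    property name="permissions" type="string" default="";

    function init( string id = "", string username = "", string permissions = "" ) {
        variables.id          = arguments.id;
        variables.username    = arguments.username;
        variables.permissions = arguments.permissions;
        return this;
    }

    // The validator passes each authorization context from secured="admin,user"
    // to this method one at a time; the request is authorized as soon as one
    // of them returns true.
    boolean function hasPermission( required string permission ) {
        // listFindNoCase matches a whole list element only, so a user holding
        // "superadmin" or "admin_readonly" is not granted "admin".
        // listContains would match those substrings and over-grant.
        return listFindNoCase( variables.permissions, trim( arguments.permission ) ) > 0;
    }

}

// check.cfm (place next to User.cfc and request it in a browser or run it with CommandBox)
<cfscript>
// Assumed stand-in for the "any context passes" evaluation the answer describes.
// Simplified reconstruction for illustration only, not the validator's code.
function isAuthorized( required any user, required string contexts ) {
    return listToArray( arguments.contexts )
        .filter( function( ctx ) { return user.hasPermission( ctx ); } )
        .len() > 0;
}

// Constructed sample users
moderator  = new User( id = "1", username = "mod",  permissions = "user,moderator" );
superadmin = new User( id = "2", username = "root", permissions = "superadmin" );

// "user" is one of the secured contexts, so the moderator is authorized
writeOutput( "moderator on admin,user: " & isAuthorized( moderator, "admin,user" ) & "<br>" );

// "superadmin" is not an exact match for "admin" or "user", so this user is denied;
// with listContains() in hasPermission() the substring "admin" would have matched
writeOutput( "superadmin on admin,user: " & isAuthorized( superadmin, "admin,user" ) & "<br>" );
</cfscript>
```

The exact-element match is the detail worth keeping: with a substring function in hasPermission(), naming conventions such as "admin_readonly" or "superadmin" silently widen what an "admin" context grants.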