Issues with Handler Annotations Using AuthValidator in CBSecurity

Hello,

I’m currently facing a challenge with the AuthValidator and handler annotations in my CBSecurity setup, particularly around the use of secured="keyword" annotations. I am finding that the keyword used in secured="keyword" is being passed to the hasPermission() method, which seems to cause unintended behavior.

Environment:

  • ColdBox Version: “^7.0.0”
  • CBSecurity Module Version: “^3.4.2+4”
  • cfengine: “adobe@2021”

When I use a handler annotation like secured="admin", it’s supposed to check if the current user has the “admin” role. However, it appears that the same “admin” string is also being passed to the permission check. Since my roles and permissions are distinct (i.e., they do not overlap in naming), this results in the request always being blocked unless both the roles array and permissions array contain the keyword “admin.”

function admin ( event, rc, prc ) secured="admin"{
	event.setView( "Dashboard/admin" );
}

It works as intended when I set the rules in config/coldbox.cfc; however, I’m struggling with annotations.

Is there a recommended approach to ensure that secured="keyword" only checks roles or permissions specifically? Are there better ways to set annotations on my handlers or handler/actions?

Thank you very much for your help!

Regards,
Sayeed

I figured out that ‘securedValue’ is set to ‘permissions’ and is being passed when calling the ‘validateSecurity’ method, hence the confusion. I’ll try to write a custom validator to fit my needs.
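
One way such a custom validator could look, as an added example that is not part of the original posts and is not CBSecurity's own code. It assumes the CBSecurity validator contract (ruleValidator and annotationValidator returning allow, type and messages), a user object that implements hasRole() and hasPermission(), and that rules carry roles and permissions keys; the component name and the "role:" / "perm:" annotation prefixes are hypothetical.

```cfml
/**
 * RoleAwareValidator.cfc (hypothetical name): keeps role checks and
 * permission checks separate for secured="..." annotations.
 */
component singleton {

	// Assumption: CBSecurity model exposes the configured authentication service
	property name="cbSecurity" inject="CBSecurity@cbsecurity";

	// Called when an incoming event matches a security rule
	struct function ruleValidator( required rule, required controller ){
		return check( arguments.rule.roles, arguments.rule.permissions );
	}

	// Called when a handler or action carries a secured annotation
	struct function annotationValidator( required securedValue, required controller ){
		var value = trim( arguments.securedValue );
		// Bare `secured` (empty or boolean value): authentication only
		if ( !len( value ) || isBoolean( value ) ) {
			return check( "", "" );
		}
		// secured="perm:USERS_EDIT" checks permissions only
		if ( reFindNoCase( "^perm:", value ) ) {
			return check( "", reReplaceNoCase( value, "^perm:", "" ) );
		}
		// secured="role:admin" or plain secured="admin" checks roles only
		return check( reReplaceNoCase( value, "^role:", "" ), "" );
	}

	private struct function check( required string roles, required string permissions ){
		var results = { "allow" : false, "type" : "authentication", "messages" : "" };
		var auth    = variables.cbSecurity.getAuthService();
		if ( !auth.isLoggedIn() ) {
			return results;
		}
		results.type = "authorization";
		var user = auth.getUser();
		// Each non-empty list is satisfied by any one of its entries;
		// when a rule sets both lists, both must pass (a choice made in this example)
		var roleOk = !listLen( arguments.roles ) || listToArray( arguments.roles ).some( ( r ) => user.hasRole( trim( r ) ) );
		var permOk = !listLen( arguments.permissions ) || listToArray( arguments.permissions ).some( ( p ) => user.hasPermission( trim( p ) ) );
		results.allow = roleOk && permOk;
		if ( !results.allow ) {
			results.messages = "User lacks the required role or permission";
		}
		return results;
	}

}
```

With this validator registered in place of AuthValidator, secured="admin" on the handler action above results in a hasRole( "admin" ) call only, and hasPermission() is never consulted for it.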