For some reason when I access any event in the poll controller (such as poll/list or poll/details) I am not blocked even though I’m not in the correct role. Is there something more I have to do to make the security roles work?
If you do “preEventSecurity” this means that APART from doing security in the preProcess point, anytime events are fired internally, security will be checked also. This is very specific if you are trying to secure internal calls. If not, just eliminate this setting.
Hmm… I removed the preEventSecurity setting and fwreinit the app but I’m still able to access poll/list and poll/details and poll/doSave even though I’m not in the correct role. An unauthorized user should only be able to access poll/doVote.
Basically we want to secure all poll events except doVote. The only users that should be able to access the other events must first be in the pollAdmin role.
I thought the security interceptor automatically checks to see if the cflogin roles variable contains the string in the roles setting of the security.xml.cfm file and then behaves according to the whitelist and securelist?
It does, so that is why I said, maybe turn on debugging on the interceptor to see what roles it detects. Maybe that is the case, that the login is not working correctly.
But yes, it tries to see if the event is in the whitelist regex, if not, then it tries to match it with the secure regex, and IF it matches, then it secures it.
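A minimal model of the evaluation order described in the last reply (whitelist first, then secure list, then the role check), added here as an example; it is not part of the thread and not ColdBox's own code. The rule patterns, the dotted event names and the function names are assumptions.

```python
import re

# Constructed rule modelled on the thread: secure every poll event except
# doVote and require the pollAdmin role. Patterns are assumptions.
RULE = {
    "whitelist": [r"^poll\.doVote$"],
    "securelist": [r"^poll\..*"],
    "roles": ["pollAdmin"],
}

def _matches(patterns, event):
    """True if any regex in the list matches the event name."""
    return any(re.search(p, event, re.IGNORECASE) for p in patterns)

def check_event(event, user_roles, rule=RULE):
    """Return (decision, reason) for one rule, in the order the thread describes."""
    held = {r.lower() for r in user_roles}
    # 1. Whitelist wins: the event is never secured by this rule.
    if _matches(rule["whitelist"], event):
        return ("allow", "event matches whitelist")
    # 2. Only events matching the secure list are checked at all.
    if not _matches(rule["securelist"], event):
        return ("allow", "event matches neither list, so it is not secured")
    # 3. Secured event: the user must hold at least one required role.
    if held & {r.lower() for r in rule["roles"]}:
        return ("allow", "user holds a required role")
    # Reporting the roles actually seen mirrors the debugging advice above.
    return ("block", f"secured event, roles detected: {sorted(held)}")

if __name__ == "__main__":
    # Constructed sample requests: (event, roles the login assigned).
    samples = [
        ("poll.doVote", []),
        ("poll.list", []),
        ("poll.doSave", ["editor"]),
        ("poll.details", ["pollAdmin"]),
        ("main.index", []),
    ]
    for event, roles in samples:
        print(event, roles, check_event(event, roles))
```

The reason string separates the two ways a request can get through: the event never matched the secure list, or the roles detected for the user satisfied the rule.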