Question about Security Interceptor

If I am using the ColdBox Security Interceptor and XML, how do I lock down the dashboard handler, say if I want to give certain users access to certain methods? Do I have to create a rule for every method?

The docs: http://ortus.svnrepository.com/coldbox/trac.cgi/wiki/cbSecurity

There’s also a security sample app. Coupled with the docs it’s a great foundation.

  • Gabriel

You can specify regular expressions for the secure list, or if not comfortable with regex, then with snippets.

However, regex is the preferred approach.

securelist = ^dashboard

That will match any event that starts with dashboard.

Luis

OK, I understand the regex:
Securelist = ^dashboard

What if I just want to give user4 only access to dashboard.overview
and user5 access to everything?

Do you see where I am going with this?

Do I have to create a rule for every event, or can I secure the dashboard handler and give certain roles access to only some of the methods of the dashboard?

This is how I currently do it using roles. (disclaimer: I’m relatively new to all this).

I believe the rules are processed in order. So when dashboard.overview gets accessed, the first rule matches and says “Allow access for roles user4Role and user5Role”. If User4 and User5 have those roles, respectively, then they both can access it.

If any other event is accessed in the “dashboard” handler, then the second rule matches and says “Allow access for roles user5Role”. User5 would have access but User4 would not.

Secure list            Roles                  Redirect
^dashboard\.overview   user4Role,user5Role    security/login
^dashboard.*           user5Role              security/login
  • Gabriel
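The ordered, first-match evaluation described in the post above, as an added Python example that is not part of the original thread and not cbSecurity's own code. The XML element names (securelist, roles, redirect) are assumed for illustration and may differ from the real rule file layout in the docs linked earlier; event names are assumed to match case-insensitively, as ColdBox treats them. The example also shows what happens when the two rules are stored in the opposite order.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rules file carrying the two rules from the post above. The element
# names are assumed for illustration and may differ from cbSecurity's actual
# XML layout.
RULES_XML = r"""
<rules>
  <rule>
    <securelist>^dashboard\.overview</securelist>
    <roles>user4Role,user5Role</roles>
    <redirect>security/login</redirect>
  </rule>
  <rule>
    <securelist>^dashboard.*</securelist>
    <roles>user5Role</roles>
    <redirect>security/login</redirect>
  </rule>
</rules>
"""


def load_rules(xml_text):
    """Parse the rules in file order; that order is what makes first-match work."""
    rules = []
    for node in ET.fromstring(xml_text.strip()).findall("rule"):
        roles = node.findtext("roles", "")
        rules.append({
            "securelist": node.findtext("securelist", "").strip(),
            "roles": {r.strip() for r in roles.split(",") if r.strip()},
            "redirect": node.findtext("redirect", "").strip(),
        })
    return rules


def evaluate(event, user_roles, rules):
    """Walk the rules top to bottom; the first securelist that matches decides.

    Returns ("allow", matched pattern), ("deny", redirect target), or
    ("open", None) when no rule covers the event at all.
    """
    for rule in rules:
        # Event names are assumed case-insensitive, as ColdBox treats them.
        if re.search(rule["securelist"], event, re.IGNORECASE):
            if rule["roles"] & set(user_roles):
                return ("allow", rule["securelist"])
            return ("deny", rule["redirect"])
    return ("open", None)


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for event, roles in [("dashboard.overview", ["user4Role"]),
                         ("dashboard.settings", ["user4Role"]),
                         ("dashboard.settings", ["user5Role"])]:
        print(event, roles, "->", evaluate(event, roles, rules))
    # Swapping the two rules makes the broad ^dashboard.* rule win first and
    # locks user4 out of dashboard.overview as well.
    print("reversed:", evaluate("dashboard.overview", ["user4Role"], rules[::-1]))
```

Two details worth checking in a real rules file: the dot in `dashboard.overview` is escaped so the pattern cannot match an unrelated event name with a different character in that position, and the narrow rule sits above the broad one, because once `^dashboard.*` matches nothing below it is consulted.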

That is what I am trying to avoid. Basically the way my system works is that I create a client admin and let them create their own rules based on the event handler, and I was trying to get the default security to work for.

What if I just want to give user4 only access to dashboard.overview
What is user4? A role, a permission, a name? How do you distinguish it?

There has to be a relationship between users and the secured events somehow. Remember that the basic rule setup allows for roles and/or permissions. However, you can extend it as you see fit.

I think you’re looking at a custom job but I think the security interceptor could help. The security interceptor has several ways to store the rules. XML is the default but there are other options including a database.

If you’re creating multiple client admins and each one can create their own rules, you could save the rules to a database and have the security interceptor pull them dynamically from the database. The work will be in sandboxing each client admin from the others.

  • Gabriel
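One way to do the database-backed rules and the sandboxing that the post above calls the real work, as an added Python example that is not part of the original thread and not cbSecurity's own storage scheme. It assumes each client's events live under a package prefix equal to its client id (for example `acme.dashboard.overview`), and it has each client admin supply only the part of the pattern that follows that prefix; the loader composes the final secure-list regex itself, so a stored rule can never match another client's events. The table layout and the SQLite store are constructed for the example.

```python
import re
import sqlite3


def open_rule_store():
    """Constructed in-memory table; a real deployment would use the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE security_rules (
               id         INTEGER PRIMARY KEY,
               client_id  TEXT    NOT NULL,
               sort_order INTEGER NOT NULL,   -- rules are evaluated in this order
               pattern    TEXT    NOT NULL,   -- admin-supplied, relative to the prefix
               roles      TEXT    NOT NULL,
               redirect   TEXT    NOT NULL)"""
    )
    return conn


def compose_securelist(client_id, pattern):
    # Anchor at the start, escape the client's prefix literally, and wrap the
    # admin's pattern in a non-capturing group so an alternation or quantifier
    # inside it cannot escape the anchored prefix.
    return "^" + re.escape(client_id) + r"\.(?:" + pattern + ")"


def add_client_rule(conn, client_id, sort_order, pattern, roles, redirect):
    """Reject a rule that would not compile; otherwise store it for this client only."""
    try:
        re.compile(compose_securelist(client_id, pattern))
    except re.error as exc:
        raise ValueError("rejected rule for %s: %s" % (client_id, exc))
    conn.execute(
        "INSERT INTO security_rules (client_id, sort_order, pattern, roles, redirect) "
        "VALUES (?, ?, ?, ?, ?)",
        (client_id, sort_order, pattern, roles, redirect),
    )


def load_rules_for_client(conn, client_id):
    """Return the client's rules in evaluation order, with the prefix applied."""
    rows = conn.execute(
        "SELECT pattern, roles, redirect FROM security_rules "
        "WHERE client_id = ? ORDER BY sort_order",
        (client_id,),
    ).fetchall()
    return [
        {"securelist": compose_securelist(client_id, pattern),
         "roles": [r.strip() for r in roles.split(",") if r.strip()],
         "redirect": redirect}
        for pattern, roles, redirect in rows
    ]


def rule_applies(rule, event):
    # Event names are assumed case-insensitive, as ColdBox treats them.
    return re.search(rule["securelist"], event, re.IGNORECASE) is not None


if __name__ == "__main__":
    conn = open_rule_store()
    add_client_rule(conn, "acme", 1, r"dashboard\.overview", "user4Role,user5Role", "security/login")
    add_client_rule(conn, "acme", 2, r"dashboard.*", "user5Role", "security/login")
    for rule in load_rules_for_client(conn, "acme"):
        print(rule["securelist"], "->", rule_applies(rule, "globex.dashboard.overview"))
```

The point of composing the pattern server-side rather than storing whatever the admin typed is that the sandbox boundary then lives in one function: an admin for `acme` can write `dashboard.*|.*` and still only ever cover events under `acme.`.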