Security Interceptor

I have a few questions regarding the Security Interceptor, especially in relation to 2.6.2.

First, it seems like there is a lot of overlap between the different rulesSource options. For example, if you create a custom CFC using the settings for ColdBox Model Caching, aren’t you then using Model, IOC and OCM? I’d like to use Model and assume it means that I will be able to use ColdBox Model Caching to manage the dependency injection. Would that be a correct assumption?

Second, I assume that any inline checks you will need (for example whether or not to show a button) would be directly accessed in the handler by calling the validator service that you are using, instead of through the interceptor. Am I correct in that assumption?




Hi Christine,
The rules sources are different. When I say Model, I mean that the rules will come from a Model object’s method.

When it is IOC, it means that it comes from the IOC plugin using a name and method.
When it is OCM, it means that the query of security rules has been cached by YOU and all you need here is the key of the cache entry.

They all do the same, but offer you the flexibility to use the system of preference.

As for inline checks, this is up to you to decide how to validate permissions. I usually create a User object that has associated permissions with it. I basically then place the user object in the request collection in the request start handler so it is available EVERYWHERE. So I can do things like:

<cfif rc.oUser.checkPermission('ADMIN_TAB')>
show button
</cfif>