The security interceptor is pretty cool. I have my security module with my custom validator object and everything, but there is one thing that I miss.
I have a menu where I want to hide those links the logged in user has no access to.
The problem is that ColdBox does not know if a user has access until the user clicks on that link and therefore calls the preProcess and preEvent methods in the security interceptor,
which will then investigate the event and build up the rules struct that gets passed on to my userValidator(struct rule,any messagebox, any controller) method.
So I would like a method like boolean function hasAccess(event="someHandler/someAction").
Calling the processRules method in the security interceptor will try to relocate the user and in this case I would not want that.
_isUserInValidState is private and takes in the rule we are validating which is unknown at that stage…
Is there an existing prescription to get this done, or will I need to write my own logic for this?
In my app, when a user logs in, I save the UserBean in the
SessionStorage. In my UserBean I have a function hasPermission, which
looks a bit like this:
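<cffunction name="hasPermission" output="false" access="public" returntype="boolean">
    <cfargument name="permission" type="string" required="true" />
    <cfset var permissions = this.getPermissionStruct() />
    <cfset var i = '' />
    <!--- Assumption: permission names are the keys of the permission struct --->
    <cfloop collection="#permissions#" item="i">
        <cfif i EQ arguments.permission>
            <cfreturn true />
        </cfif>
    </cfloop>
    <cfreturn false />
</cffunction>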
The permission struct holds all permissions for a logged in user, and
the function just looks for a specific permission. In my code, I can
do <cfif user.hasPermission('edit_user')> for instance.
Hope that helps!
I pretty much do what Erik-Jan does. The only other thing I do is allow some users “god” access. If that key exists then I allow everything.
I have a similar concept, but I call it ‘Chuck Norris’ access
I concede. No way my God access can compete with your Chuck Norris action!
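
A sketch of the hasAccess(event) helper asked for at the top of the thread, combining the permission struct and the allow-all key from the replies. This is an added example, not code from any poster or from ColdBox itself; the rule shape (securelist, permissions), the "god" key name, the eventMatches helper and the sample data are all assumptions.

```cfml
<cfscript>
// Assumed rule shape: "securelist" is a comma-separated list of regexes matched
// against the event, "permissions" a comma-separated list of permission names,
// any one of which grants access. "god" is the hypothetical allow-all key.
function hasAccess( required string event, required struct userPermissions, required array rules ){
    if( structKeyExists( arguments.userPermissions, "god" ) ){
        return true;
    }
    for( var rule in arguments.rules ){
        if( !eventMatches( arguments.event, rule.securelist ) ){
            continue;
        }
        // The first rule that secures the event decides; no relocation happens here
        for( var needed in listToArray( rule.permissions ) ){
            if( structKeyExists( arguments.userPermissions, trim( needed ) ) ){
                return true;
            }
        }
        return false;
    }
    // No rule secures this event, so the link is public
    return true;
}

function eventMatches( required string event, required string patternList ){
    for( var pattern in listToArray( arguments.patternList ) ){
        if( reFindNoCase( trim( pattern ), arguments.event ) GT 0 ){
            return true;
        }
    }
    return false;
}

// Constructed sample data: two rules, three menu links, one logged-in user
rules = [
    { securelist = "^user\.edit$,^user\.delete$", permissions = "edit_user" },
    { securelist = "^admin\.", permissions = "admin_panel" }
];
menu = [ "main.index", "user.edit", "admin.dashboard" ];
userPermissions = { edit_user = true };
visible = [];
for( item in menu ){
    if( hasAccess( item, userPermissions, rules ) ){
        arrayAppend( visible, item );
    }
}
writeDump( visible ); // the links this user should see in the menu
</cfscript>
```

This only decides which links the menu renders; the security interceptor still has to enforce the same rules when the event is actually requested.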