Security/Permissions for Elements on a Page

I’m working on setting up the security interceptor for a new app I’m developing and I am wondering: what is the best way to go about handling permissions for viewing certain elements on a page? For example, let’s say I have a view that has a table displaying a list of records that users can view. Most users can just view them but some users are given a button for each row to let them delete/edit. Usually I’d just look at the session variables, determine if their level is great enough to display the buttons, then show the button or not. I’d like to encapsulate that better with this new app so that if we change the way we do security (a very likely possibility) I won’t have references to session variables all over the place.

My understanding is that the security interceptor can only be used at the event level and so I won’t be able to use it to determine what page elements to display to a user. But, I could always have separate events and separate views for each type of user (which seems like overkill and way too much duplication). So how does everyone handle this?

I’d ask the user for their role or access level. Assuming you have a user object, in my view I’d do something like

<cfif user.isAdmin()>
view part for admins
</cfif>

Your code is then triggered by the “isAdmin()” function but the logic of what determines that exists in one place.

Gabriel

One thing that I have done is check the link and see if they have access to the event I am linking to before displaying. So in my security manager I have a checkEvent() method that reads my rules from the security interceptor and checks the event I pass in against them.

<cfif securityManager.checkEvent('user.edit')>
#event.buildLink('user.edit')#
</cfif>

Curt

I agree with Gabriel’s approach to this. Keep the logic inside the user object, with isRole() and hasPermission() type methods.

Curt’s approach is also a very nice one. My approach is slightly different in that I don’t proxy requests through a service.

I have a custom Interceptor that I use, which loads the current user object at the start of the request into the request collection. I can then use this both within the controller and the view for various tasks.

I’m sure there are pros and cons to both.

Robert

I definitely like the idea for isRole/hasPermission type functions.

@Curt Is the code for your checkEvent method available somewhere to look at?

Well, it works like this…

I get the security interceptor in my securityManager…

<cfset variables.SecurityInterceptor = arguments.interceptorService.getInterceptor("security")>

Then my checkEvent uses it to get the rules, and I check the event pattern with regex.

// get the rules from the SecurityInterceptor so that they come from cache
var rules = variables.SecurityInterceptor.getProperty('rules');
var rulesLen = arrayLen(rules);
var i = 0;

for(i=1; i lte rulesLen; i=i+1){
    // a whitelisted event is always allowed
    if( isEventInPattern(currentEvent,rules[i].whitelist) ){
        return true;
    }
    // the first rule whose securelist matches decides the outcome
    if( isEventInPattern(currentEvent,rules[i].securelist) ){
        if( userValidator(rules[i],variables.messagebox,variables.controller) eq false ){
            // clear the message box because we don't want a message, just whether they have access or not
            variables.messagebox.clearMessage();
            return false;
        }
        break;
    }
}
// no rule denied the event
return true;

<cfset var pattern = "">
<cfif variables.SecurityInterceptor.getProperty('useRegex')>
<cfif reFindNocase(trim(pattern),arguments.currentEvent)>
<cfelseif findNocase(trim(pattern),arguments.currentEvent)>

Hope that helps.

Curt Gratz

Computer Know How
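An added example, not part of the thread or of ColdBox's own code: a self-contained cfscript sketch of the rule check described in the post above, run against constructed rules. The `roles` field, `userHasRole()` (a stand-in for `userValidator`) and the sample events are assumptions for illustration; the last column shows that a plain-text pattern matches by substring, while the anchored regex in the rules does not.

```cfml
<cfscript>
// Constructed sample rules; "roles" is an assumed field, whitelist/securelist follow the thread.
rules = [
    { whitelist = "user.login", securelist = "^user\.(edit|delete)$", roles = "admin" },
    { whitelist = "", securelist = "^report\.", roles = "admin,auditor" }
];

// True when the event matches any pattern in a comma-delimited list.
function isEventInPattern( required string currentEvent, required string patternList, boolean useRegex = true ){
    for( var pattern in listToArray( arguments.patternList ) ){
        var p = trim( pattern );
        if( arguments.useRegex ){
            if( reFindNoCase( p, arguments.currentEvent ) ){ return true; }
        } else if( findNoCase( p, arguments.currentEvent ) ){
            return true;
        }
    }
    return false;
}

// Hypothetical stand-in for userValidator: any shared role grants access.
function userHasRole( required string userRoles, required string allowedRoles ){
    for( var role in listToArray( arguments.allowedRoles ) ){
        if( listFindNoCase( arguments.userRoles, trim( role ) ) ){ return true; }
    }
    return false;
}

// Same flow as the thread's checkEvent: whitelist wins, then the first matching securelist decides.
function checkEvent( required string currentEvent, required string userRoles, required array rules, boolean useRegex = true ){
    for( var rule in arguments.rules ){
        if( isEventInPattern( arguments.currentEvent, rule.whitelist, arguments.useRegex ) ){ return true; }
        if( isEventInPattern( arguments.currentEvent, rule.securelist, arguments.useRegex ) ){
            return userHasRole( arguments.userRoles, rule.roles );
        }
    }
    return true; // event not covered by any rule is allowed, as in the thread's code
}

// Constructed events: compare a "member" and an "admin", plus plain-text matching of "user.edit".
events = [ "user.login", "user.edit", "superuser.editProfile", "report.list" ];
for( e in events ){
    writeOutput( e & ": member=" & checkEvent( e, "member", rules )
        & " admin=" & checkEvent( e, "admin", rules )
        & " plainTextMatch(user.edit)=" & isEventInPattern( e, "user.edit", false ) & "<br>" );
}
</cfscript>
```

A check like this only decides whether to render the link; the security interceptor still has to enforce the same rules when the event itself is requested.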

Thanks!