elpete, 03/22/2022, 6:53 PM
hasPermission method gets that string and you handle it however you'd like to return true or false.

danmurphy, 03/22/2022, 6:58 PM
hasPermission() from the User model then. Ok, cool.
hasPermission() function where variables.permissions on the user object are just being checked against the passed-in permissions. But is there a preferred/favorite method to getting the permissions there? (via the UserService after finding the User, just a helper method in the User object, some combo of functions, etc)

wil-shiftinsert, 03/22/2022, 7:31 PM
    struct function ruleValidator( required rule, required controller ){
        return validateSecurity( arguments.rule.roles );
    }

and cbAuth is using permissions, so there you should specify permissions in your rules

    struct function ruleValidator( required rule, required controller ){
        return validateSecurity( arguments.rule.permissions );
    }

For annotation based security both validators behave the same

    struct function annotationValidator( required securedValue, required controller ){
        return validateSecurity( arguments.securedValue );
    }

So no difference here on annotations.
I wrote quite a few blog posts on cbsecurity, which might be helpful.
https://shiftinsert.nl/tag/cbsecurity/
In many of my projects I am using users which have ROLES. And each role has PERMISSIONS, so if I need a fine-grained security system I implement the hasPermission user on the User model by trying to find the requested permission on each assigned user role.

    hasPermission( required permission )

the required permission can be A LIST of permissions, so if you annotate with secure="somePermission,otherPermission"
you have to check ALL permissions until you find one which is assigned to the user, e.g.

    // arguments.permission is a comma-delimited list; convert it to an array so .some() applies
    result = listToArray( arguments.permission ).some( ( perm ) => {
        // true as soon as one requested permission is found in the user's permissions
        return listFindNoCase( getUserLevelPermissions(), perm );
    } );

Last remark: rule validation is absolutely more flexible (although annotation validation is simple and often sufficient). I use them both in different projects.

danmurphy, 03/22/2022, 7:49 PM
retrieveUserByUsername() method in the UserService
but that seems like it might be weird?

wil-shiftinsert, 03/22/2022, 7:58 PM

danmurphy, 03/22/2022, 8:03 PM

wil-shiftinsert, 03/22/2022, 8:07 PM