The `hasPermission` method gets that string and you handle i

Question

The `hasPermission` method gets that string and you handle it however you d like to return true or false

danmurphy · Answer

Ah the `hasPermission ` from the User model then Ok cool

danmurphy · Answer

Ok we are doing some refactoring and I see what was wrong now Thanks Related question is there a best way to set the User s permissions I see the examples of the `hasPermission ` function where variables permissions on the user object are just being checked against the passed in permissions But is there a preferred favorite method to getting the permissions there via the UserService after finding the User just a helper method in the User object some combo of functions etc

wil-shiftinsert · Answer

roles vs permissions is a bit confusing in cbsecurity There are two main default validators CFAuth and CBAuth If you are using RULES instead of annotations there is very important difference CFAUTH is using roles based on coldfusion security model in your rules ```struct function ruleValidator required rule required controller return validateSecurity arguments rule roles ``` and cbAuth is using permissions so there you should specify permissions in your rules ```struct function ruleValidator required rule required controller return validateSecurity arguments rule permissions ``` For annotation based security both validators behave the same ```struct function annotationValidator required securedValue required controller return validateSecurity arguments securedValue ``` So no difference here on annotations I wrote quite a few blog posts on cbsecurity which might be helpful <https shiftinsert nl tag cbsecurity > In many of my projects I am using users which have ROLES And each role has PERMISSIONS so if I need a finegrained security system I implement the hasPermission user on the User model by trying to find the requested permission on each assigned user role

wil-shiftinsert · Answer

and beware `hasPermission required permission ` the required permission can be A LIST of permissions so if you annotate with `secure= somePermission otherPermission ` you have to check ALL permissions until you find one which is assigned to the user e g ```result = argument permission some perm = gt return listFindNocase getUserLevelPermissions perm ``` Last remark rule validation is absolutely more flexible although annotation validation is simple and often sufficient I use them both in different projects

danmurphy · Answer

Thanks For us Users have roles and Roles have Permissions and we check everything based on permissions The handler annotation stuff is nice because it is right there on the handler instead of having to validate against rules somewhere else but that s just preference Just trying to now determine where the best place to get the permissions is It looks like we are currently setting roles and permissions after validating and retrieving the User in the `retrieveUserByUsername ` method in the `UserService` but that seems like it might be weird

wil-shiftinsert · Answer

We store the roles in the user object ad have a rolehaspermission method in a separate roleservice The number of roles and permissions is relatively small so we cache them all In our usermethod we loop through all roles and check permission and exit when found

danmurphy · Answer

I feel like I want 10 different examples from 10 different apps from 10 different authors to see what I like and don t like about the approaches smile

wil-shiftinsert · Answer

Well even in different projects we use different approaches Just see what you like most but just make sure retrieving your user on every request remains fast That s why we cache all roles