#box-products

elpete

03/22/2022, 6:53 PM
The hasPermission method gets that string and you handle it however you'd like to return true or false.

danmurphy

03/22/2022, 6:58 PM
Ah, the hasPermission() from the User model then. Ok, cool.
Ok, we are doing some refactoring and I see what was wrong now. Thanks. Related question - is there a “best” way to set the User’s permissions? I see the examples of the hasPermission() function where variables.permissions on the user object are just being checked against the passed-in permissions. But is there a preferred/favorite method of getting the permissions there? (via the UserService after finding the User, just a helper method in the User object, some combo of functions, etc.)

wil-shiftinsert

03/22/2022, 7:31 PM
Roles vs permissions is a bit confusing in cbsecurity. There are two main default validators, CFAuth and CBAuth. If you are using RULES instead of annotations there is a very important difference. CFAuth is using roles (based on the ColdFusion security model) in your rules:
struct function ruleValidator( required rule, required controller ){
    return validateSecurity( arguments.rule.roles );
}
and CBAuth is using permissions, so there you should specify permissions in your rules:
struct function ruleValidator( required rule, required controller ){
    return validateSecurity( arguments.rule.permissions );
}
For annotation-based security both validators behave the same:
struct function annotationValidator( required securedValue, required controller ){
    return validateSecurity( arguments.securedValue );
}
So no difference here on annotations. I wrote quite a few blog posts on cbsecurity, which might be helpful: https://shiftinsert.nl/tag/cbsecurity/ In many of my projects I am using users which have ROLES. And each role has PERMISSIONS, so if I need a fine-grained security system I implement the hasPermission method on the User model by trying to find the requested permission on each assigned user role.
And beware: in hasPermission( required permission ) the required permission can be A LIST of permissions, so if you annotate with secure="somePermission,otherPermission" you have to check ALL permissions until you find one which is assigned to the user, e.g.
// true as soon as any of the requested permissions is in the user's permission list
result = arguments.permission.some( ( perm ) => {
    return listFindNoCase( getUserLevelPermissions(), perm );
} );
Last remark: rule validation is absolutely more flexible (although annotation validation is simple and often sufficient). I use them both in different projects.

danmurphy

03/22/2022, 7:49 PM
Thanks! For us, Users have roles and Roles have Permissions and we check everything based on permissions. The handler annotation stuff is nice because it is right there on the handler instead of having to validate against rules somewhere else, but that’s just preference. Just trying to now determine where the best place to get the permissions is. It looks like we are currently setting roles and permissions after validating and retrieving the User in the retrieveUserByUsername() method in the UserService, but that seems like it might be weird?

wil-shiftinsert

03/22/2022, 7:58 PM
We store the roles in the user object and have a roleHasPermission method in a separate RoleService. The number of roles and permissions is relatively small, so we cache them all. In our user method we loop through all roles and check the permission, and exit when found.

danmurphy

03/22/2022, 8:03 PM
I feel like I want 10 different examples from 10 different apps from 10 different authors to see what I like and don’t like about the approaches. 😄

wil-shiftinsert

03/22/2022, 8:07 PM
Well, even in different projects we use different approaches. Just see what you like most, but make sure retrieving your user on every request remains fast. That's why we cache all roles.