ColdFusion Talk (CF-Talk)
user control - permissions - roles
Author: Sandy Clark
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164073
I tend to use a lock and key approach, with 3 tables. Items are locked and a user must have
the appropriate key to use the system.
Profile
privileges
profile_privileges
Profile has profile_id and name in it.
Privileges is usually a privilege name and id.
profile_privileges then has priv_id, profile_id (many-to-many table).
Each user is assigned a profile. Many users may belong to the same group.
Privileges are associated with a profile.
I have a custom tag/UDF called validate_permission which simply checks that
the profile id has the privilege id which is associated with a particular
name, e.g. if validate_permission(profile_id, priv_name) is true.
Since I do use Fusebox, I've actually written an entire security system
around it which allows using the <fuseaction permission /> attribute to
secure circuits or fuseactions to specific privileges. I can also use the
UDF internally in scripts to secure specific lines of code.
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164065
[Original message]<<<<I would recommend using a permission object-based
framework over roles-based. The problem with relying on roles is that when
you need to allow another role to insert or update, you have to go through
the templates where inserts or updates are referenced and change the code.
Very inflexible. But if you're using a permission object-based model, you
assign that object id to any number of roles, and if the logged-in user has
the role which contains that ID, then access is granted.
You can write a udf that could do something like this.
<cfif isAllowed("update user record")>
show update link here
</cfif>>>>>
Nick, I'm trying to understand how this would appear in practice. Does
this mean you’d have a table of authority levels or groups, a table of
things they could do, and a many-many table linking them together? In
which case a user would have a record in the user table, a number of
records in the user-groups table linking the user to one or more groups?
Is this how it would be?:
Tbl_USERS (All user information)
Userid
Username
etc
Tbl_GROUPS (Group names)
GroupID
Groupname
Tbl_AUTHORITYLEVELS (Authority Levels)
AuthorityLevelID
Authorityname
Tbl_TASKS (The tasks different groups can perform)
TaskID
TaskName
Tbl_USERSGROUPS (allocates users to groups)
UserGroupID
UserID
GroupID
Tbl_GROUPAUTHORITIES (allocates authority levels to different groups)
GroupAuthorityID
GroupID
AuthoritylevelID
Tbl_TASKSAUTHORITIES (Allocates tasks to different authority levels)
TaskAuthorityID
TaskID
AuthorityLevelID
Cheers
Mike Kear
Windsor, NSW, Australia
AFP Webworks
http://afpwebworks.com
Author: Jim
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164059
CT> i'm looking for any example how to create an user control with roles
CT> permissions... like Administrator is God, Managers could insert and
CT> change, SK8er Boy could only view certain aspects from appl....
Hal Helms has a good technique here:
http://halhelms.com/writings/ProposedSecurityModel.pdf
and some code here: http://www.halhelms.com/code/resources/secure.zip
I've used it when I was still on CF4.5. I've since migrated to MX but
haven't checked out CFLogin yet.
Jim
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164045
Using the ones in between the 10s would only be for a special case.
Other than that, you'd just have your basic 10 (0,10,20...90). You
don't have to give each user their own role. It depends on the app and
the needs. I just know that I've thought too small in the past and it
ended up coming back to bite me later. If your app only needs a couple
of roles, I don't understand what it is that you're asking for
suggestions for. That sounds quite easy and for you <cflogin> would
probably work with its associated functions.
John Burns
Author: Nick Han
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164044
I would recommend using a permission object-based framework over roles-based.
The problem with relying on roles is that when you need to allow another role
to insert or update, you have to go through the templates where inserts or
updates are referenced and change the code. Very inflexible. But if you're
using a permission object-based model, you assign that object id to any number
of roles, and if the logged-in user has the role which contains that ID, then
access is granted.
You can write a udf that could do something like this.
<cfif isAllowed("update user record")>
show update link here
</cfif>
Any user who has the security role that has this ID will pass the test. You can
revoke a permission right from a role by simply removing that object id from the
role.
Nick Han
>>> spectrum@post.com 05/21/04 12:18PM >>>
Hi all
i'm looking for any example how to create an user control with roles
permissions... like Administrator is God, Managers could insert and change, SK8er
Boy could only view certain aspects from appl....
Please do you have any example?
Thanx in advance.
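The permission-object model Nick describes above and the profile/privilege tables Sandy describes at the top of the thread have the same shape: a user holds roles (profiles), a role holds permission objects (privileges), and the check joins through both link tables, so granting or revoking is a row change rather than a template edit. Mike's table design adds one more indirection (group to authority level to task) and extends the same join by one table. What follows is an added example, not code posted by anyone in the thread; it uses Python and sqlite3 rather than ColdFusion, and every table, column, role, permission and action name, as well as the sample data, is this example's own assumption. It also shows a central action-to-permission map that denies unmapped actions, the deny-by-default counterpart of securing each fuseaction with a required privilege instead of scattering cfif checks, and a small contrast with the numeric-tier check described further down the thread, where a role slotted "in between the tens" for one section also satisfies every GT-style threshold it happens to exceed.

```python
"""Permission-object authorization backed by a relational store.

Added example, not from the thread. Shape:
    users -> user_roles -> roles -> role_permissions -> permissions
Templates only ever ask is_allowed(); granting and revoking are data changes.
Schema, names and sample data are this example's own assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users       (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE roles       (role_id INTEGER PRIMARY KEY, name     TEXT NOT NULL UNIQUE);
CREATE TABLE permissions (perm_id INTEGER PRIMARY KEY, name     TEXT NOT NULL UNIQUE);
CREATE TABLE user_roles  (user_id INTEGER NOT NULL REFERENCES users(user_id),
                          role_id INTEGER NOT NULL REFERENCES roles(role_id),
                          PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permissions (role_id INTEGER NOT NULL REFERENCES roles(role_id),
                               perm_id INTEGER NOT NULL REFERENCES permissions(perm_id),
                               PRIMARY KEY (role_id, perm_id));
"""


def open_store():
    """In-memory store loaded with constructed sample data (Administrator,
    Manager and a view-only role, mirroring the thread's three user kinds)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "root"), (2, "manager"), (3, "sk8er")])
    db.executemany("INSERT INTO roles VALUES (?, ?)",
                   [(1, "Administrator"), (2, "Manager"), (3, "Viewer")])
    db.executemany("INSERT INTO permissions VALUES (?, ?)",
                   [(1, "view record"), (2, "update user record"), (3, "delete record")])
    # A user may hold several roles: the manager also holds Viewer.
    db.executemany("INSERT INTO user_roles VALUES (?, ?)",
                   [(1, 1), (2, 2), (2, 3), (3, 3)])
    db.executemany("INSERT INTO role_permissions VALUES (?, ?)",
                   [(1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (3, 1)])
    db.commit()
    return db


def is_allowed(db, user_id, permission_name):
    """True if any role held by user_id has been granted permission_name."""
    row = db.execute(
        """SELECT 1
             FROM user_roles ur
             JOIN role_permissions rp ON rp.role_id = ur.role_id
             JOIN permissions p        ON p.perm_id  = rp.perm_id
            WHERE ur.user_id = ? AND p.name = ?
            LIMIT 1""",
        (user_id, permission_name),
    ).fetchone()
    return row is not None


def _ids(db, role_name, permission_name):
    role = db.execute("SELECT role_id FROM roles WHERE name = ?", (role_name,)).fetchone()
    perm = db.execute("SELECT perm_id FROM permissions WHERE name = ?",
                      (permission_name,)).fetchone()
    if role is None or perm is None:
        raise KeyError(f"unknown role or permission: {role_name!r}, {permission_name!r}")
    return role[0], perm[0]


def grant(db, role_name, permission_name):
    """Attach a permission object to a role: no template changes needed."""
    db.execute("INSERT OR IGNORE INTO role_permissions VALUES (?, ?)",
               _ids(db, role_name, permission_name))
    db.commit()


def revoke(db, role_name, permission_name):
    """Detach it again; every subsequent is_allowed() call sees the change."""
    db.execute("DELETE FROM role_permissions WHERE role_id = ? AND perm_id = ?",
               _ids(db, role_name, permission_name))
    db.commit()


# Central map from application action to the permission it requires. Actions
# not listed here are denied, the deny-by-default analogue of securing each
# fuseaction with a required privilege. Names are this example's own.
ACTION_PERMISSIONS = {
    "record.view":   "view record",
    "record.update": "update user record",
    "record.delete": "delete record",
}


def authorize_action(db, user_id, action):
    """Single enforcement point: unknown action or missing permission -> False."""
    required = ACTION_PERMISSIONS.get(action)
    return required is not None and is_allowed(db, user_id, required)


def tier_allows(role_number, threshold, exceptions=()):
    """The numeric-tier check from the thread (role GT threshold, or a listed
    specific role). Any role numbered above the threshold passes, including a
    section-specific role slotted between the tens for one feature only."""
    return role_number > threshold or role_number in exceptions


if __name__ == "__main__":
    db = open_store()
    print(is_allowed(db, 2, "update user record"))  # True: Manager holds it
    revoke(db, "Manager", "update user record")
    print(is_allowed(db, 2, "update user record"))  # False: row removed, code untouched
    print(authorize_action(db, 1, "record.purge"))  # False: unmapped action is denied
    print(tier_allows(65, 60))                      # True: 65 passes every GT 60 check
```

The thread's `isAllowed("update user record")` maps onto `is_allowed(db, session_user_id, "update user record")`; the role-to-permission rows are the only thing an administrator edits, and the one place an application developer touches is the action map when a new action is introduced.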
Author: Spectrum WebDesign
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164042
Thanx John,
but using your suggestion, maybe our code will become very hard to maintain...
Look at this:
<cfif UserRole is 34 OR UserRole is 56>
Click here to edit this record
</cfif>
<cfif UserRole is 67 OR UserRole is 81>
Click here to delete this record
</cfif>
Why don't you use Group Roles?
Thanx once more again
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164039
The body of your email message is over 100 lines. Unless you are a major
writer, you're probably adding a lot of the previous replies. Please trim
your posts when replying. Thank you.
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164038
<cflogin> isn't flexible enough for me. You have limited control over
your querying of that data...only the functions provided in CF. I do a
user table, a role-name table and a user-role table. The user table
holds basic user info. The role-name table holds info about the role
(name, description, etc). The user-role table ties the two together.
This allows the person to have multiple roles. Then, I just code in my
app that certain role-ids can do certain things. I've also done it
where the roles are numbered 0, 10, 20, 30, 40, 50, 60, 70, 80, 90 and
then if you need to create specific roles for certain sections of the
site, you can do it in between the existing role numbers. Then you can
just check <cfif userRole GT 60> to see if the person is above 60 and if
so, that means they can do this certain thing, or you can check <cfif
userRole GT 90 or userRole EQ 43> to see if the user is an admin or if
they have a specific role to let them do this one thing.
John
Author: Tony Weeg
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164037
Heck.
What am I thinking?
Isn't there an isUserInRole() function in CF that will check that kind of stuff
too?
To all list people: in your role-based security applications, how have you
done it?
With isUserInRole(), and cflogin, etc?
tw
Author: Tony Weeg
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164036
It's up to you, really.
I guess you could cfcase/cfswitch it, as well.
tw
Author: Spectrum WebDesign
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164035
Thanx, good... great job... but are the thousands of cfifs still needed?
Thanx for your time.
Author: Tony Weeg
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164032
Easiest way is in your user table, where you store
usernames/passwords, have a roleId, and then when
they log in and you process the login information, you can
set a session variable that is their roleId, and then base some permissions
around that value.
How?
You can cfif yourself to death:
<cfif session.roleId eq 1>
You are god
<cfelseif session.roleId eq 2>
You are a demi-god
<cfelseif session.roleId eq 3>
You are a sk8r boy
<cfelseif session.roleId eq 0>
You are sysadmin
</cfif>
I always like to keep roleID 0 for "Omniscient Role" where you are not only
the top level, but you are something bigger, code changer, etc.
Then you can roll up permissions too....
<cfif session.roleId lte 1>
You are here, because you are a god or demi-god
<cfelseif session.roleId lte 3>
You are here, because you are a demi-god, god, or peon
</cfif>
Anyway, you get the point.
:) tony
Author: Spectrum WebDesign
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32699#164030
Hi all,
I'm looking for any example of how to create user control with roles and
permissions... like Administrator is God, Managers could insert and change, SK8er
Boy could only view certain aspects of the app....
Do you have any example, please?
Thanx in advance.
--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm
May 24, 2012