>> GreenByte.info By Nick Tong (quiksilv) | Supported by: TalkWebSolutions.co.uk

Permissions attribute in fusebox

Here is an overview of the permissions attribute and how you can use it within fusebox.

From: http://halhelms.com/index.cfm?fuseaction=newsletters.show&issue=052203_rolesBasedSecurity

<circuit access="public" permission="useQuizBuilder">
    <fuseaction name="deleteQuiz" permission="deleteQuiz">
        ...
    </fuseaction>
</circuit>
Fusebox itself does not apply any security check, but it does make the values set in these attributes available to the programmer. It then becomes a simple matter of a few lines of code to write whatever challenge code you wish. For example, we might write a plugin to ensure that, to use any fuseaction in the circuit, the user must have the useQuizBuilder permission. If the user wants to delete a quiz, s/he can now be challenged for the deleteQuiz key as well. The rules for permission binding can be stored in and retrieved from database table(s), XML files, .ini files, web services, etc.

You then need to create a plug-in that checks whether the permissions required by the fuseaction (or circuit) are held by the current user, for example plugins/listCheckSecurity.cfm:

<!--- plugins/listCheckSecurity.cfm --->
<!--- inheritFromCircuit and useCircuitTrace are optional booleans that control inheritance of permissions. The defaults are true (fuseaction inherits from circuit) and false (circuit does not inherit from parent) respectively. --->
<cfset inheritFromCircuit = true />
<cfset useCircuitTrace = false />
<!--- get the user's roles (enter the required permissions here to test; a real application would look the roles up dynamically, e.g. from the session or a database) --->
<cfset roles = "" />
<cfset f_permissions = myFusebox.getCurrentFuseaction().getPermissions(inheritFromCircuit, useCircuitTrace) />
<cfset c_permissions = myFusebox.getCurrentCircuit().getPermissions(inheritFromCircuit, useCircuitTrace) />

<cfif ListLen(f_permissions, ",")>
    <!--- the fuseaction requires permissions: deny unless the user holds at least one of them --->
    <cfset plugin.isAllowed = false />
    <cfloop list="#f_permissions#" index="aPermission">
        <cfif ListFindNoCase(roles, aPermission, ",")>
            <cfset plugin.isAllowed = true />
            <cfbreak>
        </cfif>
    </cfloop>
<cfelseif ListLen(c_permissions, ",")>
    <!--- no fuseaction-level permissions, so fall back to the circuit's --->
    <cfset plugin.isAllowed = false />
    <cfloop list="#c_permissions#" index="aPermission">
        <cfif ListFindNoCase(roles, aPermission, ",")>
            <cfset plugin.isAllowed = true />
            <cfbreak>
        </cfif>
    </cfloop>
<cfelse>
    <!--- nothing is required at either level --->
    <cfset plugin.isAllowed = true />
</cfif>

<cfif NOT plugin.isAllowed>
    <!--- the fuseaction and circuit names come from the request, so HTML-escape them before they reach the error page --->
    <cfthrow type="fusebox.securityException"
             message="Permissions error"
             detail="The fuseaction <strong>#HTMLEditFormat(myFusebox.thisFuseaction)#</strong> in circuit <strong>#HTMLEditFormat(myFusebox.thisCircuit)#</strong> requires certain permissions (#f_permissions# / #c_permissions#) which you do not possess." />
</cfif>
If the check fails, this throws a security exception. Fusebox itself will pick this error up if you add the following to fusebox.xml:

<phase name="processError">
    <plugin name="securityException" />
</phase>

NOTE: your plugin error page, /plugins/securityException.cfm, should have the same name as the exception type you throw:

<cfthrow type="fusebox.securityException" ... />
Then, within your exception page (securityException.cfm), use cfcatch to handle the error, e.g.:

<!--- processError plugins run inside the core's cftry/cfcatch, so the cfcatch structure is available here; a bare <cfcatch> tag is not valid outside <cftry> --->
<cfif cfcatch.type eq "fusebox.securityException">
    <cfoutput>
        <h1>Ooooopppsss! You can't do that!</h1>
        <p>#cfcatch.message#</p>
        <p>#cfcatch.detail#</p>
        &laquo; <a href="javascript:history.go(-1)">back</a>
    </cfoutput>
</cfif>
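As an added example (not code from this post or from Fusebox), here is a Python model of the plugin's list logic; the names effective_permissions, is_allowed_any and is_allowed_all are chosen here, and the order in which the inherited circuit permissions are merged is assumed. It shows a caveat worth knowing before relying on the plugin: because the loop grants access on the first matching permission and the fuseaction inherits the circuit's permissions by default, a user holding only useQuizBuilder passes the check for deleteQuiz; an all-required variant is shown alongside.

```python
# Added example (not from the original post): a Python model of the plugin's
# permission check, to show how the any-match loop interacts with inheritance.
# Permission lists are comma-delimited strings, as Fusebox returns them, and
# matching is case-insensitive, mirroring ListFindNoCase.

def _split(lst: str) -> list:
    """Split a comma-delimited CFML-style list, ignoring empty items."""
    return [item.strip() for item in lst.split(",") if item.strip()]


def effective_permissions(fuseaction_perms: str, circuit_perms: str,
                          inherit_from_circuit: bool = True) -> str:
    """What getPermissions(inheritFromCircuit, ...) yields for a fuseaction:
    with inheritance (the default) the circuit's permissions are included
    (placed first here; the order is assumed and does not affect the checks)."""
    perms = _split(circuit_perms) if inherit_from_circuit else []
    perms += _split(fuseaction_perms)
    return ",".join(perms)


def is_allowed_any(required: str, roles: str) -> bool:
    """The post's plugin: allowed if ANY required permission is among the
    user's roles; allowed unconditionally if nothing is required."""
    required_items = _split(required)
    if not required_items:
        return True
    user_roles = {r.lower() for r in _split(roles)}
    return any(p.lower() in user_roles for p in required_items)


def is_allowed_all(required: str, roles: str) -> bool:
    """Stricter variant: the user must hold EVERY required permission."""
    user_roles = {r.lower() for r in _split(roles)}
    return all(p.lower() in user_roles for p in _split(required))


# Constructed scenario from the post's circuit.xml: deleteQuiz sits in a
# circuit that requires useQuizBuilder, and the user holds only that role.
DELETE_QUIZ_REQUIRED = effective_permissions("deleteQuiz", "useQuizBuilder")
BUILDER_ONLY_ROLES = "useQuizBuilder"

if __name__ == "__main__":
    print(DELETE_QUIZ_REQUIRED)                                     # useQuizBuilder,deleteQuiz
    print(is_allowed_any(DELETE_QUIZ_REQUIRED, BUILDER_ONLY_ROLES))  # True
    print(is_allowed_all(DELETE_QUIZ_REQUIRED, BUILDER_ONLY_ROLES))  # False
```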
