You can write your own custom validators with CBSecurity
Registration
To register your own custom security validator, open config/Coldbox.cfc and add the validator key, with the value being a WireBox ID that points to the object that will provide the validation.
A security validator object is a simple CFC that implements the following functions:
cbsecurity/interfaces/IUserValidator.cfc
```cfc
/**
 * Copyright since 2016 by Ortus Solutions, Corp
 * www.ortussolutions.com
 * ---
 * All security validators must implement the following methods
 */
interface {

    /**
     * This function is called once an incoming event matches a security rule.
     * You will receive the security rule that matched and an instance of the ColdBox controller.
     *
     * You must return a struct with three keys:
     * - allow:boolean True, user can continue access, false, invalid access actions will ensue
     * - type:string(authentication|authorization) The type of block that occurred. Either an authentication or an authorization issue
     * - messages:string Info/debug messages
     *
     * @return { allow:boolean, type:string(authentication|authorization), messages:string }
     */
    struct function ruleValidator( required rule, required controller );

    /**
     * This function is called once access to a handler/action is detected.
     * You will receive the secured annotation value and an instance of the ColdBox Controller
     *
     * You must return a struct with three keys:
     * - allow:boolean True, user can continue access, false, invalid access actions will ensue
     * - type:string(authentication|authorization) The type of block that occurred. Either an authentication or an authorization issue
     * - messages:string Info/debug messages
     *
     * @return { allow:boolean, type:string(authentication|authorization), messages:string }
     */
    struct function annotationValidator( required securedValue, required controller );

}
```
Each validator must return a struct with the following keys:
allow:boolean A Boolean indicating whether access may continue (true) or an authentication/authorization violation occurred (false)
type:string(authentication|authorization) A string that indicates the type of violation: authentication or authorization
messages:string Info/debug/error messages
Example
Here is a sample validator using permission-based security in both the rule and the annotation context.
models/SecurityService.cfc
```cfc
component implements="cbsecurity.interfaces.IUserValidator" {

    // "security" is assumed here to be an injected service that exposes getCurrentUser()
    property name="security" inject="SecurityService";

    struct function ruleValidator( required rule, required controller ){
        return permissionValidator( rule.permissions, controller, rule );
    }

    struct function annotationValidator( required securedValue, required controller ){
        return permissionValidator( securedValue, controller );
    }

    private function permissionValidator( permissions, controller, rule ){
        var results = { "allow" : false, "type" : "authentication", "messages" : "" };
        var user    = security.getCurrentUser();

        // First check if user has been authenticated.
        if ( user.isLoaded() AND user.isLoggedIn() ){
            // Do we have the right permissions
            if ( len( arguments.permissions ) ){
                // Note: the argument is "permissions" (plural); "arguments.permission" would be undefined
                results.allow = user.checkPermission( arguments.permissions );
                results.type  = "authorization";
            } else {
                results.allow = true;
            }
        }

        return results;
    }

}
```
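The sample above treats the secured value as a single permission. As an added example (not CBSecurity's own code), the validator below generalizes it to a comma-delimited list such as secured="users:read,users:write", requires every listed permission, and fills in messages so a denied request can be diagnosed from the logs. It assumes the same injected "security" service and user object methods (isLoaded, isLoggedIn, checkPermission) as the sample, and the settings struct placement shown in its header comment.

```cfc
/**
 * Added example, not part of the CBSecurity distribution.
 * Assumed registration in config/Coldbox.cfc (struct placement assumed):
 *   moduleSettings = { cbsecurity = { validator = "PermissionValidator" } };
 * The implements path assumes the module is reachable via a "cbsecurity" mapping.
 */
component implements="cbsecurity.interfaces.IUserValidator" singleton {

    // WireBox ID of your own service exposing getCurrentUser() (placeholder name)
    property name="security" inject="SecurityService";

    struct function ruleValidator( required rule, required controller ){
        return permissionValidator( arguments.rule.permissions, arguments.controller );
    }

    struct function annotationValidator( required securedValue, required controller ){
        return permissionValidator( arguments.securedValue, arguments.controller );
    }

    /**
     * Core check. Returns the struct CBSecurity expects: { allow, type, messages }.
     * - Anonymous user                 -> allow=false, type=authentication
     * - Logged in, missing a perm      -> allow=false, type=authorization, messages names it
     * - Logged in, empty perm list     -> allow=true (only authentication was required)
     */
    private struct function permissionValidator( required string permissions, required controller ){
        var results = { "allow" : false, "type" : "authentication", "messages" : "" };
        var user    = security.getCurrentUser();

        // Fail closed before touching permissions: an anonymous user is an authentication problem
        if ( !( user.isLoaded() AND user.isLoggedIn() ) ){
            results.messages = "Authentication required";
            return results;
        }

        results.type = "authorization";
        var missing  = [];
        // Require ALL listed permissions; trim so "a, b" and "a,b" behave the same
        for ( var perm in listToArray( arguments.permissions ) ){
            if ( !user.checkPermission( trim( perm ) ) ){
                arrayAppend( missing, trim( perm ) );
            }
        }

        results.allow    = ( arrayLen( missing ) == 0 );
        results.messages = results.allow ? "" : "Missing permission(s): " & arrayToList( missing );
        return results;
    }

}
```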
That's it! Go validate!
The configured authentication service must adhere to our IAuthService interface and the User object must adhere to the IAuthUser interface.
Remember that a validator can exist globally and on a per ColdBox Module le