Custom Validator

Registration

To register your own custom security validator, open config/Coldbox.cfc and add the validator key; its value is a WireBox ID that points to the object that will perform the validation.

config/Coldbox.cfc
```cfml
moduleSettings = {
    cbSecurity = {
        validator = "SecurityService"
    }
}
```

Validator Interface

A security validator object is a simple CFC that implements the following functions:

cbsecurity/interfaces/IUserValidator.cfc
```cfml
/**
 * Copyright since 2016 by Ortus Solutions, Corp
 * www.ortussolutions.com
 * ---
 * All security validators must implement the following methods
 */
interface{

    /**
     * This function is called once an incoming event matches a security rule.
     * You will receive the security rule that matched and an instance of the ColdBox controller.
     *
     * You must return a struct with two keys:
     * - allow:boolean True, user can continue access, false, invalid access actions will ensue
     * - type:string(authentication|authorization) The type of block that occurred. Either an authentication or an authorization issue.
     *
     * @return { allow:boolean, type:string(authentication|authorization) }
     */
    struct function ruleValidator( required rule, required controller );

    /**
     * This function is called once access to a handler/action is detected.
     * You will receive the secured annotation value and an instance of the ColdBox Controller
     *
     * You must return a struct with two keys:
     * - allow:boolean True, user can continue access, false, invalid access actions will ensue
     * - type:string(authentication|authorization) The type of block that occurred. Either an authentication or an authorization issue.
     *
     * @return { allow:boolean, type:string(authentication|authorization) }
     */
    struct function annotationValidator( required securedValue, required controller );

}
```
Each validator must return a struct with the following keys:
  • allow (boolean): true lets the request continue; false denies it and the configured invalid-access actions run.
  • type (string, one of authentication|authorization): the kind of violation that occurred, so cbSecurity can react to a missing login differently from a missing permission.

Example

Here is a sample validator that applies permission-based security in both the rules context and the annotation context. An unauthenticated user is reported as an authentication failure; an authenticated user is then checked against the required permission and reported as an authorization decision.

models/SecurityService.cfc
```cfml
component {

    // Assumed collaborator: whatever service exposes getCurrentUser(). The original
    // snippet references `security` without showing where it comes from, so the
    // inject ID below is a placeholder you must replace with your own WireBox ID.
    property name="security" inject="YOUR_USER_SECURITY_SERVICE_ID";

    struct function ruleValidator( required rule, required controller ){
        // Rules carry the permissions they require in rule.permissions
        return permissionValidator( rule.permissions, controller, rule );
    }

    struct function annotationValidator( required securedValue, required controller ){
        // The value of the `secured` annotation is the permission the action requires
        return permissionValidator( securedValue, controller );
    }

    private function permissionValidator( permissions, controller, rule ){
        // Deny by default, and treat the denial as an authentication problem
        // until we know the user is actually logged in.
        var results = { "allow" : false, "type" : "authentication", "messages" : "" };
        var user = security.getCurrentUser();

        // First check if user has been authenticated.
        if( user.isLoaded() AND user.isLoggedIn() ){
            // Do we have the right permissions
            if( len( arguments.permissions ) ){
                // The user is known, so any denial from here on is an authorization issue
                results.allow = user.checkPermission( arguments.permissions );
                results.type = "authorization";
            } else {
                // Nothing specific is required: any authenticated user may continue
                results.allow = true;
            }
        }

        return results;
    }

}
```
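A validator is the one place where every secured request is decided, so it is worth pinning its contract down with tests. The TestBox spec below is an added example and not part of the original page or the cbSecurity project; it assumes the SecurityService component above lives at models/SecurityService.cfc, that its `security` property exposes getCurrentUser(), and that the returned user object provides isLoaded(), isLoggedIn() and checkPermission() exactly as the sample uses them. The permission name "users:write" and the rule structs are constructed for the test.

```cfml
// tests/specs/SecurityServiceSpec.cfc (constructed for this example)
component extends="testbox.system.BaseSpec" {

    function run(){

        describe( "SecurityService as a cbSecurity validator", function(){

            beforeEach( function(){
                // Mock the validator so a fake `security` collaborator can be injected
                validator    = createMock( "models.SecurityService" );
                userMock     = createStub();
                securityMock = createStub().$( "getCurrentUser", userMock );
                validator.$property( propertyName = "security", mock = securityMock );
                // The validator never calls into the controller here, so a stub suffices
                controller   = createStub();
            } );

            it( "reports an authentication failure when nobody is logged in", function(){
                userMock.$( "isLoaded", true ).$( "isLoggedIn", false );

                var result = validator.annotationValidator( "users:write", controller );

                expect( result.allow ).toBeFalse();
                expect( result.type ).toBe( "authentication" );
            } );

            it( "reports an authorization failure when the user lacks the permission", function(){
                userMock.$( "isLoaded", true ).$( "isLoggedIn", true ).$( "checkPermission", false );

                // Rules arrive as structs; the validator only reads `permissions`
                var result = validator.ruleValidator( { "permissions" : "users:write" }, controller );

                expect( result.allow ).toBeFalse();
                expect( result.type ).toBe( "authorization" );
            } );

            it( "allows a logged-in user that holds the permission", function(){
                userMock.$( "isLoaded", true ).$( "isLoggedIn", true ).$( "checkPermission", true );

                var result = validator.ruleValidator( { "permissions" : "users:write" }, controller );

                expect( result.allow ).toBeTrue();
                expect( result.type ).toBe( "authorization" );
            } );

            it( "allows any logged-in user when the rule requires no permission", function(){
                userMock.$( "isLoaded", true ).$( "isLoggedIn", true );

                var result = validator.ruleValidator( { "permissions" : "" }, controller );

                expect( result.allow ).toBeTrue();
                expect( result.type ).toBe( "authentication" );
            } );

        } );
    }

}
```

The four cases cover both entry points and both values of `type`. The last case documents a behaviour that is easy to overlook when reading the sample: with an empty permission list, the validator allows the user but still reports `type` as "authentication", because the type is only switched to "authorization" once a permission check is actually performed.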
That's it! Go validate!