ColdBox Security Module
Search…
v2.x
Introduction
Intro
Release History
About This Book
Author
Getting Started
Installation
Overview
Configuration
Usage
Authentication Services
Security Rules
Security Annotations
Secured URL
Interceptions
cbSecurity Model
secure() Blocking Methods
Verification Methods
Authorization Contexts
Securing Views
Cross Site Request Forgery
Security Validators
CBAuth Validator
CFML Security Validator
Custom Validator
JWT
JWT Services
JWT Validator
Refresh Tokens
Token Storage
JWT Interceptions
External links
Source code
Issue Tracker
cbauth
cbcsrf
JWT CFML
Powered By GitBook
secure() Blocking Methods

The secure() Methods

Now that you have access to the model, you can use the following method to verify explicit permissions and authorize access. This method will throw an exception if the user does not validate the incoming permissions context (NotAuthorized).
1
// Verify the currently logged in user has at least one of those permissions,
2
// else throw a NotAuthorized exception
3
cbSecurity.secure( permissions, [message] );
4
cbsecure().secure( permissions, [message] );
Copied!
  • The permission can be an array, string or list of the permissions to validate. The user must have at least one of the permissions specified.
  • The message is a custom error message to be used in the message string of the exception thrown.
You also have two more authorization methods that will verify certain permission conditions for you:
1
// Authorize that the user has ALL of the incoming permissions
2
cbSecurity.secureAll( permissions, [message] );
3
// Authorize that the user has NONE of the incoming permissions
4
cbSecurity.secureNone( permissions, [message] );
Copied!

Conditional Authorizations Using when()

There are also cases where you want to execute a piece of code by determining if the user has access to do so. For example, only a USER_ADMIN can change people's roles or you want to filter some data for certain users. For this, we have created the when() method with the following signature:
1
when( permissions, success, fail )
Copied!
  • The permissions is a permission array or list that will be Or'ed
  • The success is a closure/lambda or UDF that will execute if the permissions validate.
  • The fail is a closure/lambda or UDF that will execute if the permissions DID not validate, much like an else statement
Both closures/functions takes in a user which is the currently authenticated user, the called in permissions and can return anything.
1
// Lambda approach
2
( user, permissions ) => {
3
// your code here
4
};
5
// UDF/Closure
6
function( user, permissions ){
7
// your code here
8
}
Copied!
You can also chain the when() calls if needed, to create beautiful security contexts. So if we go back to our admin examples, we can do something like this:
1
var oAuthor = authorService.getOrFail( rc.authorId );
2
prc.data = userService.getData();
3
​
4
// Run Security Contexts
5
cbSecure()
6
// Only user admin can change to the incoming role
7
.when( "USER_ADMIN", ( user ) => oAuthor.setRole( roleService.get( rc.roleID ) ) )
8
// The system admin can set a super admin
9
.when( "SYSTEM_ADMIN", ( user ) => oAuthor.setRole( roleService.getSystemAdmin() ) )
10
// Filter the data to be shown to the user
11
.when( "USER_READ_ONLY", ( user ) => prc.data.filter( ( i ) => !i.isClassified ) )
12
​
13
// Calling with a fail closure
14
cbSecurity.when(
15
"USER_ADMIN",
16
( user ) => user.setRole( "admin" ), //success
17
( user ) => relocate( "Invaliduser" ) //fail
18
);
Copied!
We have also added the following whenX() methods to serve your needs when evaluating the permissions:
1
// When all permissions must exist in the user
2
whenAll( permissoins, success, fail)
3
// When none of the permissions exist in the user
4
whenNone( permissions, success, fail )
Copied!
Usage - Previous
cbSecurity Model
Next
Verification Methods
Last modified 22d ago
Copy link
Edit on GitHub
Contents
The secure() Methods
Conditional Authorizations Using when()