>> -----Original Message-----
>> From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, September 04, 2005 4:25 PM
>> To: CF-Talk
>> Subject: Re: Question about my security system
>>
>> > Here's the problem - what if there is a template called
>> > users.cfm for modifying user accounts. Now that user
>> > will also have edit, delete, post, and read access
>> > unless you differentiate the entitlement sets like:
>> > message_edit, message_delete, message_post, message_read,
>> > user_delete, user_edit. What I'm saying is that not
>> > every template on the site uses the same set of
>> > entitlements. While one template can perform one set
>> > of actions, another template might be doing something
>> > completely unrelated.
>>
>> I'm sure that's how entitlements are differentiated in
>> Jim's apps (message_edit, user_edit, etc).
> Nope. ;^) My apps are dumbasses.
> The system just allows you to make labels for things - you
> get granular and do tasks or generic and do groups or
> whatever - there's no difference in concept.
> So far I've never needed more than generic "Admin",
> "Editor", "Member" and "Visitor".

Ahh, so you just do the one thing I expressly avoid. :P

> I know - I've led a sheltered life.
> It's also a tiny bit frustrating that I spent so long
> modeling and building this security system and all
> I've ever needed from it is a four-way switch. ;^)

Yes you have... wow... I'd have thought there'd be enough red tape at a major insurance company to guarantee you abstracted the permissions beyond that.

>> I personally hate security models that place role
>> names in the page... imo the only thing an
>> individual page should know about is the permission,
>> and maybe the user (for performing
>> impersonation or

> I'm having the same problem here: I don't see any
> conceptual difference between a role and a permission.
> The difference is all in the labeling and physical
> concepts they represent, not the system level.

Umm... no, there's a pretty significant difference... Let me see if I can produce an example that illustrates it sufficiently:

I produce software which I then give/sell to other people. The software comes with several roles "built-in" by default: Admin, Everyone, Anonymous. I have of course chosen what I believe to be the most logical set of permissions for each of these roles, but don't want to limit other people to only these roles. When someone else downloads my software and installs it, there's a simple web-based interface through which they can create new roles and assign permissions for those roles. As the author, I have no idea what roles they have, or which roles have what permissions. However -- I'm still able to write software that integrates the security system, because I know what individual permissions are needed on any given page.
If I put request.tapi.permit(x) in a page then any user who's a member of any role which has permission x will be able to use that page. If I went the other way and checked the user's role, I would either be locking people in to the hard-coded set of roles I chose for that permission, or I would be requiring them to edit the CFML code to change the permissions (bad mojo). Since I stick with just the permissions, people who download my apps are able to assign any permission to any role (custom or built-in, except admin which gets everything) without ever changing any of the CFML. Does that make more sense now?

>> otherwise checking to see if another user is
>> permitted to perform a given task). And it's for
>> the same reason you cite -- you can't then add
>> roles without editing tons of different templates.
>> There should be a single, logical and easy to use
>> tool for updating user-roles and role-permissions
>> in one place, and it shouldn't require extra

> But you do have to create extra programming to add
> permissions... so what's the difference?

Umm... in most cases no I don't... The framework abstracts the permission to an individual process and then checks permission automatically... I do occasionally check the applicability of an alternate permission (for something other than the current process), but the system is designed such that someone who installs it elsewhere can actually create new permissions to secure sections of my application even if I didn't secure them, without writing any CFML. Moreover, even if I am manually checking a specific permission within a page, the page doesn't know anything about what roles are granted to that permission, which allows the person who set up the app to administrate the role-permission many-to-many relationship within the simple web GUI provided. If I checked the roles in-page, they would have to edit the CFML, which to me is a CARDINAL SIN.
Heck, I can even check permissions for processes which aren't included in the default set of permissions, i.e. "someone may apply a permission for process x even though I haven't, so if they have and the current user doesn't have it, then do this other thing". If a process isn't permissioned then by default anonymous users have access to it. If it's permissioned then by default no one but administrators has access to it. The anonymous (or public) role will let you give that permission back to anonymous users and the "everyone" role will let you give it back to anyone who's logged in.

The issue as a whole is pretty common amongst CMS applications (or it was at one time). I remember looking at Red Dot and the marketing materials for that CMS at one time said "fantastic security which allows you to administer users in FIVE roles!" ... Wow! What amazing granularity... You mean, if none of those five pre-defined roles really encompass the set of permissions I want for a particular user I'm SOL?! Sweet! Sign me up!

s. isaac dealey
954.522.6080
new epoch : isn't it time for a change?

add features without fixtures with the onTap open source framework
http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm
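The permission-versus-role model argued in this message, as an added illustration that is not code from the thread or from the onTap framework: pages name only a permission, the role-to-permission table is site configuration, unpermissioned processes default to public, permissioned ones default to admin-only, and the Anonymous and Everyone roles hand access back. `permit()`, `SecurityConfig`, the role names other than the three built-ins, and the sample processes are all constructed here; `permit()` is a hypothetical stand-in for `request.tapi.permit(x)`.

```python
# Added illustration of the permission-centric model argued above; not onTap code.
from dataclasses import dataclass, field
from typing import Optional

ADMIN, EVERYONE, ANONYMOUS = "Admin", "Everyone", "Anonymous"  # built-in roles

@dataclass
class SecurityConfig:
    """What the site owner edits through the web GUI, never in CFML."""
    permissioned: set = field(default_factory=set)   # processes that have been secured
    role_perms: dict = field(default_factory=dict)   # role -> permissions (many-to-many)

    def secure(self, process, *roles):
        """Mark a process as permissioned and grant it to the given roles (may be none)."""
        self.permissioned.add(process)
        for role in roles:
            self.role_perms.setdefault(role, set()).add(process)

@dataclass
class User:
    name: Optional[str]                      # None means not logged in
    roles: set = field(default_factory=set)

    def effective_roles(self):
        roles = set(self.roles) | {ANONYMOUS}  # Anonymous applies to everybody
        if self.name is not None:
            roles.add(EVERYONE)                # Everyone applies to any logged-in user
        return roles

def permit(cfg, user, process):
    """Page-level check (hypothetical stand-in for request.tapi.permit(x)).
    The page names only the permission; which roles hold it comes from cfg."""
    if process not in cfg.permissioned:
        return True   # unpermissioned processes default to public access
    if ADMIN in user.roles:
        return True   # Admin always gets everything
    return any(process in cfg.role_perms.get(r, ()) for r in user.effective_roles())

PROCESSES = ("message_read", "message_post", "user_edit", "settings_edit", "profile_view")

def demo():
    """Constructed configuration: per-user list of permit() results over PROCESSES."""
    cfg = SecurityConfig()
    cfg.secure("message_read", ANONYMOUS)   # secured, then given back to the public
    cfg.secure("message_post", EVERYONE)    # any logged-in user
    cfg.secure("user_edit", "Moderator")    # custom role created by the site owner
    cfg.secure("settings_edit")             # secured, granted to nobody: admin only
    users = [User(None), User("alice", {"Member"}), User("bob", {"Moderator"}), User("root", {ADMIN})]
    return {u.name: [permit(cfg, u, p) for p in PROCESSES] for u in users}
```

Note that "profile_view" was never secured, so every user, including the guest, passes the check for it; adding a permission for it later is a configuration change, not a code change.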

