devPermissions  
This page talks about permissions in SOS-based applications.
Updated Dec 1, 2011 by sosensible



Introduction

Permissions are an important part not just of security but of properly exposing features based on a user's roles. In SOS, three basic tables determine the roles; the relational tables that link them are taken as a given here.

  • User
  • Groups
  • Roles

Groups

Each user is given feature exposure on sites based on the groups that he belongs to. The groups are also connected to the roles, so a user's groups determine the role-based permissions and site features made available to him.

Why manage by groups rather than straight roles? It seems mildly more complex at first, but when you want a sustainable solution and put more than one person in a role it starts to make sense. You can think about it like a company organizational chart. Rather than giving one particular accountant the ability to get in the safe, you give accountants the ability to get in the safe. In fact you might have a number of safes for your business. Each safe can be a role in this illustration, and putting someone in the accountants group adds them to all of those safes. This also means you can create different groups of accountants with access to different things. Just adding them to the group gives them access to the associated roles. Of course this means that when you add someone new to your site it is simpler to assign the relevant roles, because you just connect them to the appropriate groups. Also note that if a role is shared by more than one group, the system is smart enough to pass it to the user only one time.

Roles

Roles are the keys to the treasures of SOS web sites. In some respects they are also the way to prevent clutter you don't care about: who wants to see a bunch of content that has nothing to do with them? Either way, the roles work to achieve this.

// code check for user permission
if(session.user.isAuthorized('admin')){
  // code placed here runs only if the user is authorized
}

or

<cfif session.user.isAuthorized('admin')>
  <!--- This is likely how you would wrap a bit of display code in SOS. --->
</cfif>

One thing of interest is that permissions in SOS go beyond the standard login permissions in ColdFusion. In ColdFusion you can pass a list of "AND"-based permissions, and they must all exist. SOS also accepts the pipe "|" character for OR-based permissions in addition to the "," for AND, so you get both AND and OR logic, which makes for much more flexible permission checks.
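
The group-to-role resolution described under Groups and the "," / "|" logic described above can be sketched as follows. This is an added example, not SOS source code: the function names `rolesFromGroups` and `isAuthorizedFor`, the group and role names, and the precedence rule (each comma-separated term must pass, and a term passes if any of its pipe-separated roles is held) are assumptions.

```cfml
<cfscript>
// Added example, not SOS source; group and role names are constructed.
// ASSUMPTION: "," separates terms that must all pass (AND) and, inside a
// term, "|" separates alternatives (OR). SOS's own precedence may differ.
// Collect the roles granted through group membership, each role once.
function rolesFromGroups(required array userGroups, required struct groupRoles) {
    var roles = {};
    for (var groupName in arguments.userGroups) {
        if (!structKeyExists(arguments.groupRoles, groupName)) {
            continue; // an unknown group grants nothing
        }
        for (var roleName in arguments.groupRoles[groupName]) {
            roles[roleName] = true; // struct keys de-duplicate shared roles
        }
    }
    return roles;
}

// Evaluate a permission expression against the resolved role set.
function isAuthorizedFor(required string expression, required struct roles) {
    var terms = listToArray(arguments.expression, ",");
    if (arrayLen(terms) == 0) {
        return false; // empty expression: deny by default
    }
    for (var term in terms) {
        var matched = false;
        for (var alternative in listToArray(term, "|")) {
            if (structKeyExists(arguments.roles, trim(alternative))) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            return false; // one unmet AND term denies the whole expression
        }
    }
    return true;
}

groupRoles = {
    accountants = ["safe-main", "ledger"],
    auditors = ["ledger", "reports"]
};
roles = rolesFromGroups(["accountants", "auditors"], groupRoles);
writeOutput("distinct roles: " & structCount(roles) & "<br>");
writeOutput("ledger,reports: " & isAuthorizedFor("ledger,reports", roles) & "<br>");
writeOutput("admin|ledger: " & isAuthorizedFor("admin|ledger", roles) & "<br>");
writeOutput("admin,ledger: " & isAuthorizedFor("admin,ledger", roles) & "<br>");
</cfscript>
```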

