Introduction
Object specific permissions are permissions that apply to each instance of a type. Navigation is an example of this: you can deny view access to a part of your website simply by changing the permissions for that Navigation item in the site tree.
With the refactoring of security in the Fortress release it is much easier to extend or modify the security model. One of the newer features is that it is now possible to add object specific permissions - that is restrict actions on a specific content objects to specific roles.
Revisiting permission classes
As of FarCry 5.0 there are 4 permission classes. Some of these overlap in the way they are represented in the database but have different effects.
Class | Description | Management location |
|---|---|---|
Webskin | Defines the webskins that a role can access. | By editing a role |
Type | Defines the actions a role can perform across a type. i.e. a contributor can edit news but not approve it, a publisher can do anything with news | By editing a role |
Object | Defines the actions a role can perform on a specific object. By default only dmNavigation objects have these. | From site tree: right-click -> Manage permissions, from Overview -> Miscellaneous -> Manage permissions. ManagePermissions permission is needed to access this functionality. |
General | Arbitrary flags that are accessed at specific points in the code. e.g. webtop menu permissions | By editing a role |
COAPI / database schema
Object specific permissions are stored in the farBarnacle type.
...
| Note |
|---|
If you use setData the objecttype field will be populated and the security cache updated automatically. |
Example: Adding object permissions to dmFile
Step 1: Extending farBarnacle
The types that can have object permissions is defined by the Barnacle type. The referenceid property contains which object the "Barnacle" is attached to. By extending farBarnacle and changing the ftJoin metadata attribute we can add dmFile to the system.
| Code Block | ||
|---|---|---|
| ||
<cfcomponent displayname="Barnacle" hint="Used to grant an item specific permissions." extends="farcry.core.packages.types.farBarnacle" output="false"> <cfproperty name="referenceid" type="uuid" default="" hint="The object this barnacle is attached to" ftSeq="3" ftFieldset="" ftLabel="Object" ftType="uuid" ftJoin="dmNavigation,dmFile" /> </cfcomponent> |
Step 2: Defining the permission
Now we need to flag a specific permission as being an object permission for dmFile. You can create your own, but I just want to restrict access restrictions, so I'm going to use View.
...
In the "Join on" list select File as well, and save. Make sure you don't unselect Navigation as this would screw up site tree permissions.
Step 3: Reload security
At this point it is a good idea to clear the security cache. You can do this either with the updateapp=1 flag in the url, or by going to Webtop -> Admin -> Reload application, selecting Security, and clicking Update Application.
You have now set up file by file restrictions.
Step 4: Managing the permissions
If you try to access files you have set up in your application you will now get a message saying "You have been denied access to this item". This is the default response when a user is viewing an object or webskin without permission.
...