ColdFusion: Application Options Based on Role?


Question


I understand how to restrict entire pages, or even components by implementing <cflogin> and roles. For example:

<cfif IsUserInRole("Admin") OR IsUserInRole("Accounting")>
    ...You can view this page...
<cfelse>
    ...You can not view this page...    
</cfif>


But how is it recommended to restrict certain facets of a page? Say for example an "Admin" is allowed to send Global Messages to all users, but that option is not available for a regular "User".


I suppose I could use the Session to manipulate my Views (pages). How is this typically handled?

Accepted answer


You're right, securing a page and securing elements are different.


In my opinion and in practice, I think tying any code to a role or user is actually the wrong approach. Instead, tie permissions to elements and pages - then tie roles to those permissions. And of course, users are assigned roles.

It is important to have all three:

  1. Users

  2. Roles

  3. Permissions <- this is what you are missing


Permissions are what secure elements and pages, not roles or users. Your code should have no clue (because it doesn't need to) what users or roles there are - just names of permissions.


When a user logs in, I grab their role(s). Then I grab all the permissions that are assigned to those roles (simply a list of string values).


For example, on a page I might have :


  • Add item
  • View item
  • Delete item


When I code that page, I actually secure each of those elements with permission strings named similar ( addItem, viewItem, deleteItem).

<!--- listFindNoCase matches a whole list element; listContainsNoCase would also match substrings such as "addItems" --->
<cfif listFindNoCase( session.permissions, 'addItem' )>
    <!--- code to add item --->
</cfif>


(Note: I recommend using a custom tag or function for this, but for purposes of an example, the above works fine).


If you do it this way, it provides maximum flexibility and abstraction. If you secure elements based off of roles, you limit yourself:


  • Adding a new role requires extensive code changes!

  • Changing permissions between roles requires extensive code changes!


If you do it as mentioned above, you will never need to change your security code within the code base, because "addItem" permission should always be on the "add item" logic, right? :)


Now if you happen to need to create a "manager" type role, that has all the user roles and a select few admin rights, you simply create that role, and assign it the correct permissions (maybe addItem and editItem, but not deleteItem). Bam! Now I have a manager role to assign to users with no code changes!


If I had sprinkled my code with "is user this role" type of stuff - I would have to go edit my code everywhere to allow my new role "manager" - yuck!

Make sense?

=)
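As an added example (not code from the original question or answer), here is how the user -> role -> permission model described in the answer can be wired up in CFML: a role-to-permission table (constructed inline here, standing in for a database table), resolution of the logged-in user's roles to a permission list once at login, and a single `hasPermission()` function that views call. The file name `security.cfm`, the `authenticateUser()` helper, the role names and the permission names are all assumptions made for the example.

```cfml
<!--- security.cfm (assumed name): included from Application.cfc onRequestStart so every
      page sees these UDFs. Added example, not code from the original answer. --->

<!--- Constructed role-to-permission table standing in for a database lookup.
      Adding the "Manager" role is a data change only: no view references a role. --->
<cfset rolePermissions = {
    "User"    = "viewItem",
    "Manager" = "viewItem,addItem,editItem",
    "Admin"   = "viewItem,addItem,editItem,deleteItem,sendGlobalMessage"
}>

<!--- Union of the permission strings for a comma-separated list of roles,
      deduplicated case-insensitively; unknown roles contribute nothing. --->
<cffunction name="resolvePermissions" returntype="string" output="false">
    <cfargument name="roles" type="string" required="true">
    <cfset var perms = "">
    <cfset var role = "">
    <cfset var perm = "">
    <cfloop list="#arguments.roles#" index="role">
        <cfif structKeyExists(rolePermissions, trim(role))>
            <cfloop list="#rolePermissions[trim(role)]#" index="perm">
                <cfif NOT listFindNoCase(perms, perm)>
                    <cfset perms = listAppend(perms, perm)>
                </cfif>
            </cfloop>
        </cfif>
    </cfloop>
    <cfreturn perms>
</cffunction>

<!--- The one check views use. It knows permission names, never roles or users.
      listFindNoCase matches whole list elements, so "view" does not match "viewItem". --->
<cffunction name="hasPermission" returntype="boolean" output="false">
    <cfargument name="permission" type="string" required="true">
    <cfreturn structKeyExists(session, "permissions")
              AND listFindNoCase(session.permissions, arguments.permission) GT 0>
</cffunction>

<!--- Login: authenticate, then resolve roles to permissions once per session --->
<cflogin>
    <cfif isDefined("cflogin")>
        <!--- authenticateUser() is a hypothetical helper: returns the user's
              role list on success, or an empty string on failure --->
        <cfset roles = authenticateUser(cflogin.name, cflogin.password)>
        <cfif len(roles)>
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
            <cfset session.permissions = resolvePermissions(roles)>
        </cfif>
    </cfif>
</cflogin>

<!--- In a view: the element is gated by a permission name, whatever roles grant it --->
<cfif hasPermission("sendGlobalMessage")>
    <!--- global message form goes here --->
</cfif>
```

With this layout, giving managers the right to send global messages is a change to the `rolePermissions` row, not to any view. Two caveats a practitioner should keep in mind: clear `session.permissions` whenever you call `cflogout` or change a user's roles, because `cflogout` does not touch session variables and a stale permission list would otherwise survive for the rest of the session; and keep the resolved list server-side in `session`, never in a cookie or hidden field the client can edit.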
