> I have an object (company) that contains all the pertinent
> information/methods for viewing/updating a company profile. Some users are
> only allowed to view the profile while others are given the ability to
> modify the information. Should the company object accept a user object that
> contains permissions and roles and allows actions based on it, or should I
> have a security object that would call the company object?
>
> I guess what I'm getting at is where do you put your security? Does it make
> sense to embed it into objects or does that make it too complex?

Is there a reason why you're not using CFLOGINUSER then restricting method access using the roles attribute of CFFUNCTION? To handle the user interface, controls can be selectively displayed using tests on the result of one or more calls to IsUserInRole().

ColdFusion MX's built-in security framework (CFLOGIN and its related tags and functions) works very well as long as you treat roles the way they were originally intended: as established roles that users play in a system, and not as individual permissions.

I have seen some very elaborate schemes for group permissions and anti-permissions with another layer of individual user permissions and anti-permissions on top of that, but that really is the wrong way to go, in my opinion. Things get easily confused, and it's often easy to accidentally assign a high-ranking individual permission to a person who is nowhere near authorized to have such a permission, then have that mistake go undiscovered for a long time.

A clearly defined set of roles discovered through a rigorous requirements gathering process eliminates such dangers. Use these roles directly in ColdFusion MX's security framework, and you should be good to go.

Respectfully,

Adam Phillip Churvis
Member of Team Macromedia

Advanced Intensive Training:
* C# & ASP.NET for ColdFusion Developers
* ColdFusion MX Master Class
* Advanced Development with CFMX and SQL Server 2000
http://www.ColdFusionTraining.com

Download CommerceBlocks V2.1 and LoRCAT from
http://www.ProductivityEnhancement.com

The ColdFusion MX Bible is in bookstores now!
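
The approach described in the reply above, sketched as an added example that is not part of the original message or the poster's code: CFLOGINUSER assigns roles at login, the roles attribute of CFFUNCTION enforces them on the company component, and IsUserInRole() controls what the page displays. The role names `viewer` and `editor`, the helper `lookupUser()`, and the three file names are assumptions; the three files are shown in one block.

```cfml
<!--- Application.cfm (constructed): authenticate, then attach established roles --->
<cfapplication name="companyApp" sessionmanagement="yes" loginstorage="session">
<cflogin>
  <cfif NOT isDefined("cflogin")>
    <!--- loginForm.cfm (hypothetical) posts j_username and j_password --->
    <cfinclude template="loginForm.cfm">
    <cfabort>
  </cfif>
  <!--- lookupUser() is a hypothetical helper: checks the password and returns
        a struct with "ok" (boolean) and "roles" (comma-delimited role list) --->
  <cfset auth = lookupUser(cflogin.name, cflogin.password)>
  <cfif NOT auth.ok>
    <cfinclude template="loginForm.cfm">
    <cfabort>
  </cfif>
  <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#auth.roles#">
</cflogin>

<!--- company.cfc (constructed): the roles attribute enforces access per method;
      a caller in none of the listed roles gets an exception, not the data --->
<cfcomponent displayname="company">
  <cfset variables.profile = structNew()>
  <cfset variables.profile.name = "Example Co">

  <cffunction name="getProfile" access="public" returntype="struct" roles="viewer,editor">
    <cfreturn duplicate(variables.profile)>
  </cffunction>

  <cffunction name="updateProfile" access="public" returntype="void" roles="editor">
    <cfargument name="name" type="string" required="yes">
    <cfset variables.profile.name = arguments.name>
  </cffunction>
</cfcomponent>

<!--- viewCompany.cfm (constructed): IsUserInRole() only decides what to show;
      updateProfile() still rejects non-editors if the link is requested directly --->
<cfset company = createObject("component", "company")>
<cfset profile = company.getProfile()>
<cfoutput>
  <h1>#htmlEditFormat(profile.name)#</h1>
  <cfif isUserInRole("editor")>
    <a href="editCompany.cfm">Edit profile</a>
  </cfif>
</cfoutput>
```

The enforcement point is the roles attribute on each method; the IsUserInRole() test in the page is presentation only, so removing it would expose a link but not the update itself.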