Programming Security: Security roots

April 24, 2009

[This article is part of the documentation preview for the Programming Security section of the Developer manual. You can view the temporary TOC here]

Security roots are used internally by Sitefinity to link a module provider to Sitefinity's underlying security framework. You don't use them directly, and you don't include them in your provider (well, not directly; more on that later in this article).

Why the word "root", then? The idea is that you can provide different permissions for different parts of your module. Take the Forums module, for example. Let us say we want to implement permissions for the whole Forums module: creating, deleting, modifying, etc. But you might want to add permissions per post as well. Both will use the same provider for their CRUD operations, so it makes sense that all security operations for this module that share a provider have something in common. That something is the security root. It is called a root because it is the root of all security operations.

Implementing a Security Root

Security roots have to implement the abstract SecuredBase class. Here is how this is done in the sample Contacts pluggable module.

using System;
// Alias for the namespace of the SecurityManager named in the text (Telerik.Security).
using SecNS = Telerik.Security;

public class GlobalPermissions : SecuredBase
{
    /// <summary>
    ///     Initializes a new instance of <see cref="GlobalPermissions"/> class for a
    ///     specified provider name.
    /// </summary>
    /// <param name="providerName">the name of the provider</param>
    public GlobalPermissions(string providerName)
    {
        ContactsManager manager = new ContactsManager(providerName);

        // Look up the security root ID persisted for this provider.
        string persistedId = manager.GetVariable(Variables.SecurityRootID);
        if (String.IsNullOrEmpty(persistedId))
        {
            // First use: create a new root ID and persist it for this provider.
            this.rootId = Guid.NewGuid();
            manager.SetVariable(Variables.SecurityRootID, this.rootId.ToString());
        }
        else
        {
            // Reuse the ID that was persisted earlier.
            this.rootId = new Guid(persistedId);
        }

        // securityManager is a field of the SecuredBase base class.
        this.securityManager = new SecNS.SecurityManager(manager.Provider.SecurityProviderName);
    }

    /// <summary>Read-only property. Gets the ID of the secured object.</summary>
    /// <value><see cref="Guid"/> object.</value>
    public override Guid ID
    {
        get
        {
            return this.rootId;
        }
    }

    private Guid rootId;
}

 

There are two important things that you should do in the constructor. First, check whether the security root's ID has already been persisted for the current provider. If it has, use the persisted value. If it has not, create a new Guid and persist it for this provider. Second, initialize the securityManager field of the base class with a new instance of Telerik.Security.SecurityManager, passing the name of the provider in use as a parameter to the constructor.

The ID property simply returns the persisted ID of this security root.
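The get-or-create step the constructor performs, isolated as an added example (not code from the Contacts module or from Sitefinity). `VariableStore`, `SecurityRootId` and the provider names are hypothetical stand-ins for the provider's variable storage; the example shows that every caller for the same provider resolves to the same root ID, while a different provider gets its own.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the provider's variable storage (the page's
// GetVariable/SetVariable): an in-memory map keyed by provider name.
static class VariableStore
{
    static readonly Dictionary<string, string> values = new Dictionary<string, string>();
    public static string Get(string provider) =>
        values.TryGetValue(provider, out string v) ? v : null;
    public static void Set(string provider, string value) => values[provider] = value;
}

static class SecurityRootId
{
    static readonly object gate = new object();

    // Returns the root ID for a provider, creating and persisting it on first use.
    public static Guid Resolve(string providerName)
    {
        lock (gate) // keep the read-then-write atomic so first callers agree on one ID
        {
            string stored = VariableStore.Get(providerName);
            if (string.IsNullOrEmpty(stored))
            {
                Guid created = Guid.NewGuid();
                VariableStore.Set(providerName, created.ToString());
                return created;
            }
            // Fail on a malformed value instead of minting a new ID, which would
            // silently replace the root that was already persisted.
            if (!Guid.TryParse(stored, out Guid id))
                throw new FormatException("Security root ID for '" + providerName + "' is not a GUID.");
            return id;
        }
    }
}

static class Program
{
    static void Main()
    {
        Guid first = SecurityRootId.Resolve("ContactsA");  // constructed provider names
        Guid again = SecurityRootId.Resolve("ContactsA");
        Guid other = SecurityRootId.Resolve("ContactsB");
        Console.WriteLine("same provider, same root: " + (first == again));
        Console.WriteLine("different providers differ: " + (first != other));
    }
}
```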

As mentioned earlier in this article, the security root is not part of the provider. However, as the constructor shows, the provider is used to persist the value of the security root's ID.

 BEGIN NOTE

The term "security root" is going to be used throughout this manual, because this is the name used by the API. This way, when you encounter it, you won't wonder what it means. Ivan decided to name his security root GlobalPermissions. In fact, this serves as a naming convention in many of the built-in modules. If you don't like how "security root" sounds, you can name your class anything you want. Keep in mind, though, that the more names you have for the same thing, the greater the chance that you will make your code confusing and difficult to read.

END NOTE


The Progress Guys
