Users Framework
webCOMAND provides a framework for user management, authorizations and custom logins.
Users
The best place to start is to set up a database of users. You will need to decide which content type will store user information. There are three main options:
- User Content Type - Use the built-in User content type if it provides everything your website or app requires. This is the easiest way to go, and you will get all of the features and functionality afforded to webCOMAND Users. The same User record can provide access to webCOMAND, webCOMAND Apps and/or your website and app.
- Extend User Content Type (Recommended) - To add information to the built-in User content type, extend it to get the best of both worlds. Define your own content type that extends User to add your custom fields, but inherit all of the features and functionality afforded to webCOMAND Users.
- Custom Content Type - If you aren't interested in inheriting any of the built-in webCOMAND User features and functionality, you can create your own unique user content type with only the fields, features and functionality you want. In this situation, create a content type that extends cObject, Content or any other content type you like.
Authorizations
Once you have a user content type, you are ready to populate the database with an initial user and set up authorizations.
Built-in User
If you use or extend the built-in User content type, you can add and configure Users, User Roles and Authorizations in the Users App.
The most important authorization is the "System Administrator" checkbox in the User. When checked, the user will be authorized to do anything in most apps. It is highly recommended that your website or app do the same, and that this authorization is given only to highly trusted users, if to anyone.
There are a few ways to add custom authorizations and privileges.
- Privileges - To add simple custom authorizations, create new Privileges.
- Authorizations - To add custom authorization functionality, create a new content type that extends authorizations with the appropriate fields and then implement the authorizations methods in a corresponding model for the new content type.
- Attributes - To add more customized authorizations and user features, create new content types that reference Users or User Roles.
Custom Users
If you are using a custom content type, it is up to you to determine how authorizations will be stored. They can be stored in fields within the custom content type, or as attributes that reference the user content type, such as roles and/or individual user-specific authorizations.
Credentials
Once users and authorizations are set up, credentials will be required to authenticate users against passwords, tokens and other information.
User credentials are generally stored as User attributes (objects that reference the user they apply to). A number of built-in User Credentials are provided by io_comand_login, including:
- Security Questions - Questions and answers typically used to verify a user in order to reset their password or other credentials.
- User Passwords - A secret code used to authenticate a user against text entered into an input.
- User Reset Codes - A temporary code typically emailed or otherwise shared with a user to start the process to reset a password or other credentials.
- User Tokens - A secret code used to authenticate a software user against text provided as part of a web request or other API call.
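As an added illustration of the reset-code credential described above (not code from webCOMAND or io_comand_login), the following framework-independent Python sketch models a reset code as an attribute object that references its user, stores only a hash, expires, and can be redeemed once. The ResetCode class, the in-memory store list, the function names and the 15-minute lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the page only says "temporary"

@dataclass
class ResetCode:
    """Hypothetical credential attribute: references the user it applies to."""
    user_id: int
    code_hash: bytes   # only a hash is stored, never the code itself
    expires_at: float
    used: bool = False

def _digest(code):
    # A fast hash is acceptable here because the code is a long random value,
    # not a human-chosen password.
    return hashlib.sha256(code.encode("utf-8")).digest()

def issue_reset_code(store, user_id, now=None):
    """Create a code for user_id, retire older ones, return the plaintext to send."""
    now = time.time() if now is None else now
    for rc in store:
        if rc.user_id == user_id:
            rc.used = True              # at most one outstanding code per user
    code = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    store.append(ResetCode(user_id, _digest(code), now + RESET_TTL_SECONDS))
    return code

def redeem_reset_code(store, user_id, code, now=None):
    """Return True exactly once for a valid, unexpired, unused code of user_id."""
    now = time.time() if now is None else now
    presented = _digest(code)
    ok = False
    for rc in store:
        if rc.user_id != user_id:
            continue                    # a code is only valid for its own user
        match = hmac.compare_digest(rc.code_hash, presented)  # constant-time
        if match and not rc.used and now < rc.expires_at:
            rc.used = True              # single use
            ok = True
    return ok
```

In a real deployment the store would be the repository holding the credential attributes, and a successful redemption would only start the password reset flow, not log the user in.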
Login Policies
A login policy defines Login Models used to access, authenticate and authorize users, and Login Controllers to implement functionality, such as the login and "forgot password" processes.
Select one of the following login policies to learn more about how it is implemented and how it can be used by your website and/or apps.