Object "access permission" questions

I already have a solution to this problem that will work if there aren't any other solutions that would be better to use, but I just thought I would ask if there is any conventional way to do this and whether or not my method for granting access is secure.

File systems grant access to file system objects based on a permission system (as long as the OS supports such an approach).

I need to control access to objects in a similar fashion. I have two base classes and an enum involved in objects that require permission:

The enum: ExposurePermission defines the level of access.

Objects that require permission in order to be accessed inherit the LimitedAccessObject base class. This class has a method permissionLevel() that exposes the ExposurePermission needed.

Objects that can manipulate a LimitedAccessObject must inherit from the AccessAgent base class. This has a clearanceLevel() that exposes the ExposurePermission that object has.

Access to the LimitedAccessObject should only be granted if AccessAgent::clearanceLevel() >= LimitedAccessObject::permissionLevel()

I want to be able to check permissions within the accessor functions of the LimitedAccessObject themselves... however I don't know if that is possible without requiring a pointer to the AccessAgent to be sent to the accessor each time. I find this cumbersome and inefficient.

So here are my questions:
1. Is there any way to find out the object that called another object's function by using the call stack?
2. Is there any other way to implicitly accomplish this within an object's accessor?
3. How easy would it be to hack access using the above system? Should I use something more secure?

It sounds like you are over-engineering something.

What exactly are you trying to accomplish with this?

(Keep in mind, your code has explicit access to all the objects you use in your code. The only access restrictions are OOP-related -- maintain local state and forbid foreign objects from playing with an object's internals.)

It is an application that hosts scripts and other elements. Different users of the application have different levels of access to objects. In addition, scripts can be written and/or used by people with different levels of access. Functions themselves can also have different levels of access. See this post if you want/need a few more details: http://www.cplusplus.com/forum/general/197471/

The simplest example would be enabling and disabling UI elements. Let's say a script with a certain level of access wants to disable a certain UI element. That element will have a certain base level of access required to change the status (in this case enable or disable) of that element. If the script has a high enough "credential", the script will then be able to change the status of that UI element and disable it. While the script is running that UI element then is assigned a new level of access equivalent to the script. So if a user with a lower access level than the script tries to change the status of the object, they are not able to.

Once the script is done, the access level for the object goes back to its base level and then the user (if he has the required access level) can enable or disable the object.
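
An added example, not code from any poster in this thread: one way to check clearance inside the accessor without passing the agent on every call, plus the temporary script-level lock on a UI element described above. The enum values, `AgentScope`, `ElevationGuard`, `UiElement` and `trySetEnabled` are assumed names, and `AccessAgent` is reduced to a plain struct for brevity.

```cpp
#include <stdexcept>
// Enum values, AgentScope, ElevationGuard, UiElement and trySetEnabled are assumptions.
enum class ExposurePermission { Guest, User, Script, Admin };
struct AccessAgent { ExposurePermission clearance; ExposurePermission clearanceLevel() const { return clearance; } };

// Ambient caller for the current thread: the host sets it, accessors never take it as a parameter.
class AgentScope {
    const AccessAgent* prev_;
    static thread_local const AccessAgent* current_;
public:
    explicit AgentScope(const AccessAgent& a) : prev_(current_) { current_ = &a; }
    ~AgentScope() { current_ = prev_; }  // restores the outer agent, so scopes nest
    static const AccessAgent* current() { return current_; }
};
thread_local const AccessAgent* AgentScope::current_ = nullptr;

class LimitedAccessObject {
    friend class ElevationGuard;
    ExposurePermission level_;
public:
    explicit LimitedAccessObject(ExposurePermission base) : level_(base) {}
    ExposurePermission permissionLevel() const { return level_; }
protected:
    void requireAccess() const {  // fail closed: no agent in scope means no access
        const AccessAgent* a = AgentScope::current();
        if (!a || a->clearanceLevel() < level_) throw std::runtime_error("access denied");
    }
};

// While a script runs, the object requires the script's level; the base level returns on exit.
class ElevationGuard {
    LimitedAccessObject& obj_;
    ExposurePermission saved_;
public:
    ElevationGuard(LimitedAccessObject& o, const AccessAgent& script) : obj_(o), saved_(o.level_) {
        if (script.clearanceLevel() < saved_) throw std::runtime_error("access denied");
        o.level_ = script.clearanceLevel();
    }
    ~ElevationGuard() { obj_.level_ = saved_; }
};
class UiElement : public LimitedAccessObject {
    bool enabled_ = true;
public:
    using LimitedAccessObject::LimitedAccessObject;
    void setEnabled(bool on) { requireAccess(); enabled_ = on; }
    bool isEnabled() const { return enabled_; }
};
bool trySetEnabled(UiElement& e, const AccessAgent& who, bool on) {  // true if `who` was allowed
    AgentScope scope(who);
    try { e.setEnabled(on); return true; } catch (const std::runtime_error&) { return false; }
}
```

The checks only constrain callers that go through the accessors; as the reply above notes, code in the same process still has direct access to the objects.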