Checking permissions on QuickJump navigation commands

Keep the following security issues in mind as you create navigation commands for the QuickJump box.

Subclassing StaticNavigationCommand

Commands that subclass StaticNavigationCommand check the destination page's canVisit permission by default to determine whether a user has the permission needed to see that option in the QuickJump box. The permission hole arises when permissions were placed on every route to the destination but not on the destination page itself.

For example, suppose that you create a new QuickJump navigation command for NewNotePopup, and that previously you had placed a permission check on every New Note button, so that PolicyCenter checked the Note.create permission before the popup opened. Enabling QuickJump navigation to NewNotePopup bypasses those button-level checks entirely. The best practice is to check permissions in the canVisit tag of the actual destination page, in this case NewNotePopup.

Subclassing ContextualNavigationCommand

As with StaticNavigationCommand subclasses, add permission checks to the destination page's canVisit tag.

Subclassing ParameterizedNavigationCommand

Classes that subclass ParameterizedNavigationCommand have the previously described isPermitted method, which you can override. This method controls whether the user can see the navigation command in the QuickJump box. After a user invokes a command, PolicyCenter performs its standard permission checks (for example, evaluating the canVisit expression on the target page) and presents an error message to unauthorized users.

The canVisit expression on the destination page can return a different value depending on the actual parameters passed to it. As a consequence, PolicyCenter cannot determine automatically whether to display the command in the QuickJump box before the user enters a value for the parameter. If you can determine manually whether the command should be displayed (for example, from the permission the destination's canVisit attribute checks), perform that check in the overridden isPermitted method.
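The following Gosu is an added illustration of the two preceding sections, not Guidewire's own code: it keeps the parameter-independent part of the check in one static function that both the NewNotePopup canVisit attribute and the command's isPermitted override call, so the two checks cannot drift apart. The package name, the location of the ParameterizedNavigationCommand base class, the exact isPermitted signature and the perm.Note.create key are assumptions to be verified against your PolicyCenter release.

```gosu
// --- NotePermissions.gs --- (assumed package and file layout)
package gw.quickjump

/**
 * Added example, not Guidewire's code. Single source of truth for the
 * parameter-independent decision "may this user create notes at all?".
 * Reference the same function from the destination page so the QuickJump
 * command and the page agree, for example in NewNotePopup's PCF:
 *
 *   canVisit="gw.quickjump.NotePermissions.canCreate()"
 */
class NotePermissions {
  // perm.Note.create is assumed to be the permission the text calls
  // "Note.create"; substitute the key your configuration uses.
  static function canCreate() : boolean {
    return perm.Note.create
  }
}

// --- NewNoteNavigationCommand.gs ---
package gw.quickjump

uses gw.api.quickjump.ParameterizedNavigationCommand  // assumed location of the base class

/**
 * QuickJump command that opens NewNotePopup. Only the check that does not
 * depend on the value the user types belongs in isPermitted: it hides the
 * command from users who could never use it. Anything that depends on the
 * parameter (for example, whether the user may see the object the note is
 * attached to) stays in NewNotePopup's canVisit, which PolicyCenter still
 * evaluates after the command is invoked and which remains the authoritative
 * check.
 */
class NewNoteNavigationCommand extends ParameterizedNavigationCommand {

  // Assumed signature: the text says only that isPermitted exists on
  // ParameterizedNavigationCommand subclasses and can be overridden.
  override function isPermitted() : boolean {
    return NotePermissions.canCreate()
  }
}
```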