Concrete CMS has always had a strong permissions model, with authentication, users and groups, and deep access control on objects like pages, files and users. In version 5.6, this model became even more flexible, with the ability to assign combination groups, group sets, and even custom permission access entities to a developer's own custom permission. Here we're going to delve into how a Concrete developer can make use of Concrete's permissions model – from the simplest operations like checking to see if the current user can perform a certain operation on an object, to advanced tasks like creating your own permissions.

Concrete has also always taken security very seriously. We've always employed a database access layer to combat attacks like SQL injection, and we have a number of built-in libraries that make it easy to harden your applications against other common nuisances like cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. Read on to learn how to use them.