Re: Model-View-Controller and user permissions
- Subject: Re: Model-View-Controller and user permissions
- From: Ramsey Gurley <email@hidden>
- Date: Tue, 19 Jul 2011 12:02:01 -0700
On Jul 19, 2011, at 11:44 AM, Chuck Hill wrote:
>
> On 2011-07-19, at 11:36 AM, Amy Worrall wrote:
>
>>> I'd centralize all knowledge of this in some object like SecurityManager whose job it is to authorize user actions. You could provide access to that via the session, but I think a better approach is to use ERXThreadStorage and access it via the thread. That way you avoid needing the component-session link.
>>
>> Sounds good. So, if I were using Direct2Web, I could have delegate
>> methods that call the SecurityManager to check that a certain action
>> is allowed?
>
> That sounds right, but I will defer to someone who is more of a D2W guru than I. Which is almost everyone.
If you are using a branch delegate, you can do it in the defaultBranchChoices method. If the user can't edit a profile, don't return the edit profile choice in the choices array, and they will never see it... unless you override the defaults in your rules.
>
>> I guess I should have a method like userCanEditProfile(User
>> userToCheckPermissions, User targetProfile), returning a boolean, so
>> that SecurityManager doesn't need to hit the session itself?
>
> The Security manager would be created with the user. So in my mind, the request would be more like
> securityManager().userHasPermissionFor(Permission.CanEditProfile, targetProfile)
Alternately, the security manager could get the user from the thread too. The method signature would still look the same.
ERCoreBusinessLogic does this with the 'actor'. You can look at the bug tracker to see an example. Just store the user on the session, then you can put the user on the thread local at session.awake() and remove it from the thread local on session.sleep().
In ERAuth, I manage the 'actor' with ERStageManager (yeah, my class names need help) so the session never even has to know about the user.
https://github.com/nullterminated/ponder/blob/master/ERAuth/Sources/er/auth/ERStageManager.java
I just call ERStageManager.INSTANCE.setActor(user) after a successful login and I'm done (^_^)
>
>> Thanks for your help so far everyone. For me, the hardest part of
>> using WO is knowing what's best practice in a certain situation. Your
>> replies are all very helpful.
>
> Onward and upward! :-)
>
> Chuck
>
> --
> Chuck Hill Senior Consultant / VP Development
>
> Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems.
> http://www.global-village.net/products/practical_webobjects
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
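The thread-local actor pattern discussed above, as an added example that is not code from this thread, ERCoreBusinessLogic or ERAuth: java.lang.ThreadLocal stands in for ERXThreadStorage/ERStageManager, and the Permission enum, User class, branch-choice filter and awake/sleep wrapper are all constructed here for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Constructed stand-in for the WebObjects pattern: the acting user lives on the
// request thread, the SecurityManager reads it from there, and D2W branch choices
// are filtered so the user never sees an action they are not allowed to take.
public class SecurityManagerExample {
    enum Permission { CanViewProfile, CanEditProfile }

    static final class User {
        final String name; final boolean admin;
        User(String name, boolean admin) { this.name = name; this.admin = admin; }
    }

    // Plays the role of ERXThreadStorage: set in session.awake(), cleared in session.sleep().
    static final ThreadLocal<User> ACTOR = new ThreadLocal<>();

    static final class SecurityManager {
        boolean userHasPermissionFor(Permission p, User target) {
            User actor = ACTOR.get();
            if (actor == null) return false;   // fail closed: no actor on this thread
            switch (p) {
                case CanViewProfile: return true;
                case CanEditProfile: return actor.admin || actor.name.equals(target.name);
                default: return false;
            }
        }
    }

    // defaultBranchChoices-style filter: omit the edit choice when the actor may not edit.
    static List<String> defaultBranchChoices(SecurityManager sm, User target) {
        List<String> choices = new ArrayList<>();
        choices.add("viewProfile");
        if (sm.userHasPermissionFor(Permission.CanEditProfile, target)) choices.add("editProfile");
        return choices;
    }

    // Simulates awake()/sleep() around one request; the finally block guarantees the
    // actor is removed so it cannot leak into the next request served by this thread.
    static List<String> handleRequest(User actor, User target) {
        ACTOR.set(actor);
        try { return defaultBranchChoices(new SecurityManager(), target); }
        finally { ACTOR.remove(); }
    }

    public static void main(String[] args) {
        User amy = new User("amy", false), bob = new User("bob", false);
        System.out.println(handleRequest(amy, amy));   // own profile: view and edit
        System.out.println(handleRequest(amy, bob));   // someone else's: view only
        System.out.println(new SecurityManager().userHasPermissionFor(Permission.CanEditProfile, bob));
    }
}
```

The last line in main runs outside any request, so no actor is on the thread and the check denies; that fail-closed default is what makes forgetting the awake() step visible instead of silently permissive.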