session/logged-in user valid for a specific component only?

  • Subject: session/logged-in user valid for a specific component only?
  • From: ocs--- via Webobjects-dev <email@hidden>
  • Date: Sun, 9 Jan 2022 16:21:30 +0100

Hi there,

I've got a pretty old application, the standard structure: there's Session
which (among others) contains a property currentUser containing the user who
has logged in and in whose account changes are performed. There is an
OCSComponent extends ERXComponent with generic component services (many of
which depend on session and/or its currentUser), and all my components inherit
this.

Now I've got a new request to allow a given user to connect to _one specific
page_ in the application through a specific URL _without a login_ and do his
work in that page.

I can easily generate an appropriate URL for a direct action, which would set up a
session and open the desired page; that's easy.

What I can't quite see is how to prevent the user from going elsewhere in the
application (e.g., by manually editing the URL) while staying logged in. Is there
some trick for that?

So far I could think of two solutions:

(i) add a property allowedPage to Session, and in my direct action set it up
appropriately. Then in the shared component awake at OCSComponent level I could
check whether this==allowedPage and log out the user if not.

This looks like a good solution, but I am not entirely sure whether I am not
overlooking some tricky way the user still might stay logged in and get to
another page (without its awake performed)... is it completely safe?

(ii) write completely new page code (ERXComponent-based, skipping OCSComponent
altogether) for the specific page, which would contain and use its own
component-level currentUser. The direct action would set this up and leave
session.currentUser empty.

This is self-evidently completely safe, but a _lot_ of legwork :/

Can you see another, better solution? Or can you see that (i) is indeed safe
enough?

Thanks and all the best (especially happy and successful new year),
OC
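
Option (i) from the message above, modelled in plain Java as an added example that is not part of the original post and is not WebObjects or Wonder code. `Session`, `Component`, storing `allowedPage` as a page name, and the sample user and page names are hypothetical stand-ins; the check compares the top-level page rather than `this`, on the assumption that subcomponents of the allowed page inherit the same base-class check.

```java
// Plain-Java model of option (i). Session and Component are hypothetical
// stand-ins, not the WebObjects/Wonder classes.
public class AllowedPageDemo {
    static class Session {
        String currentUser;   // null once logged out
        String allowedPage;   // null = normal login, no page restriction
        void logout() { currentUser = null; allowedPage = null; }
    }

    static class Component {
        final Session session; final String name; final Component parent;
        Component(Session session, String name, Component parent) {
            this.session = session; this.name = name; this.parent = parent;
        }
        // Top-level page this component is rendered in.
        Component page() { return parent == null ? this : parent.page(); }

        // Shared check, run before any page-specific work.
        // Returns true when the request may proceed.
        boolean awake() {
            if (session.currentUser == null) return false;  // not logged in
            String allowed = session.allowedPage;
            if (allowed == null) return true;                // regular login
            if (allowed.equals(page().name)) return true;    // allowed page or its subcomponent
            session.logout();                                // strayed: drop the login
            return false;
        }
    }

    public static void main(String[] args) {
        Session s = new Session();        // state the direct action would set up
        s.currentUser = "guest-user";     // constructed sample values
        s.allowedPage = "SpecialPage";
        Component special = new Component(s, "SpecialPage", null);
        Component table = new Component(s, "ItemTable", special);
        Component admin = new Component(s, "AdminPage", null);

        System.out.println(special.awake());  // the allowed page itself
        System.out.println(table.awake());    // subcomponent of the allowed page
        System.out.println(admin.awake());    // any other page logs the user out
        System.out.println(s.currentUser);    // login state after straying
        System.out.println(special.awake());  // allowed page after the logout
    }
}
```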


  • Follow-Ups:
    • Re: session/logged-in user valid for a specific component only?
      • From: Aaron Rosenzweig via Webobjects-dev <email@hidden>
    • Re: session/logged-in user valid for a specific component only?
      • From: Markus Ruggiero via Webobjects-dev <email@hidden>