[Bese-devel] unwinding
Marco Baringer
mb at bese.it
Tue Sep 27 19:28:04 UTC 2005
Jan Rychter <jan at rychter.com> writes:
> On a related note, I believe this functionality should be part of
> UCW. UCW should fully handle sessions and authorization, but not user
> credentials handling -- so it should have an API for hooking in user
> credential checking.
fair enough, every app i've ever written has dealt with that stuff.
> This will not be a simple API, because it isn't UCW's job to specify how
> a user should log in or what the credentials actually are, so external
> code will need to interact with UCW here. But UCW should provide
> login/logout functionality and access rights checking at every point.
by login/logout functionality do you mean something more than the
login component? (maybe the login component needs to handle provide a
logout button?)
we can provide a simple component level hook with something like this:
  ;; runs before every component call; FROM is the caller, TO the callee
  (defmethod/cc call-component :before ((from standard-component) (to standard-component))
    (unless (check-user-credentials from to)
      (handle-bad-credentials from to)))
this would allow you to show/block each and every component depending
on the value returned by check-user-credentials,
handle-bad-credentials is an action which specifies what to do in the
case of bad credentials. these methods would be built in:
  ;; default check: every call is allowed
  (defaction check-user-credentials ((from standard-component) (to standard-component))
    t)
  ;; default handler: show an error component instead of TO
  (defaction handle-bad-credentials ((from standard-component) (to standard-component))
    (call 'error-message :message "Unauthorized."))
[since the 'error-message component does not provide a link which
calls ANSWER this method effectively blocks the primary call-component
method from ever being called.]
could this be a start? are you suggesting we go even farther and make
users, roles, acls and privileges 'first-class' ucw concepts?
--
-Marco
Ring the bells that still can ring.
Forget the perfect offering.
There is a crack in everything.
That's how the light gets in.
-Leonard Cohen
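
The hook proposed in the message above, sketched as an added example in plain CLOS; this is not part of the original message and not UCW code. `*current-roles*`, `order-list` and `admin-panel` are hypothetical, and an `:around` method stands in for UCW's `defmethod/cc` `:before` plus a non-answering component.

```lisp
;;; Added example in plain CLOS (no UCW). *current-roles* and the
;;; order-list / admin-panel classes are hypothetical stand-ins.
(defvar *current-roles* '()
  "Roles of the logged-in user; stand-in for UCW session state.")

(defclass standard-component () ())
(defclass order-list (standard-component) ())
(defclass admin-panel (standard-component) ())

(defgeneric check-user-credentials (from to)
  (:documentation "True if FROM may call TO for the current user."))

;; Default from the message: allow every call.
(defmethod check-user-credentials ((from standard-component)
                                   (to standard-component))
  t)

;; Per-component policy: ADMIN-PANEL requires the :admin role,
;; whichever component the call comes from.
(defmethod check-user-credentials ((from standard-component)
                                   (to admin-panel))
  (and (member :admin *current-roles*) t))

(defgeneric handle-bad-credentials (from to))
(defmethod handle-bad-credentials ((from standard-component)
                                   (to standard-component))
  (list :error-message "Unauthorized."))

(defgeneric call-component (from to))
(defmethod call-component ((from standard-component)
                           (to standard-component))
  (list :called (class-name (class-of to))))

;; A plain CLOS :before method cannot stop the primary method without a
;; non-local exit, so this sketch uses :around and skips CALL-NEXT-METHOD.
(defmethod call-component :around ((from standard-component)
                                   (to standard-component))
  (if (check-user-credentials from to)
      (call-next-method)
      (handle-bad-credentials from to)))

(defun demo ()
  "Three calls: denied, allowed by role, allowed by the default method."
  (let ((from (make-instance 'order-list))
        (admin (make-instance 'admin-panel)))
    (list (let ((*current-roles* '(:user))) (call-component from admin))
          (let ((*current-roles* '(:admin))) (call-component from admin))
          (let ((*current-roles* '())) (call-component from from)))))
```

Because the default method returns `t`, a component without its own `check-user-credentials` method stays reachable with no roles at all; having the default return `nil` would make the hook fail closed.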