[Bese-devel] Re: Access Control best practice
Marco Baringer
mb at bese.it
Tue Nov 21 22:01:27 UTC 2006
"Vagif Verdi" <vagif at cox.net> writes:
> <quote>
> i generally have three parts to an app, the public part, the private
> part and the backoffice. by using a custom dispatcher and ordering the
> entry points i can "easily" (easy for me at least) control who sees
> what:
>
> (list
>  action-handler
>  public-entry-points
>  ...
>  (redirect-unless-logged-in)
>  ...
>  private-entry-points
>  ...
>  (redirect-unless-admin)
>  ...
>  backoffice)
>
> so i generally check for logged-in-ness whenever accessing a new
> entry-point.
> </quote>
>
> I like this approach, because you are writing code to check if the user is
> logged in only one time.
> And it would be great to see a particular example included in ucw.

ok, i'll dig up the for the custom dispatchers.

> <quote>
> ...i do have methods defined on actions which require a login:
>
> (defaction whatever :before ((comp my-private-component) &rest other-args)
>   (declare (ignore other-args))
>   (unless (logged-in-p (get-session-value 'user))
>     (call 'login-component)))
>
> [:before actions rock! by doing this i can call my login component,
> which is sometimes a login-or-register component from anywhere in my
> app and have it do the Right Thing(TM)]
> </quote>
>
> This approach I do not like (or maybe I misunderstand it).
> Do you mean that you have to write :before actions for every one of your 50
> pages?

i have hundreds of pages, but only one (or three) way to get at them
so i only write the before method once (or thrice) for the one (or
three) components which present the 'main menu' for the backoffice.

for example: whenever we want to add a new adoption we need to be
logged in, so the add-adpotion defaction has a before method like the
one above. actually adding an adoption requires 5 different pages (and
about 8 components) but since there's only one way to get at them i
only have one method to worry about. most of my 'pages' are just calls
to component so the url is always index.ucw?s=...&f=...&a=...

do you actually have 50 different public pages all of which should be
book-mark-able? if you do you're slightly out of luck (unless you convert
them all into task-components)

--
-Marco
Ring the bells that still can ring.
Forget your perfect offering.
There is a crack in everything.
That's how the light gets in.
-Leonard Cohen
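
A stand-alone Common Lisp model of the ordered dispatcher list discussed in this thread, added here as an illustration; it is not code from the thread or from UCW, and every name in it (entry, gate, dispatch, reachable-paths, the session plist) is hypothetical. It also lists which entry points each kind of session is actually served, a check that catches a private entry point placed ahead of its gate.

```lisp
;;; Added illustration, not UCW code: a stand-alone model of the ordered
;;; dispatcher list. All names here are hypothetical.

(defstruct entry path handler)          ; serves requests for PATH
(defstruct gate predicate redirect-to)  ; halts the walk unless PREDICATE holds

(defun logged-in-p (session)
  (not (null (getf session :user))))

(defun admin-p (session)
  (and (logged-in-p session) (eq (getf session :role) :admin)))

;; Order is the access policy: everything listed after a gate inherits it.
(defparameter *dispatchers*
  (list (make-entry :path "/index" :handler (constantly :index-page))
        (make-entry :path "/login" :handler (constantly :login-form))
        (make-gate :predicate #'logged-in-p :redirect-to "/login")
        (make-entry :path "/account" :handler (constantly :account-page))
        (make-gate :predicate #'admin-p :redirect-to "/login")
        (make-entry :path "/backoffice" :handler (constantly :backoffice))))

(defun dispatch (path session &optional (dispatchers *dispatchers*))
  "Walk DISPATCHERS in order; return (:ok x), (:redirect p) or (:not-found p)."
  (dolist (d dispatchers (list :not-found path))
    (etypecase d
      (gate  (unless (funcall (gate-predicate d) session)
               (return (list :redirect (gate-redirect-to d)))))
      (entry (when (string= path (entry-path d))
               (return (list :ok (funcall (entry-handler d) session))))))))

(defun reachable-paths (session &optional (dispatchers *dispatchers*))
  "Paths SESSION is actually served; compare with the intended policy."
  (loop for d in dispatchers
        when (and (entry-p d)
                  (eq :ok (first (dispatch (entry-path d) session dispatchers))))
          collect (entry-path d)))

;; Constructed sessions: anonymous, ordinary member, admin.
(dolist (session (list '() '(:user "bob" :role :member) '(:user "alice" :role :admin)))
  (format t "~S can reach ~S~%" session (reachable-paths session)))

;; A private entry point listed ahead of its gate is served to everyone;
;; the same check exposes the mistake.
(let* ((account (fourth *dispatchers*))
       (misordered (cons account (remove account *dispatchers*))))
  (format t "misordered list, anonymous reaches ~S~%"
          (reachable-paths '() misordered)))
```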