Sorry, I don't think I did the best job explaining it. My approach is definately not the standard setup. The key here is abstraction; abstracting any group membership checks from templates. I'll try and lay it out a bit more simply:
Now, let's say you have one single template called message.cfm, and it can perform 4 actions: read, post, edit, delete. How that template knows what action to perform is based on the URL attribute passed (i.e. message.cfm?action=edit) - nothing special here. Now, the standard setup that I've seen goes as following: Most applications might have 3 user levels, admin, moderator, user. So, there will be a check in the processing portion of the message.cfm template that checks to see if the user has access to perform that action. So you have something like the following somewhere in the template: retrieve userlevel if userlevel=admin allowedtodelete=true allowedtoedit=true allowedtopost=true allowedtoread=true if userlevel=moderator allowedtodelete=false allowedtoedit=true allowedtopost=true allowedtoread=true if userlevel=user allowedtodelete=false allowedtoedit=false allowedtopost=true allowedtoread=true endif if URL.action=delete & allowedtodelete delete message end if Obviously this might not be the best example, but I think it should illustrate my point. So, based on whatever group the user is a member of, they'll be able to perform certain actions in the template message.cfm. What I don't like about the example above is that I had to hard-code those checks in the template - in other words, I am explicitly coding admin, moderator, and user into the file. What happens if I decide I want to add a super-moderator level to the whole application? Now I need to go into every file and update the processing section to include super-moderator; that could be very time-intensive. Now here's my solution. I want to abstract any group checking processing from the templates. The template shouldn't "care" about group names or users or what not, it just needs to know if it's allowed to do something. So, take the same example as above but rewrite it: <cf_securitycheck actions="delete,edit,post,read"> if url.action=delete & caller.actiondelete delete message end if Here's what happens: A user calls message.cfm?action=delete. The cf_securitycheck tag checks to see if the user is logged in. If the user is logged in, it then looks up the actions stored in the database for message.cfm (lets assume the file has previously been registered in the database and permissions have already been set). The simplified relational tables may look like this: FILE ACTIONS GROUPS message.cfm read users, admins, mods message.cfm post users, admins, mods message.cfm delete admins message.cfm edit admins, mods It looks in the database to see if the groups that the user is a member of have access to any of those actions. Then, any of the actions that the user is entitled to, it sets a variable to TRUE that the message.cfm template can see using the caller scope (i.e. cfset caller.deleteaction=true). So, let's say the user is a member of mods, it will return three variables set to TRUE to message.cfm: caller.actionread, caller.actionpost, and caller.actionedit. Now all you need to do in message.cfm is do a check to see if any of those variables were set to true and perform processing accordingly. Obviously it's somewhat complicated, and probably really database intensive, but it nicely abstracts any user processing from the end template (message.cfm in my example). This idea is purely theoretical right now as I haven't figured out all of the nitty gritty details. I might end up scrapping the idea because it is so database intensive, but I will still give it a try. For my application I may be adding and removing groups throughout the life of the application and I don't want to be adding group checks into the processing sections of the templates. So does that make any sense at all? Mike ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217320 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
