> Sorry,
> I don't think I did the best job explaining it.
> My approach is definitely not the standard setup.
> The key here is abstraction; abstracting any group
> membership checks from templates. I'll try and
> lay it out a bit more simply:

Hey Mike, you might have a look at the onTap framework's Members onTap
plugin, because it uses some similar concepts for handling
permissions. Even if you don't use the framework, you might be able to
get some ideas from it.

Rather than storing a record for each template, part of the template
path (excluding the file extension, i.e. .cfm) is prepended to the
unique identifier for each process
(function|entitlement|permission)... So for instance, you can have

/admin/index.cfm = admin/index
/admin/member/index.cfm = admin/member/index
/admin/member/index.cfm?netaction=edit = admin/member/index/edit

The process path (the right side of the equal sign) is the unique
identifier used for each permission. Information about the current
user is retrieved from the session scope in the Application.cfm or
during the onRequestStart event of the Application.cfc. Once that data
is available, you can then call the permission function against any
permission in the system on any page like so:

<cfif request.tapi.permit("admin/member/index/edit")>
        ... display link to member edit page ...
</cfif>

This function is called once automatically for each request to ensure
the user has permission to use the requested process and if not the
user is redirected to the login page. Once they log in, any form or
url data that had been provided to the page prior to sending them to
the login is then returned to that page to complete their requested
process.

Also, because the permission path is abstract, there's no necessary
relationship between the permission path and a file... If you want a
permission to determine if a user can see something on a page without
creating a separate process/template for that page, all you have to do
is append your desired string to the path for the parent process, and
you can use a special character if you really want to make a clear
distinction between the file/process permission and a virtual
permission, i.e. admin/member/index/edit/$preferences to determine if
the current user can change someone else's preferences.

Since all the data to drive this authentication model is stored in the
application (roles and permissions) or session (member data) scope you
don't have to worry about extra database traffic on each request.


s. isaac dealey     954.522.6080
new epoch : isn't it time for a change?

add features without fixtures with
the onTap open source framework

http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm
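
An added sketch of the scheme described in the message above, not code from the message or from the onTap framework. The function names processPath and permit, the role names and the rule restricting netaction to a plain token are assumptions made for illustration.

```cfml
<cfscript>
// Added illustration; these functions are hypothetical, not the onTap API.

// Build the abstract process path from the template path and optional netaction.
function processPath(required string scriptName, string netaction = "") {
    // Strip leading slashes and the .cfm extension: /admin/index.cfm -> admin/index
    var path = reReplaceNoCase(arguments.scriptName, "^/+|\.cfm$", "", "all");
    if (len(arguments.netaction)) {
        // netaction arrives in the URL, so accept only a plain token; slashes,
        // dots or "$" could otherwise reshape the path into a different permission.
        if (!reFind("^[A-Za-z0-9_]+$", arguments.netaction)) {
            return "";
        }
        path &= "/" & arguments.netaction;
    }
    return lCase(path);
}

// Deny by default: true only when one of the user's roles lists the exact path.
function permit(required string path, required array userRoles, required struct rolePermissions) {
    if (!len(arguments.path)) {
        return false;
    }
    for (var role in arguments.userRoles) {
        if (structKeyExists(arguments.rolePermissions, role)
            && arrayFindNoCase(arguments.rolePermissions[role], arguments.path)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: the role map as it would sit in the application
// scope, and the current user's roles as they would sit in the session scope.
rolePermissions = {
    "memberAdmin": ["admin/index", "admin/member/index", "admin/member/index/edit"],
    "superAdmin": ["admin/member/index/edit/$preferences"]
};
userRoles = ["memberAdmin"];

// File/process permission built from the request
writeOutput(permit(processPath("/admin/member/index.cfm", "edit"), userRoles, rolePermissions) & "<br>");
// Virtual permission checked by its literal path
writeOutput(permit("admin/member/index/edit/$preferences", userRoles, rolePermissions) & "<br>");
// netaction that is not a plain token yields an empty path, which permit denies
writeOutput(permit(processPath("/admin/member/index.cfm", "../index"), userRoles, rolePermissions) & "<br>");
</cfscript>
```

Both lookups read only in-memory structures, which matches the point about avoiding database traffic on each request.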

