I would like to hear about this too, mainly just to have examples.

Regarding security and CCVs, here's what I do if all my efforts fail to
keep a person from accessing a page they shouldn't (e.g. if they use a link
in the browser history):
check the security level in the prefuseaction phase, which allows me to run
a different (i.e. default) fuseaction if the user does not have permissions. In
doing so, I set a CCV:
    <cfset content.UserMessage = "You must login to view the requested page - thanks.">

Then this content variable gets displayed at the top of whatever page. I
can use this area for non-critical messages too. This might be awfully
simplistic for what you were asking, though. The point is, they don't get a
giant error message or a "GO BACK". They are automatically redirected and
the message is there at the top in case they're wondering why. I format my
user messages like Gmail's user messages - hey, give the users something
they might expect....


Mark





> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> My approach is different.  I believe that the user should
> never see an access security message.  Users should only be
> able to view/invoke processes for which they have permission.
>  Menu items, submit buttons, modification forms or fields
> which need to be protected should be done so by the system.
> If there are security related functions access level should
> determine whether they are available.
>
> It is appropriate to disable an option but the user should
> not get a message that says "Hey dork, you can't do that."
>
> If a user has not logged in or has timed out just re-direct
> them to the appropriate login form (with a possible re-direct
> back to the desired function).

I agree with you, and had I been the one to architect the application I am
working on, the approach would have been MUCH different. However, I am making
some changes to a pre-existing application where the budget does not allow
for me to make major changes.... I will use one of the alternate approaches
I have been toying with.

This does raise a larger question though... if you throw exceptions or
exceptions are thrown what is the best way to catch them, assuming you want
to notify the user of the exception. Outside of fusebox this is easy for me
to do, but once inside MVC Fusebox using CCVs for assembling layouts and
content it becomes tricky... at least using a plugin to direct traffic so to
speak. I would definitely like to hear how others approach this within the
confines of MVC Fusebox / CCVs.

Mike
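
The pre-fuseaction check from the first reply and the login redirect with return from the quoted message, sketched as an added example that is not part of the original thread and is not Fusebox code: a small Python model of the dispatch step. All names here (REQUIRED_LEVEL, pre_fuseaction, after_login, the fuseaction names, the levels and the second message text) are assumptions made for illustration.

```python
# Constructed model of a front controller's pre-fuseaction step.
# Hypothetical names throughout; this is not the Fusebox API.

# fuseaction -> minimum security level needed (constructed sample data)
REQUIRED_LEVEL = {
    "home.welcome": 0,
    "home.login": 0,
    "reports.view": 1,
    "admin.editUser": 2,
}
DEFAULT_FUSEACTION = "home.welcome"
LOGIN_FUSEACTION = "home.login"
LOGIN_MESSAGE = "You must login to view the requested page - thanks."
DENIED_MESSAGE = "That page is not available to your account."


def pre_fuseaction(requested, session, content):
    """Runs before every request; returns the fuseaction to actually execute."""
    required = REQUIRED_LEVEL.get(requested)
    level = session.get("level")  # None means not logged in or timed out

    if required is None:
        # Unknown or tampered fuseaction name: deny by default.
        content["UserMessage"] = DENIED_MESSAGE
        return DEFAULT_FUSEACTION
    if required == 0 or (level is not None and level >= required):
        return requested
    if level is None:
        # Keep the target server-side so the return trip cannot be pointed
        # at an arbitrary URL supplied in the request.
        session["return_to"] = requested
        content["UserMessage"] = LOGIN_MESSAGE
        return LOGIN_FUSEACTION
    # Logged in but under-privileged: default page plus a short notice.
    content["UserMessage"] = DENIED_MESSAGE
    return DEFAULT_FUSEACTION


def after_login(session, content):
    """Resume the remembered target, re-checking it at the new level."""
    target = session.pop("return_to", DEFAULT_FUSEACTION)
    return pre_fuseaction(target, session, content)
```

The check runs on every request regardless of which menu items were rendered, which is what covers the browser-history case.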


