Hi Jesse Thanks, thought there had to be some reason. Will take a look and see how to implement this.
Thanks Venkat -----Original Message----- From: Ciancetta, Jesse E. [mailto:[email protected]] Sent: Friday, October 21, 2011 6:01 AM To: [email protected] Subject: RE: RegionWidgetPreference Model Question Hi Venkat, When we first started putting all the models in place we tried to limit bidirectional relationships with the thinking that it would be easier for others who wanted to implement their own repository layer using something other than JPA with a RDBMS on the backend. However I think we ran into a number of cases where that really just didn't make sense to enforce which is why you see a mix of unidirectional and bidirectional JPA relationships in the codebase. I'd say if it makes the security code easier to work with then it would be fine to add the relationship back up to RegionWidget. Keep in mind however that we really probably don't want to trust the caller when doing the security checks -- so in other words even if you can get the RegionWidget from the RegionWidgetPreference passed into the service layer you probably don't want to just pull the user from that RegionWidget to check to be sure it is the same as the current authenticated user -- because if we do -- and if the RegionWidget instance that you get was created with values from something like a web form -- it may not be able to be trusted since someone could have put any values into the web form that they wanted. I know in this case that wouldn't be likely -- if you changed RegionWidgetPreference to have a relationship back up to RegionWidget then you'd probably change the rest service RegionWidgetApi to fetch the RegionWidget and populate it in the RegionWidgetPreference before trying to save it -- but the RegionWidgetService shouldn't make any assumptions about who called it and/or how the model objects it was passed were constructed. --Jesse >-----Original Message----- >From: Mahadevan, Venkat [mailto:[email protected]] >Sent: Thursday, October 20, 2011 4:07 PM >To: [email protected] >Subject: RegionWidgetPreference Model Question > >Hi > >I am working on the Security related task or models (RAVE-308) and >specifically looking at the RegionWidgetPreference model. Should there be a >reference to RegionWidget object instead of the regionWidgetId in this >model? > >This would be similar to the approach that we currently have on the Page >model where-in it refers the User object and not the userId. > > >-Venkat
