Managing users' permissions through the sitemap
Hi everybody,

I have a problem, maybe simple, but I don't know how to deal with it. I'm sure some of you have enough skills and experience to help me :)

In my database, I've got a table managing the users' permissions. There's a global menu (for all the users). To know if a user is allowed to open a link from this menu, I need the user identifier (given by a session attribute) and another identifier (like a request parameter which comes along with the link, for example).

Then, I want to check in my DB and:
- if it's OK, open the link
- if not, display an error message

I guess I need to manage this at the sitemap level but I don't know what to use. Currently, I'm using an Authentication action which allows a logged-in user to access the whole site but, as you can see, I want to be more restrictive for some sections of the site.

Any idea would be welcome, thx in advance!

Amelie
Re: Managing users' permissions through the sitemap
Hi Amelie,

I do a similar thing, and I use an XSP with some scripting in it. Here's the XSP. It's not through the sitemap, but maybe this helps you.

Yves

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <xsp:page language="java"
              xmlns:xsp="http://apache.org/xsp"
              xmlns:esql="http://apache.org/cocoon/SQL/v2"
              xmlns:xsp-request="http://apache.org/xsp/request/2.0"
              xmlns:xsp-session="http://apache.org/xsp/session/2.0"
              create-session="true">
      <html>
        <esql:connection>
          <esql:pool>pierrefabre</esql:pool>
          <esql:execute-query>
            <!-- request values are bound as prepared-statement parameters,
                 not concatenated into the SQL string -->
            <esql:query>
              select * from tblLogin
              where name = <esql:parameter type="string"><xsp-request:get-parameter name="username"/></esql:parameter>
                and password = <esql:parameter type="string"><xsp-request:get-parameter name="password"/></esql:parameter>
            </esql:query>
            <!-- a matching row: mark the session as logged in and go to the site -->
            <esql:results>
              <xsp-session:set-attribute name="user">admin</xsp-session:set-attribute>
              <body onload="window.location = './../frames.html'"></body>
            </esql:results>
            <!-- no matching row: show an error and return to the login page -->
            <esql:no-results>
              <head>
                <link rel="stylesheet" type="text/css" href="./../css/pierrefabre.css"/>
                <title>Pierre Fabre Médicament</title>
                <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
                <meta http-equiv="pragma" content="no-cache"/>
              </head>
              <body class="homepage"
                    onload="window.alert ('Username or password not correct') ; window.location = './../admin/password.html'">
              </body>
            </esql:no-results>
          </esql:execute-query>
        </esql:connection>
      </html>
    </xsp:page>

--
Kind regards,
Yves Vindevogel
Implements
Kempische Steenweg 206 -- 3500 Hasselt -- Belgium
Phone/Fax: +32 (11) 43.55.76 -- Mobile: +32 (478) 80.82.91
Mail: [EMAIL PROTECTED] -- www.implements.be

Quote: The winner never says participating is more important than winning.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
AW: Managing users' permissions through the sitemap
hi amelie (always reminds me of that wonderful movie ;-),

since I've not yet looked into/used the authentication framework, my first thought would be another authorization action. you supply the action with the respective parameters or let the action grab it from the session, etc. from within your action you check if the user is authorized. in case of non authorized access you return null, otherwise you return a map (empty or containing some sitemap parameters you want to set).

then within the pipeline the delivery of the protected content goes into the action block (since what's here only gets executed if the action returned something not null). the pipeline steps for unauthorized access would follow the action block.

example:

    ...
    <map:match pattern="protected/**.xml">
      <map:act type="my-custom-auth-action">
        <map:parameter name="resource" value="{0}"/><!-- {0} - e.g. protected/foo.xml -->
        <!-- execute following if action succeeded (returned non-null) -->
        <map:generate src="protected-stuff/{../1}.xml"/>
        ...
        <map:serialize type="html"/>
      </map:act>
      <!-- execute following if action didn't succeed (returned null) -->
      <map:read mime-type="text/html" src="unauthorized.html"/>
    </map:match>
    ...

just an example off of the top of my head.

regarding the term 'open the link'. just to prevent a misunderstanding; when the user clicks a link, this triggers a request which is to be handled (in this case by the sitemap). thus, you handle the request, but maybe differently depending on context (authorization in this case). so you either deliver a respective response to the request (as in the example above; authorized - deliver protected content, unauthorized - deliver error page), or you prevent the user from being able to click the link in the first place. for this you'd have to do the authorization earlier and adapt the response correspondingly.

HTH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Amelie Cordier
Sent: Monday, 31 March 2003 22:36
To: [EMAIL PROTECTED]
Subject: Managing users' permissions through the sitemap
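The authorization action described in the reply above could look like the following. This is an added example, not code from the thread or from the Cocoon distribution. The class name, the session attribute `user`, the table `user_permissions(user_id, resource)` and the JNDI name `jdbc/site` are assumptions; the `resource` parameter is the one passed by `map:parameter` in the sitemap example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.Map;
import javax.naming.InitialContext;
import javax.sql.DataSource;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.cocoon.acting.AbstractAction;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;
import org.apache.cocoon.environment.SourceResolver;

public class PermissionAction extends AbstractAction {
    // Hypothetical schema: one row per (user, resource) the user may open.
    private static final String SQL =
        "SELECT 1 FROM user_permissions WHERE user_id = ? AND resource = ?";

    public Map act(Redirector redirector, SourceResolver resolver, Map objectModel,
                   String source, Parameters parameters) throws Exception {
        Request request = ObjectModelHelper.getRequest(objectModel);
        // The user id is read from the server-side session only, never from
        // a request parameter, so a client cannot claim another user's id.
        Session session = request.getSession(false); // do not create a session here
        Object userId = (session == null) ? null : session.getAttribute("user");
        String resource = parameters.getParameter("resource", null);
        if (userId == null || resource == null) {
            return null; // not logged in or sitemap misconfigured: deny
        }
        // Assumed JNDI data source name.
        DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/site");
        try (Connection con = ds.getConnection();
             PreparedStatement ps = con.prepareStatement(SQL)) {
            ps.setString(1, userId.toString()); // bound, not concatenated
            ps.setString(2, resource);
            try (ResultSet rs = ps.executeQuery()) {
                // Empty map: run the nested pipeline. null: fall through to the error page.
                return rs.next() ? Collections.EMPTY_MAP : null;
            }
        } catch (SQLException e) {
            getLogger().error("Permission lookup failed for " + resource, e);
            return null; // fail closed when the database cannot be queried
        }
    }
}
```

Every path that cannot positively confirm a permission row returns null, so a missing session, a missing parameter or a database error all lead to the unauthorized branch of the pipeline.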