Managing users' permissions through the sitemap

2003-03-31 Thread Amelie Cordier
Hi everybody,

I have a problem, maybe simple, but I don't know how to deal with it.
I'm sure some of you have enough skills and experience to help me :)
In my database, I've got a table managing the users' permissions.
There's a global menu (for all the users).
To know if a user is allowed to open a link from this menu, I need the
user identifier (given by a session attribute) and another identifier
(like a request parameter which comes along with the link, for example).
Then, I want to check in my DB and:
- if it's OK, open the link
- if not, display an error message
I guess I need to manage this at the sitemap level but I don't know what
to use.
Currently, I'm using an Authentication action which allows a logged-in user
to access the whole site but, as you can see, I want to be more
restrictive for some sections of the site.
Any idea would be welcome, thx in advance!

Amelie







Re: Managing users' permissions through the sitemap

2003-03-31 Thread Yves Vindevogel
Hi Amelie,

I do a similar thing, and I use an XSP with some scripting in it.
Here's the XSP

It's not through the sitemap, but maybe this helps you.

Yves

<?xml version="1.0" encoding="ISO-8859-1"?>

<xsp:page language="java"
    xmlns:xsp="http://apache.org/xsp"
    xmlns:esql="http://apache.org/cocoon/SQL/v2"
    xmlns:xsp-request="http://apache.org/xsp/request/2.0"
    xmlns:xsp-session="http://apache.org/xsp/session/2.0"
    create-session="true">

<html>

<esql:connection>
    <esql:pool>pierrefabre</esql:pool>

    <esql:execute-query>
        <!-- Request values are bound with esql:parameter (prepared statement)
             rather than pasted between quotes in the SQL text, so a crafted
             username or password cannot change the query. -->
        <esql:query>
            select * from tblLogin
            where name = <esql:parameter type="string"><xsp-request:get-parameter name="username"/></esql:parameter>
            and password = <esql:parameter type="string"><xsp-request:get-parameter name="password"/></esql:parameter> ;
        </esql:query>

        <!-- A matching row was found: mark the session and go to the site -->
        <esql:results>
            <xsp-session:set-attribute name="user">admin</xsp-session:set-attribute>

            <body onload="window.location = './../frames.html'"></body>
        </esql:results>

        <!-- No matching row: show an error and return to the login page -->
        <esql:no-results>
            <head>
                <link rel="stylesheet" type="text/css" href="./../css/pierrefabre.css"/>
                <title>Pierre Fabre Médicament</title>
                <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
                <meta http-equiv="pragma" content="no-cache"/>
            </head>

            <body class="homepage"
                  onload="window.alert ('Username or password not correct') ; window.location = './../admin/password.html'">
            </body>
        </esql:no-results>
    </esql:execute-query>

</esql:connection>
</html>
</xsp:page>



-- 
Met vriendelijke groeten,
Kind regards,
Bien à vous,

Yves Vindevogel

Implements
Kempische Steenweg 206  --  3500 Hasselt  --  Belgium
Phone/Fax: +32 (11) 43.55.76  --  Mobile: +32 (478) 80.82.91
Mail: [EMAIL PROTECTED]  --  www.implements.be

Quote: The winner never says participating is more important than winning.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Managing users' permissions through the sitemap

2003-03-31 Thread Marco Rolappe
hi amelie (always reminds me of that wonderful movie ;-),

since I've not yet looked into/used the authentication framework, my first
thought would be another authorization action.

you supply the action with the respective parameters or let the action grab
it from the session, etc.  from within your action you check if the user is
authorized. in case of non authorized access you return null, otherwise you
return a map (empty or containing some sitemap parameters you want to set).

then within the pipeline the delivery of the protected content goes into the
action block (since what's here only gets executed if the action returned
something not null). the pipeline steps for unauthorized access would follow
the action block.

example:

...

<map:match pattern="protected/**.xml">
    <map:act type="my-custom-auth-action">
        <map:parameter name="resource" value="{0}"/> <!-- {0} - e.g. protected/foo.xml -->

        <!-- execute following if action succeeded (returned non-null) -->
        <map:generate src="protected-stuff/{../1}.xml"/>
        ...
        <map:serialize type="html"/>
    </map:act>

    <!-- execute following if action didn't succeed (returned null) -->
    <map:read mime-type="text/html" src="unauthorized.html"/>
</map:match>
...

just an example off of the top of my head.

regarding the term 'open the link'. just to prevent a misunderstanding; when
the user clicks a link, this triggers a request which is to be handled (in
this case by the sitemap). thus, you handle the request, but maybe
differently depending on context (authorization in this case). so you either
deliver a respective response to the request (as in the example above;
authorized - deliver protected content, unauthorized - deliver error
page), or you prevent the user from being able to click the link in the
first place. for this you'd have to do the authorization earlier and adapt
the response correspondingly.

HTH

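One way to write the custom authorization action described in the last reply, as an added example that is not code from the thread or from the Cocoon project. It assumes Cocoon 2.0-era Avalon APIs (`ComposerAction`, `DataSourceComponent`), the `user` session attribute and `resource` sitemap parameter used earlier in the thread, and two hypothetical names: a `pool` sitemap parameter naming the datasource and a table `tblPermission(userid, resource)`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Collections;
import java.util.Map;

import org.apache.avalon.excalibur.datasource.DataSourceComponent;
import org.apache.avalon.framework.component.ComponentSelector;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.cocoon.acting.ComposerAction;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Session;
import org.apache.cocoon.environment.SourceResolver;

public class ResourceAuthAction extends ComposerAction {

    public Map act(Redirector redirector, SourceResolver resolver, Map objectModel,
                   String source, Parameters par) throws Exception {
        // Identity comes from the server-side session only, never from the request.
        Session session = ObjectModelHelper.getRequest(objectModel).getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        String resource = par.getParameter("resource", null);
        if (user == null || resource == null) {
            return null; // fail closed: the sitemap falls through to unauthorized.html
        }

        ComponentSelector selector =
            (ComponentSelector) manager.lookup(DataSourceComponent.ROLE + "Selector");
        DataSourceComponent ds = null;
        Connection conn = null;
        try {
            ds = (DataSourceComponent) selector.select(par.getParameter("pool"));
            conn = ds.getConnection();
            // Hypothetical schema; both values are bound, not concatenated.
            PreparedStatement st = conn.prepareStatement(
                "SELECT 1 FROM tblPermission WHERE userid = ? AND resource = ?");
            st.setString(1, user.toString());
            st.setString(2, resource);
            ResultSet rs = st.executeQuery();
            boolean allowed = rs.next();
            rs.close(); st.close();
            // Non-null map runs the nested pipeline; null skips it.
            return allowed ? Collections.EMPTY_MAP : null;
        } finally {
            if (conn != null) conn.close();
            if (ds != null) selector.release(ds);
            manager.release(selector);
        }
    }
}
```

Any exception thrown during the lookup propagates instead of returning a map, so a database failure never grants access.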