In your case, you could make the administrator a 'user' itself so that /EditAccount.do works for both roles. However, I strongly suspect that in your action/view you would then have to write lots of if/else blocks to determine what to do and what to display.

Encapsulation is the key here. I would provide two separate actions: one for the currently logged-in user, and one for the administrator to edit any user account.

-Dan

----- Original Message -----
From: "Dan Allen" <[EMAIL PROTECTED]>
To: "Struts-User List" <[EMAIL PROTECTED]>
Sent: Sunday, March 23, 2003 11:03 AM
Subject: case study with security

> There have been several discussions on this list about how security
> should be loosely coupled with the ActionServlet itself (a filter on
> top of the application), but I am curious to know the best
> practice for handling the following type of case.
>
> Assume I have an action with a path of /EditAccount. Naturally, if a
> user is not logged in, this path should be protected via filtering.
> However, /EditAccount has two purposes: one for the regular user to
> edit his/her own account, but also for the administrator to edit any
> user account via the query string ?user=username. In this case, I
> have to check in the action class if the user is allowed to take on
> the role of another user, in which case the form is populated with
> that user's data or, if not, the form should populate with the
> user's own data.
>
> Is this something that is reasonable to do in the action, or should
> I create another action path /EditUserAccount?user=username and
> filter that to only admins and then forward to the /EditAccount once
> the proper credentials have been established, hence relieving the
> action behind /EditAccount from looking at any roles?
>
> Dan
>
> --
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Daniel Allen, <[EMAIL PROTECTED]>
> http://www.mojavelinux.com/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> "If you are going to play the game of trial and error,
> don't be surprised when the results are revealing. -- me"
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
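One way to carry out the two-action split suggested in the reply, as an added example that is not code from either poster and not the Struts project's own: two Struts 1.x Action classes (two source files shown in one block), with the struts-config.xml mapping they assume given in a comment. The regular-user action never reads the `user` query parameter at all, so the session principal alone chooses the record and there is no role branching left in it; the admin action is restricted at the mapping (the Struts 1.1 `roles` attribute, or equivalently a web.xml security-constraint on its path) and re-checks the role itself as defense in depth. The `User` bean, the `"user"` session attribute set at login, the `admin` role name, the forward names and the `UserDao.findByUsername` lookup are all assumptions for illustration.

```java
// --- EditAccountAction.java ---
// Assumed struts-config.xml mappings (illustrative, not from the thread):
//   <action path="/EditAccount"     type="example.EditAccountAction"     name="accountForm" scope="request">
//     <forward name="edit" path="/editAccount.jsp"/>
//     <forward name="login" path="/login.jsp"/>
//   </action>
//   <action path="/EditUserAccount" type="example.EditUserAccountAction" name="accountForm" scope="request"
//           roles="admin">
//     <forward name="edit" path="/editAccount.jsp"/>
//     <forward name="list" path="/listUsers.jsp"/>
//   </action>
package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Regular users edit their own account only. No role logic lives here. */
public class EditAccountAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // Assumption: the login action stored the authenticated User bean under "user".
        User current = (User) request.getSession().getAttribute("user");
        if (current == null) {
            return mapping.findForward("login");
        }
        // Deliberately ignore any ?user=... parameter: the principal in the session,
        // not a client-supplied name, selects the record to edit.
        request.setAttribute("account", current);
        return mapping.findForward("edit");
    }
}

// --- EditUserAccountAction.java ---
package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Administrators edit any account named in the query string. */
public class EditUserAccountAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // The mapping's roles="admin" (or a web.xml constraint) should already have
        // rejected non-admins; re-checking here keeps the action safe if that is misconfigured.
        if (!request.isUserInRole("admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        String username = request.getParameter("user");
        if (username == null || username.trim().length() == 0) {
            return mapping.findForward("list");
        }
        // Assumption: UserDao.findByUsername returns null when no such account exists.
        User target = UserDao.findByUsername(username.trim());
        if (target == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }
        request.setAttribute("account", target);
        // Both actions forward to the same JSP, so the view needs no role checks either.
        return mapping.findForward("edit");
    }
}
```

Because the two paths are distinct, an unauthenticated-access filter can protect both, while only /EditUserAccount.do needs the admin role; a regular user who appends ?user=someoneelse to /EditAccount.do gets their own form regardless, which is the property the original question was after.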

