Scott Eade wrote:
> 
> Velocity question but I'm using tdk...
> 
> In theory I can check if a user has a particular
> permission using a pull tool.  The pull tool
> implements a method isAuthorizedGlobal()
> that takes a permission as a parameter.
> 
> In a regular velocity screen I can do this:
> 
>   #if (!$mypull.isAuthorizedGlobal("some_perm"))
>     $data.setRedirectURI($link.setAction("LogoutUser").getURI())
>     $data.setStatusCode(302)
>     #stop
>   #end
> 
> And thus the user is turned away if they get
> to this screen.

Not really sure if that's true :)

#stop causes a cessation of parsing, not of runtime evaluation.

> 
> Rather than putting this block of code at the
> top of every page I would rather go:
> 
> #checkAuthorizedGlobal("some_perm")
> 
> and have this velocimacro:
> 
> #macro (checkAuthorizedGlobal $permission)
>   #if (!$mypull.isAuthorizedGlobal($permission))
>     $data.setRedirectURI($link.setAction("LogoutUser").getURI())
>     $data.setStatusCode(302)
>     #stop
>   #end
> #end
> 
> With or without escaping the #stop velocity throws an
> exception while parsing the macro file:

[SNIP]

Yes - because the parser believes when it gets to #stop that the input
stream is ended - thus it throws an exception because structurally the
#if() is incomplete - it never sees the #end.  So is the #macro, btw.

Note that you shouldn't be able to even parse

#if($foo)
  #stop
#end

#stop is rather useless and we should remove it. :)

 
> If I totally remove the #stop it works, but the code
> following the call to #checkAuthorizedGlobal() is
> executed which is going to unnecessarily waste
> resources.
> 
> Is there a better way for me to code the #stop in the
> macro file?  Should I be able to code #stop in a
> macro anyway?

Don't use #stop - what you are trying to do is a permissioning and flow
control, and there are lots of ways around it using Velocity, in
general. (Not a Turbine user, so I can't help there.)

For example, having a master 'permission template', you can do something
like :

#if (!$mypull.isAuthorizedGlobal($permission))
     $data.setRedirectURI($link.setAction("LogoutUser").getURI())
     $data.setStatusCode(302)
#else
    #parse( $screenbodytemplate )
#end

and always put the template name of the body as $screenbodytemplate, and
always make the above the invoked/chosen template, then all content goes
through the test.

Another way might be to throw an exception from w/in the #macro() in
place of the #stop.  That should allow partial rendering.  I have never
tried that, however, and it would probably require modification to Turbine,
as you would want to catch that special Exception that indicates you are
just stopping rendering...

> I like the fact that this approach detaches the
> permission checking for the screen template from
> the screen classes, but I am cautious because it
> makes it so easy for someone with access to the
> templates to get around the security.  What do
> you think about this approach?
> 

This is a risk of the pull model, but can be mitigated with careful
design.  And if you fear 'people with access', then the non-pull
approach is also risky, as someone with access to the code can also do
it.  The thing to control is access to the production server :)

geir

-- 
Geir Magnusson Jr.                           [EMAIL PROTECTED]
System and Software Consulting
Developing for the web?  See http://jakarta.apache.org/velocity/
You have a genius for suggesting things I've come a cropper with!
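The "throw an exception in place of #stop" idea from the reply above, written out as an added example (not code from the thread, Turbine or Velocity); it assumes the Velocity 1.7 API, a hypothetical AuthTool pull tool, and an AccessDeniedException of our own. The point a defender cares about is that the template is rendered into a buffer first, so the partial output produced before the check fires is discarded rather than sent to the client.

```java
import java.io.StringWriter;
import java.util.Set;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.exception.MethodInvocationException;

public class PermissionGate {

    /** Thrown by the pull tool to abort rendering; stands in for #stop. */
    public static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String perm) { super("missing permission: " + perm); }
    }

    /** Hypothetical pull tool; a real one would consult the user's ACL. */
    public static class AuthTool {
        private final Set<String> granted;
        public AuthTool(Set<String> granted) { this.granted = granted; }
        public boolean isAuthorizedGlobal(String perm) { return granted.contains(perm); }
        /** Returns "" so the reference renders as nothing when the check passes. */
        public String requireGlobal(String perm) {
            if (!isAuthorizedGlobal(perm)) throw new AccessDeniedException(perm);
            return "";
        }
    }

    /** Constructed template: the heading is rendered before the check runs. */
    static final String TEMPLATE =
        "#macro(checkAuthorizedGlobal $p)$!auth.requireGlobal($p)#end\n"
      + "<h1>Report</h1>\n"
      + "#checkAuthorizedGlobal('some_perm')\n"
      + "<p>Sensitive body</p>\n";

    /** Returns the page, or null when access was denied (caller then sets the 302). */
    public static String render(VelocityEngine ve, AuthTool auth) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("auth", auth);
        StringWriter buf = new StringWriter();   // buffer, never the response stream
        try {
            ve.evaluate(ctx, buf, "gate", TEMPLATE);
            return buf.toString();
        } catch (MethodInvocationException e) {
            // Velocity wraps exceptions thrown by tool methods; unwrap ours
            if (e.getWrappedThrowable() instanceof AccessDeniedException) {
                return null;                     // partial "<h1>Report</h1>" is dropped
            }
            throw e;                             // anything else is a real error
        }
    }
}
```

A servlet or Turbine layer would call render() and, on null, send the redirect to LogoutUser instead of the buffer; in Velocity 1.7 VelocityEngine.evaluate() throws only runtime exceptions, so no further handling is needed.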
