on 12/26/99 7:40 PM, Dave <[EMAIL PROTECTED]> wrote:
> Currently though, the only way to
> absolutely keep someone out of the admin screens and actions is to put a
> "security check" into each screen and action. Although this works, it seems
> kind of redundant. The only other way around this (that I currently see)
> would be to create an admin "page". Is this something we would want to do?
Yes, this is an issue that I have been trying to think about for some time
now.
There are two major things to think about:
#1. Screen level access. For instance, does this user have access to see
this screen?
#2. Content level access. For instance, does this user have access to see or
modify this content?
To solve #1, I think that there are a few ways to go about it. The first way
would be to create a "base" screen that other Screens extend. In the base
screen, you set the level of permission that a user has. If the user does
not have the necessary permission levels, then reject the user to a defined
"safe" screen.
The second way would be to define interfaces that the Screen implements.
Then, by using instanceof, a "SecurityCheck" screen could filter requests
depending on the user access level and requested screen.
A third way to do it is to do as you suggest and do the access checking at
the top of the screen and copy/paste code.
A fourth way to do it is to extend the Screen interface. When the Page
module asks a Screen for its layout, there could be a check for permissions
there as well.
All of these solutions are valid... I think that it just depends on what your
goals are for the particular application. It is nice that Turbine doesn't
inhibit you here. ;-)
To solve #2, I don't think that there is a perfect solution since it is very
application specific.
-jon
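
The first approach in the message above (a "base" screen that holds the permission check), as an added example that is not part of the original message and is not Turbine code. `SecureScreen`, `Permission`, `User` and the "Login" safe screen are hypothetical names; the entry point is final so a subclass cannot skip the check, and a missing user fails closed.

```java
import java.util.Set;

// Hypothetical types for illustration; these are not Turbine's classes.
// Uses a record, so it needs Java 16 or later.
public class ScreenAccessDemo {
    enum Permission { VIEW, ADMIN }

    record User(String name, Set<Permission> granted) {}

    /** Base screen: the permission check lives here, once. */
    static abstract class SecureScreen {
        // Assumed name of the "safe" screen that rejected users are sent to.
        private static final String SAFE_SCREEN = "Login";

        /** Permission this screen requires; every subclass must declare one. */
        protected abstract Permission required();

        /** Screen body; reached only after the check has passed. */
        protected abstract String doBuild(User user);

        /** final, so a subclass cannot override its way around the check. */
        public final String build(User user) {
            // Fail closed: no user, or no matching grant, means the safe screen.
            if (user == null || !user.granted().contains(required())) {
                return SAFE_SCREEN;
            }
            return doBuild(user);
        }
    }

    static class AdminUsersScreen extends SecureScreen {
        @Override protected Permission required() { return Permission.ADMIN; }
        @Override protected String doBuild(User user) {
            return "AdminUsers for " + user.name();
        }
    }

    public static void main(String[] args) {
        SecureScreen screen = new AdminUsersScreen();
        // Constructed sample users.
        User admin = new User("alice", Set.of(Permission.VIEW, Permission.ADMIN));
        User guest = new User("bob", Set.of(Permission.VIEW));

        System.out.println(screen.build(admin)); // holds ADMIN: screen body runs
        System.out.println(screen.build(guest)); // lacks ADMIN: safe screen
        System.out.println(screen.build(null));  // no session: safe screen
    }
}
```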