I've been doing some thinking on how one could provide an easy-to-use and
common way of doing security checks/proper authorization in Turbine.  The ACL
stuff in Turbine is AWESOME! What I've been thinking about is a way that would
prevent a programmer from having to code security logic throughout the actions
and screens.

Here's my thought. Please feel free to beat me up!

What if we added a SecurityLoader module and a Security class?  The
SecurityLoader would operate on Security classes (just like ActionLoader on an
Action), but would have an exec method with 3 parameters: eval(RunData data,
String name, Object requiredrights).  The Object parameter could be a specific
role or permissions ("add_user").  Or you could pass an array of permissions
for the Security class to evaluate.  Then the programmer could create the
Security classes specific to the application.  For example:

public class CanEdit extends Security
{
  public boolean doCheck(RunData data, Object requiredrights)
  {
     //something like this
     String perm = (String)requiredrights;
     if ( data.acl.hasPermission(perm) )
     {
       //do something here
       return true;
     }
     //deny unless the permission is held
     return false;
  }

}

Then throughout your actions and screens you could do this:

  if ( SecurityLoader.getInstance().eval ( data, "CanEdit", requiredPermission ) )
    //do something

The idea being that on a site with various complicated security levels, this
would provide a common way to "move" most of the security logic to a separate
class where you can think about it more clearly.

Thoughts?

Dave
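
Added example (not part of the original post and not Turbine's own code): a self-contained sketch of the proposed SecurityLoader/Security pattern in which an unregistered check name, a missing ACL or a wrongly typed argument denies access. `Acl`, `RunData`, the check registry and `SecurityLoaderDemo` are hypothetical stand-ins, and the sample user is constructed; the real Turbine classes differ.

```java
import java.util.*;

public class SecurityLoaderDemo {
    public static void main(String[] args) {
        RunData editor = new RunData(new Acl("edit_user")); // constructed sample user
        SecurityLoader loader = SecurityLoader.getInstance();
        System.out.println(loader.eval(editor, "CanEdit", "edit_user"));
        // Array form: the user holds only one of the two listed permissions.
        System.out.println(loader.eval(editor, "CanEdit", new String[] {"edit_user", "add_user"}));
        // Misspelled check name that is not in the registry.
        System.out.println(loader.eval(editor, "CanEdt", "edit_user"));
    }
}

// Hypothetical stand-ins for Turbine's ACL and RunData, just enough to run offline.
class Acl {
    private final Set<String> perms;
    Acl(String... perms) { this.perms = new HashSet<>(Arrays.asList(perms)); }
    boolean hasPermission(String p) { return perms.contains(p); }
}
class RunData { final Acl acl; RunData(Acl acl) { this.acl = acl; } }

// The proposed base class: one subclass per application-specific rule.
abstract class Security { abstract boolean doCheck(RunData data, Object requiredrights); }

class CanEdit extends Security {
    boolean doCheck(RunData data, Object requiredrights) {
        // Accept one permission or an array; every listed permission must be held.
        String[] needed = requiredrights instanceof String[]
                ? (String[]) requiredrights : new String[] { (String) requiredrights };
        for (String perm : needed) {
            if (!data.acl.hasPermission(perm)) return false;
        }
        return needed.length > 0; // an empty requirement list is not a grant
    }
}

class SecurityLoader {
    private static final SecurityLoader INSTANCE = new SecurityLoader();
    private final Map<String, Security> checks = new HashMap<>();
    private SecurityLoader() { checks.put("CanEdit", new CanEdit()); }
    static SecurityLoader getInstance() { return INSTANCE; }

    // Fail closed: unknown name, missing ACL or a wrongly typed argument all deny.
    boolean eval(RunData data, String name, Object requiredrights) {
        Security check = checks.get(name);
        if (check == null || data == null || data.acl == null) return false;
        try { return check.doCheck(data, requiredrights); }
        catch (RuntimeException e) { return false; }
    }
}
```

Because the check is selected by a string name, the loader has to treat a lookup miss as a denial; otherwise a typo at a call site would silently skip the check.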
 

