But if the user is in the session, then we know that when he submits a request, or at least when that browser submits a request, it is the user who is in the session. You could store roles for the user in the session also and then just use the session. If the role is not present, populate it from the DB and use the session thereafter.
Al

-----Original Message-----
From: Yan Hu [mailto:[EMAIL PROTECTED]
Sent: Monday, April 18, 2005 8:46 PM
To: Struts Users Mailing List; Daniel Watrous
Subject: Identify users

Hi:

I have a question. I need to check if a user is the one who has permission to a certain action. His role is stored in the database, for example user.isStudent. The whole student object is stored in the session after he logs in successfully. From that point on, every time he sends a request that invokes an action, I need to verify if this student is who he claims he is. I could include a hidden field for example, his email in every page I send back to him and get this property back to verify who he is. I was wondering if this approach is problematic since he could manipulate the hidden field. Any better solutions to that?

Thanks a lot!

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
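The approach discussed in this thread, as an added example that is not part of either message: identity comes only from server-side session state, the role is loaded from the database once and cached in the session, and the hidden field is never consulted. The class name, the `userId` and `role` attribute keys, the `ROLE_TABLE` stand-in for the database and all sample values are assumptions; a plain `Map` models the session attributes that `HttpSession` would hold in a servlet container.

```java
import java.util.HashMap;
import java.util.Map;

public class SessionRoleCheck {
    // Constructed stand-in for the database (user id -> role); hypothetical data.
    static final Map<String, String> ROLE_TABLE = new HashMap<>();
    static int dbLookups = 0;

    static String loadRoleFromDb(String userId) {
        dbLookups++;
        return ROLE_TABLE.get(userId);
    }

    // session: server-side state, written only by the login code.
    // params:  request parameters, hidden fields included; fully client-controlled.
    static boolean isAllowed(Map<String, Object> session,
                             Map<String, String> params,
                             String requiredRole) {
        String userId = (String) session.get("userId");
        if (userId == null) return false;            // no authenticated session
        String role = (String) session.get("role");
        if (role == null) {                          // first check: populate from DB
            role = loadRoleFromDb(userId);
            if (role == null) return false;          // unknown user: deny
            session.put("role", role);               // later checks use the session
        }
        // params is deliberately never read for identity or role.
        return requiredRole.equals(role);
    }

    public static void main(String[] args) {
        ROLE_TABLE.put("u1001", "student");
        ROLE_TABLE.put("u2002", "teacher");

        Map<String, Object> session = new HashMap<>();
        session.put("userId", "u1001");              // set at login

        // Constructed request in which the client has edited the hidden fields.
        Map<String, String> tampered = new HashMap<>();
        tampered.put("email", "teacher@example.edu");
        tampered.put("role", "teacher");

        System.out.println("student action allowed: " + isAllowed(session, tampered, "student"));
        System.out.println("teacher action allowed: " + isAllowed(session, tampered, "teacher"));
        System.out.println("no session allowed:     " + isAllowed(new HashMap<>(), tampered, "teacher"));
        System.out.println("DB lookups: " + dbLookups);
    }
}
```

A role cached this way stays in effect until the session ends, so a role change in the database needs the session attribute cleared or the session invalidated.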