Hi Phillip,
Philip Barlow wrote:
I'm just wondering is there a general solution to the following example:
I pass a TeamId as a request parameter to a PersonAction to list all people
in a team with Person.TeamId=TeamId.
However I want to stop a logged in user being able to manually change the
Team Id and look up people they do not have permission to view.
Any pointers on this would be appreciated.
I've done something very similar in my current project where users
belong to specific companies and I don't want users from one company to
have access to another company's scope.
The general pattern I used was:
1. I added a Company attribute to the User entity. To do this I
needed to follow the AppFuse Core Classes tutorial:
http://www.appfuse.org/display/APF/AppFuse+Core+Classes
2. If you don't want to do anything fancy, it's simply a case then of
checking the the currently logged in user's Company attribute (or in
your case team attribute) to constrain anything they do accordingly.
3. In my case, I needed to allow the system administrator to browse
any Company's scope, so I store a Company entity in the Session and
allow the administrator to change this to a company other than his/her own.
It may be that with your app, a user can be a member of more than one
team - that shouldn't present any problem, you simply model a
many-to-many relationship - a bonus is that you'd probably get away
without modifying the User entity.
In my app, I created my own BaseAction that each of my Action classes
extends. I've put all my Company handling code in the BaseAction class
so I don't have to incorporate the code into each action.
HTH,
Rob Hills
Waikiki, Western Australia
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
