Hi, I have implemented an extended version of the ApplicationUser class called MyApplicationUser to allow users to add more information to their 'profile' in my web-app. They self-enrol (via initial entry of an email address, then following a link in an email sent to that address [1]) and then add more details once they've created a user account.
I now make use of the class MyApplicationUser more widely in the application, but this leads to the problem that one user can modify the profile of another. Using the security module we can make all classes, instances of a class VIEWING or CHANGING. It must be the latter to be able to change their own record, but generally it should be VIEWING only. Is there a way to achieve this?

My alternative is to make use of the MyApplicationUser entity but to display its property values as a read-only view-model when necessary, that is, as a derived property. At the moment, I am having some problems with this approach in terms of displaying collections of MyApplicationUser as collections (of more view models) in the view-model class. I was creating my view-model as a wrapper around a persistent entity; it's worked in the past but is not working in this case, with some strange effects, like "Failed title". So setting actual properties in the view-model class (rather than making all getters call a getter of the wrapped object) might be necessary to take full advantage of session caching of view model instances? I think using the view model approach might be the solution.

Cheers
Steve
