Van Daele, Koen wrote:
> That's something I was thinking about a while back. Wouldn't it be
> nice to have a default method for that like the validate() methods
> (where you have different levels of control: validate.xml,
> registerValidators() and the validate() method). Every once in a
> while I see people ask something similar (basically check if the user
> has the edit credential for a certain record). You do indeed need a
> checkPermissions() or similar method for that. I think it might be
> useful as a default feature of the security system. If it exists for
> validation I think it can exist for security too.
> 
> Koen
> 
>> -----Original message----- From: [EMAIL PROTECTED]
>>  [mailto:[EMAIL PROTECTED] On behalf of David Zülke
>> Sent: Tuesday 3 July 2007 15:23 To: Agavi Users Mailing List
>> Subject: Re: [Agavi-Users] Handling errors
>> 
>> That's security. I can see how the vanilla security system cannot
>> handle this; I recommend extending SecurityFilter so it calls a 
>> checkPermissions() method or something on the action.
>> 
>> 
>> HTH,
>> 
>> David
>> 
>> 
>> 
>> On 03.07.2007 at 14:51, Shoan Motwani wrote:
>> 
>>> We have a similar situation in our project. We need to validate 
>>> whether the logged in user can edit/delete a record. I am
>>> thinking that a callback in the routing containing the id of the
>>> record (www.example.org/edit/123) would be the best place to
>>> validate whether the user can actually mess with the record.
>>> 
>>> Is there a better way?
>>> 

You can also do this by extending AgaviRbacSecurityUser and, in your
overriding loadDefinitions, load the user's credentials to edit/delete
records (for example, store all record ids the user can edit as
'record.edit.[id]' credentials).

Then:

//PageModifyAction::getCredentials()

// admin group can modify all pages
$cred = array('admin.page.modify');

if ($page->getWriteAccessRoleId() !== null) {
    // page.write.[id] is given to the user in MyRbacUser::loadDefinitions
    // if the user's group has modify access to the page
    $cred[] = 'page.write.' . $page->getId();
}

// nested array: holding any one of these credentials is sufficient
return array($cred);



-veikko

P.S. Top posting makes it harder to follow these threads and at least
everyone could clean up the reply before sending (footers and such).

_______________________________________________
users mailing list
[email protected]
http://lists.agavi.org/mailman/listinfo/users
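
The per-record credential scheme from the last reply, as an added example that is not part of the original thread and is not Agavi code. DemoUser and credentialsForPage() are hypothetical stand-ins, the any-one-of handling of the nested array is an assumption stated in the code, and the page ACL is constructed sample data.

```php
<?php
// Added illustration. DemoUser and credentialsForPage() are hypothetical, not Agavi classes.
final class DemoUser
{
    private array $credentials = [];

    // Stand-in for the overriding loadDefinitions(): one 'page.write.[id]' per writable page.
    public function loadDefinitions(array $groups, array $pageAcl): void
    {
        $this->credentials = [];
        if (in_array('admin', $groups, true)) {
            $this->credentials['admin.page.modify'] = true;
        }
        foreach ($pageAcl as $pageId => $writeGroup) {
            if ($writeGroup !== null && in_array($writeGroup, $groups, true)) {
                $this->credentials['page.write.' . $pageId] = true;
            }
        }
    }

    // Assumed semantics: each top-level entry must hold; a nested array needs any one member.
    public function hasCredentials(array $required): bool
    {
        foreach ($required as $entry) {
            $held = array_filter((array) $entry, fn ($c) => isset($this->credentials[$c]));
            if ($held === []) {
                return false;
            }
        }
        return true;
    }
}

// Same shape as the getCredentials() snippet: admin OR the per-page credential.
function credentialsForPage(int $pageId, ?string $writeGroup): array
{
    $cred = ['admin.page.modify'];
    if ($writeGroup !== null) {
        $cred[] = 'page.write.' . $pageId;
    }
    return [$cred];
}

// Constructed sample data: page id => group with write access (null = none).
$pageAcl = [123 => 'editors', 124 => 'legal', 125 => null];
$user = new DemoUser();
$user->loadDefinitions(['editors'], $pageAcl);
foreach ($pageAcl as $id => $group) {
    printf("page %d: %s\n", $id, $user->hasCredentials(credentialsForPage($id, $group)) ? 'allowed' : 'denied');
}
```

In this sketch the credentials are a snapshot taken when loadDefinitions() runs, so a write permission revoked afterwards keeps working until the definitions are loaded again.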
