> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Veikko Mäkinen
> Sent: Wednesday, 4 July 2007 10:03
> To: Agavi Users Mailing List
> Subject: Re: [Agavi-Users] Handling errors
>
> Van Daele, Koen wrote:
> > That's something I was thinking about a while back. Wouldn't it be
> > nice to have a default method for that like the validate() methods
> > (where you have different levels of control: validate.xml,
> > registerValidators() and the validate() method). Every once in a while
> > I see people ask something similar (basically check if the user has
> > the edit credential for a certain record). You do indeed need a
> > checkPermissions() or similar method for that. I think it might be
> > useful as a default feature of the security system. If it exists for
> > validation I think it can exist for security too.
> >
> > Koen
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of David Zülke
> >> Sent: Tuesday, 3 July 2007 15:23
> >> To: Agavi Users Mailing List
> >> Subject: Re: [Agavi-Users] Handling errors
> >>
> >> That's security. I can see how the vanilla security system cannot
> >> handle this; I recommend extending SecurityFilter so it calls a
> >> checkPermissions() method or something on the action.
> >>
> >>
> >> HTH,
> >>
> >> David
> >>
> >>
> >>
> >> On 03.07.2007 at 14:51, Shoan Motwani wrote:
> >>
> >>> We have a similar situation in our project. We need to validate
> >>> whether the logged in user can edit/delete a record. I am thinking
> >>> that a callback in the routing containing the id of the record
> >>> (www.example.org/edit/123) would be the best place to validate
> >>> whether the user can actually mess with the record.
> >>>
> >>> Is there a better way?
> >>>
>
> You can also do this by extending AgaviRbacSecurityUser and, in your
> overriding loadDefinitions, load the user's credentials to edit/delete
> records (for example, store all record ids the user can edit as
> 'record.edit.[id]' credentials).
>
> Then:
>
> // PageModifyAction::getCredentials()
>
> // admin group can modify all pages
> $cred = array('admin.page.modify');
>
> if ($page->getWriteAccessRoleId() !== null) {
>     // page.write.[id] is given to the user in
>     // MyRbacUser::loadDefinitions
>     // if the user's group has modify access to the page
>     $cred[] = 'page.write.' . $page->getId();
> }
>
> return array($cred);
>
>
> -veikko
>
> P.S. Top posting makes it harder to follow these threads, and at
> least everyone could clean up the reply before sending (footers and
> such).
>
I can see this working as long as the number of records is rather small,
but in the case where I might need to implement this I'm talking about
some 50,000-100,000 records where one user might have 'record.edit.[id]'
for some 10,000-20,000 records, so loading all that data as rbac
permissions seems a bit much.

Koen

_______________________________________________
users mailing list
[email protected]
http://lists.agavi.org/mailman/listinfo/users
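The pattern the thread converges on, as an added example that is not part of the original thread and not Agavi's own code: keep the coarse, static credential in getCredentials() where the stock security filter can check it, and do the per-record part in a checkPermissions() hook (David's suggestion) that is evaluated before the action runs. The hook asks one question about one record instead of enumerating a 'page.write.[id]' credential per record into the session, which is what Koen's 10,000-20,000 records per user would otherwise require. The PageAcl class, the role layout, the sample data and the authorize() stand-in for an extended security filter are all assumptions constructed for this example.

```php
<?php
// Added example, not from the thread or from Agavi. Every class, the role
// layout and the data below are constructed for illustration only.

/**
 * Constructed stand-in for the authorization store (in a real application a
 * database). It answers "may this user write this page?" with two lookups,
 * so the cost does not grow with the number of records the user may edit.
 */
class PageAcl
{
    private $pageWriteRoles; // page id => role id allowed to write, or null
    private $userRoles;      // user name => list of role ids (or 'admin')

    public function __construct(array $pageWriteRoles, array $userRoles)
    {
        $this->pageWriteRoles = $pageWriteRoles;
        $this->userRoles = $userRoles;
    }

    public function canWritePage($user, $pageId)
    {
        // Unknown user or unknown page: deny by default.
        if (!isset($this->userRoles[$user]) || !array_key_exists($pageId, $this->pageWriteRoles)) {
            return false;
        }
        $roles = $this->userRoles[$user];
        if (in_array('admin', $roles, true)) {
            return true; // admin group can modify all pages
        }
        // A page without a write role is admin-only.
        $writeRole = $this->pageWriteRoles[$pageId];
        return $writeRole !== null && in_array($writeRole, $roles, true);
    }
}

/**
 * Stand-in for the action. getCredentials() keeps only the coarse credential
 * a credential-based filter can check; checkPermissions() (the hook proposed
 * in the thread) does the record-specific check using the id from the request.
 */
class PageModifyAction
{
    public function getCredentials()
    {
        return 'page.modify';
    }

    public function checkPermissions(PageAcl $acl, $user, array $params)
    {
        // Refuse when no usable record id was supplied rather than guessing.
        if (!isset($params['id']) || !ctype_digit((string) $params['id'])) {
            return false;
        }
        return $acl->canWritePage($user, (int) $params['id']);
    }
}

/**
 * What an extended security filter would do before executing the action:
 * the static credential check first, then the per-record hook. Both must
 * pass; if either fails the action never runs.
 */
function authorize(PageModifyAction $action, PageAcl $acl, $user, array $granted, array $params)
{
    if (!in_array($action->getCredentials(), $granted, true)) {
        return false;
    }
    return $action->checkPermissions($acl, $user, $params);
}

// Constructed sample data: page 101 is writable by role 5, page 102 by role 7,
// page 103 has no write role (admins only).
$acl = new PageAcl(
    array(101 => 5, 102 => 7, 103 => null),
    array('alice' => array(5), 'bob' => array(7, 'admin'), 'carol' => array())
);
$action  = new PageModifyAction();
$granted = array('page.modify'); // constructed: every logged-in editor holds this

$cases = array(array('alice', 101), array('alice', 102), array('bob', 103), array('carol', 101));
foreach ($cases as $case) {
    list($user, $id) = $case;
    $ok = authorize($action, $acl, $user, $granted, array('id' => $id));
    printf("%-5s edit page %d: %s\n", $user, $id, $ok ? 'allowed' : 'denied');
}
```

The check is keyed on the record id taken from the request, so a user who can edit page 101 is still denied on 102 even though both actions require the same static credential; that is the property the per-record credential scheme provides, reproduced without loading every id into the user object.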
