struts-user mailing list archives

From Amol Ghotankar <ghotankaru...@gmail.com>
Subject Re: Authorization Best Practices
Date Thu, 08 Jul 2010 03:48:40 GMT
Dear List Members,

A lot of theory has been put here; now let's talk with an example.

Let's assume there are three roles a user can have

1. user
2. manager
3. admin

Let's assume a simple CRUD use case which has four actions

1. insert
2. update
3. delete
4. list

Now

A. Part 1.

1. users logged in with user & manager role can access all actions except
delete.

B. Part 2

1. users logged in with role user can
-insert any record but
-update only records which he has inserted before
-and also list records which he has inserted.

2. users logged in with role manager can
- insert any record and
- update any record entered by him and users under his department
- list all records inserted by him and users under his department

3. users logged in with role admin can
- insert any record and
- update only his records not other users
- list all records by him and other users
- delete any record by him and other users

Now I think the discussion will be more focused and we can discuss what
practices can be followed to implement this logic using struts2 and related
frameworks.

Regards,

Amol Ghotankar.




On Thu, Jul 8, 2010 at 2:12 AM, Dale Newfield <dale@newfield.org> wrote:

> On 7/7/10 2:26 PM, Amol Ghotankar wrote:
>
>> Part 2. How to control access of data from back end database based on
>> action/user-role.
>>
>> i.e. how much data should be returned through called action, 10 rows, 100
>> rows or 1000 rows from database, based on user role and/or called action.
>>
>
> Whether data should be accessible and how much data should be accessible
> sound like orthogonal questions to me.  Whether is a business logic or dao
> question.  How much is just a parameter passed to business logic and/or dao,
> but is really more a question that the web layer should determine, no?
>
>
> -Dale
>

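An added example (not code from this thread or from Struts2) that encodes both parts of the rules in the message above as one plain Java policy class, assuming Java 17 and hypothetical Account/Row types supplied by the caller: Part 1 is the per-action check an interceptor would run before the action executes, Part 2 is the per-row check the business or DAO layer applies, which keeps "whether" separate from "how much" as Dale suggests.

```java
import java.util.List;

public final class AuthorizationPolicy {
    enum Role { USER, MANAGER, ADMIN }
    enum Action { INSERT, UPDATE, DELETE, LIST }
    record Account(String name, Role role, String department) {}   // hypothetical types
    record Row(long id, String owner, String ownerDepartment) {}

    // Part 1: action-level rule, the check a Struts2 interceptor would run before
    // the action executes. Only admin may reach the delete action at all.
    static boolean canInvoke(Account actor, Action action) {
        return action != Action.DELETE || actor.role() == Role.ADMIN;
    }

    // Part 2: record-level rule, evaluated in the business/DAO layer for one row.
    static boolean permits(Account actor, Action action, Row row) {
        if (!canInvoke(actor, action)) return false;
        boolean own = row.owner().equals(actor.name());
        boolean sameDept = row.ownerDepartment().equals(actor.department());
        return switch (action) {
            case INSERT, DELETE -> true; // insert: any role; delete: only admin gets here, any row
            case UPDATE -> actor.role() == Role.MANAGER ? (own || sameDept) : own;
            case LIST -> switch (actor.role()) {
                case USER -> own;
                case MANAGER -> own || sameDept;
                case ADMIN -> true;
            };
        };
    }

    // LIST applied to a result set. In a real DAO the same predicate belongs in the
    // query's WHERE clause so the database, not the action, trims the rows.
    static List<Row> visibleRows(Account actor, List<Row> rows) {
        return rows.stream().filter(r -> permits(actor, Action.LIST, r)).toList();
    }

    public static void main(String[] args) {
        // Constructed sample accounts and rows, not data from the thread.
        Account alice = new Account("alice", Role.USER, "sales");
        Account bob = new Account("bob", Role.MANAGER, "sales");
        Account root = new Account("root", Role.ADMIN, "it");
        List<Row> rows = List.of(new Row(1, "alice", "sales"), new Row(2, "carol", "sales"),
                new Row(3, "dave", "hr"), new Row(4, "root", "it"));
        System.out.println("alice (user) lists " + visibleRows(alice, rows).size() + " rows");
        System.out.println("bob (manager) lists " + visibleRows(bob, rows).size() + " rows");
        System.out.println("root (admin) lists " + visibleRows(root, rows).size() + " rows");
        System.out.println("manager delete allowed: " + permits(bob, Action.DELETE, rows.get(1)));
        System.out.println("admin update of carol's row allowed: " + permits(root, Action.UPDATE, rows.get(1)));
    }
}
```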
