UniverseUniversity



UU: keeping track of user and his access



There is an important thing I want to change in the way
libui is organized. Right now every page has to check
for login info explicitly. Then each page does something of its
own (usually just gives an error message).

What I think should happen in case of access error, is
redirect to the login page, followed by redirect back to
the source page, after login is done. This is in case user
wasn't logged in at all. If, however, user was logged in,
but doesn't have access to the relevant action on an object,
he should get a message which describes ways to get a hold
of such access. For example, if someone tries to edit a topic,
which he/she doesn't own, a message with contact info of
owners should be displayed.

The first part can be achieved as follows:
1. We implement UuServlet::service function, which will _never_
   be overridden by derived classes.
2. UuServlet::service() first retrieves user info
3. There is abstract virtual bool UuServlet::access(User*)=0; function
4. UuServlet::service calls access(User*) function (NULL means
   no login info available)
5. If access returns false, we save current page in session attribute
   and redirect to the login page
6. If access() returns true, we call UuServlet::service(UuRequest&, UuResponse&)
   (UuRequest and UuResponse classes are derived from Http{Request,Response}Wrapper
   classes, and add ways to access User object of the session, if present, along
   with some other request-specific info, which we might find useful.) Obviously,
   this service function is abstract as well.

We might be able to satisfy second requirement, by wrapping whole
access() and service() calls into a try/catch block, and providing
special UuAccessException, which can be thrown by either of these
functions, in case current user doesn't have enough access for current
action on current object. In the handler block for the exception we could
forward to a special CSP.


    Ilya.
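
The dispatch proposed in this message, as an added example that is not code from libui or from the author. `handle()` stands in for the abstract `service(UuRequest&, UuResponse&)` overload, and the stand-in types, the `return_to` and `access_error` attribute names, the `/login` and `/access_denied.csp` paths and `run_edit` are assumptions.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical stand-ins for the container types; not the real libui API.
struct User { std::string name; };
struct Session { User* user; std::map<std::string, std::string> attrs; };
struct UuRequest { std::string path; Session& session; };
struct UuResponse { std::string redirect, forward, body; };
// Thrown when a logged-in user lacks access to this action on this object.
struct UuAccessException : std::runtime_error { using std::runtime_error::runtime_error; };
class UuServlet {
public:
    virtual ~UuServlet() = default;
    // Non-virtual entry point, so no page can skip the checks.
    void service(UuRequest& req, UuResponse& resp) {
        try {
            if (access(req.session.user))  // nullptr means no login info
                return handle(req, resp);
            req.session.attrs["return_to"] = req.path;  // kept server-side
            resp.redirect = "/login";
        } catch (const UuAccessException& e) {
            req.session.attrs["access_error"] = e.what();
            resp.forward = "/access_denied.csp";
        }
    }
protected:
    virtual bool access(User* user) = 0;
    virtual void handle(UuRequest& req, UuResponse& resp) = 0;
};

// Sample page: editing needs a login, and only the owner may edit.
class EditTopic : public UuServlet {
    bool access(User* user) override { return user != nullptr; }
    void handle(UuRequest& req, UuResponse& resp) override {
        if (req.session.user->name != "alice")  // constructed owner
            throw UuAccessException("topic owner: alice@example.org");
        resp.body = "edit form";
    }
};

// One request as `name` (nullptr: anonymous); returns redirect|forward|body|return_to.
std::string run_edit(const char* name) {
    User u{name ? name : ""};
    Session s{name ? &u : nullptr, {}};
    UuRequest req{"/topic/edit", s}; UuResponse resp;
    EditTopic().service(req, resp);
    return resp.redirect + "|" + resp.forward + "|" + resp.body + "|" + s.attrs["return_to"];
}
```

Because the return path is stored in the session rather than passed as a request parameter, the post-login redirect target is never client-supplied.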



Authoright © Total Knowledge: 2001-2008