
Re: UU: keeping track of user and his access





2008/11/10 Ilya A. Volynets-Evenbakh <ilya@total-knowledge.com>

>> I do plan re-organising the login functions this week, however.
>>
>> Access to the object is a totally different matter. An incorrect object
>> modification request would throw the exception - and this generates an error
>> message.
>
> Correct. Mostly. Right now, for example, navigating to UMOEditServlet while
> not being logged in displays the edit form along with the message, which is
> not acceptable - it'll confuse 60% of users. They should get a standardized
> error page with relevant info instead.

That is only because neither login check nor controls check is implemented yet.

>> Also, since any object manipulations are performed with controls, we can
>> always limit the controls when generating a page. For instance, the 'Edit'
>> button isn't shown or is disabled if the user can't edit the object.
>
> You realize that this isn't a real control, and will also mess up any
> automated web site testing procedures (or at least will make doing them
> right much more difficult). I'm not saying this is a bad idea - in fact the
> opposite. But it isn't a real solution to the problem.

Yes, it is :) We don't have to block object modifications this way. Blocking object modifications is implemented on the database level. We just have to avoid user confusion, so hiding, for instance, the 'Edit' button would do. And, if someone is stubborn enough to try navigating by typing Servlet names and GET parameters w/o a correct password - he/she deserves the confusion.

Generally, we're discussing the state of the system at the moment when only one page (Home) is more or less implemented (security-wise). I've just started the process of adding this code two or three days ago.

--
Alexey Parshin,
http://www.sptk.net
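The point argued in the exchange above is that hiding the 'Edit' control is a usability measure, while the actual access check has to live on the server path that performs the modification. The following is an added example written for this page, not code from the UU project or from either correspondent; `User`, `Document`, `EditHandler` and `error_page` are hypothetical stand-ins for the UMOEditServlet and the login/controls checks the thread refers to. It shows the same permission check feeding both the page renderer (which decides whether to show the button) and the edit path (which refuses a hand-typed request with no session and returns a standardized error instead of the edit form).

```python
"""Added example (not from the UU mailing-list thread): a hidden UI control
is a hint for users; the server-side handler must enforce access itself.

All names below are hypothetical stand-ins for the servlet discussed above.
"""

from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request fails the server-side permission check."""


@dataclass
class User:
    name: str
    logged_in: bool = True
    can_edit: frozenset = frozenset()  # ids of objects this user may modify


@dataclass
class Document:
    doc_id: int
    body: str


class EditHandler:
    """Stand-in for an edit servlet. The page renderer and the modification
    path consult the same permission check, so hiding the button and
    refusing the request can never disagree."""

    def __init__(self, docs):
        self.docs = {d.doc_id: d for d in docs}

    def _authorize(self, user, doc_id):
        # Login check first, then the per-object controls check.
        if user is None or not user.logged_in:
            raise AccessDenied("login required")
        if doc_id not in user.can_edit:
            raise AccessDenied(f"{user.name} may not edit object {doc_id}")

    def render_page(self, user, doc_id):
        """Show the 'Edit' control only when the user could actually edit.
        This is the usability layer: it avoids confusion, nothing more."""
        try:
            self._authorize(user, doc_id)
            return {"doc": doc_id, "controls": ["Edit"]}
        except AccessDenied:
            return {"doc": doc_id, "controls": []}

    def handle_edit(self, user, doc_id, new_body):
        """The real control: enforced regardless of what the page showed,
        so typing the servlet name and GET parameters by hand gains nothing."""
        self._authorize(user, doc_id)
        self.docs[doc_id].body = new_body
        return self.docs[doc_id]


def error_page(exc):
    """Standardized error page instead of an edit form plus a message."""
    return {"status": 403, "error": str(exc)}


def demo():
    """Constructed scenario: one document, its owner, and an anonymous visitor."""
    handler = EditHandler([Document(1, "draft")])
    owner = User("alexey", can_edit=frozenset({1}))
    guest = None  # not logged in
    results = {}
    results["owner_controls"] = handler.render_page(owner, 1)["controls"]
    results["guest_controls"] = handler.render_page(guest, 1)["controls"]
    try:
        handler.handle_edit(guest, 1, "vandalised")  # direct request, no session
        results["guest_edit"] = "allowed"
    except AccessDenied as exc:
        results["guest_edit"] = error_page(exc)["status"]
    results["owner_edit"] = handler.handle_edit(owner, 1, "final").body
    return results


if __name__ == "__main__":
    print(demo())
```

The test-friendliness point raised in the thread is also visible here: because `handle_edit` enforces the decision on its own, an automated test can exercise the modification path directly and assert on the refusal, without having to drive the rendered page and look for a missing button.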

Authoright © Total Knowledge: 2001-2008