Ilya A. Volynets-Evenbakh wrote:
> There is an important thing I want to change in the way
> libui is organized. Right now every page has to check
> for login info explicitly. Then each page does something
> of its own (usually just gives an error message).
>
> What I think should happen in case of an access error is a
> redirect to the login page, followed by a redirect back to
> the source page after login is done. This is in case the user
> wasn't logged in at all. If, however, the user was logged in
> but doesn't have access to the relevant action on an object,
> he should get a message which describes ways to get hold
> of such access. For example, if someone tries to edit a topic
> which he/she doesn't own, a message with the contact info of
> the owners should be displayed.
>
> The first part can be achieved as follows:
> 1. We implement a UuServlet::service function, which will _never_
> be overridden by derived classes.
> 2. UuServlet::service() first retrieves the user info.
> 3. There is an abstract virtual bool UuServlet::access(User*)=0; function.
> 4. UuServlet::service calls the access(User*) function (NULL means
> no login info is available).
> 5. If access() returns false, we save the current page in a session
> attribute and redirect to the login page.
> 6. If access() returns true, we call UuServlet::service(UuRequest&,
> UuResponse&). (UuRequest and UuResponse classes are derived from the
> Http{Request,Response}Wrapper classes, and add ways to access the User
> object of the session, if present, along with some other request-specific
> info which we might find useful.) Obviously, this service function is
> abstract as well.
>
> We might be able to satisfy the second requirement by wrapping the whole
> access() and service() calls in a try/catch block and providing a
> special UuAccessException, which can be thrown by either of these
> functions in case the current user doesn't have enough access for the
> current action on the current object. In the handler block for the
> exception we could forward to a special CSP.
>
>
> Ilya.
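The dispatch sketched in the mail, as an added C++ example that is not code from libui or from the list: the non-virtual service() fetches the session user, calls the pure-virtual access(), stores the current page in a session attribute and redirects to the login page when access() fails, and catches UuAccessException to turn an "allowed in, but not on this object" failure into a page naming whom to contact. The session, request and response stand-ins, EditTopicServlet, drive(), and the renaming of the abstract service() overload to doService() (to avoid C++ name hiding between the two overloads) are assumptions of this example.

```cpp
#include <map>
#include <stdexcept>
#include <string>
// Constructed stand-ins for the framework's session, request and response types.
struct User { std::string name; };
struct Session { std::map<std::string, std::string> attrs; User* user = nullptr; };
struct HttpRequest { std::string uri; Session* session; };
struct HttpResponse { int status = 200; std::string location; std::string body; };
// Thrown by access() or doService() when a logged-in user lacks rights on the object.
struct UuAccessException : std::runtime_error {
    std::string owner;  // whom to contact to obtain access
    explicit UuAccessException(const std::string& who) : std::runtime_error("forbidden"), owner(who) {}
};
struct UuServlet {
    // Single non-virtual entry point: derived classes never override this.
    void service(HttpRequest& req, HttpResponse& res) {
        User* user = req.session->user;  // NULL when no login info is available
        try {
            if (!access(user)) {
                req.session->attrs["return_to"] = req.uri;  // come back here after login
                res.status = 302; res.location = "/login"; return;
            }
            doService(req, res, user);
        } catch (const UuAccessException& e) {
            res.status = 403; res.body = "access denied; contact " + e.owner;  // logged in, not allowed
        }
    }
protected:
    virtual bool access(User* user) = 0;  // NULL = not logged in
    virtual void doService(HttpRequest& req, HttpResponse& res, User* user) = 0;
};
// Example page: editing a topic requires a login, and only the owner may edit it.
struct EditTopicServlet : UuServlet {
    std::string owner;
    explicit EditTopicServlet(const std::string& o) : owner(o) {}
    bool access(User* u) override { return u != nullptr; }
    void doService(HttpRequest&, HttpResponse& res, User* u) override {
        if (u->name != owner) throw UuAccessException(owner);
        res.body = "editing topic owned by " + owner;
    }
};
struct Outcome { int status; std::string location, body, returnTo; };
Outcome drive(const std::string& userName) {  // empty name = not logged in
    Session s; User u{userName};
    if (!userName.empty()) s.user = &u;
    HttpRequest req{"/topic/42/edit", &s}; HttpResponse res;
    EditTopicServlet("alice").service(req, res);
    return {res.status, res.location, res.body, s.attrs["return_to"]};
}
```

An anonymous request ends in a redirect with the original URI saved in the session; a logged-in non-owner ends in the access-denied page; the owner reaches the page itself.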