Re: UU: keeping track of user and his access
Actually it should be derived from HttpServletRequestWrapper
(see http://www.total-knowledge.com/~cppserv/docs/html/classservlet_1_1HttpServletRequestWrapper.html)

Flow would be:

UuServlet::Service(HttpServletRequest& req, HttpServletResponse& resp)
{
    Check Access
    if (access denied and no user logged in)
    {
        redirect to login page
        return
    }
    UuRequest uuReq(req);
    UuResponse uuResp(resp);
    try
    {
        this->service(uuReq, uuResp);
    }
    catch(UuAccessException& e)
    {
        forward to access exception page
    }
}

Alexey Parshin wrote:
> Ok, this sounds good. I understand that UuRequest should be derived from
> HttpServletRequest. However, it isn't clear to me - where/how UuRequest
> should be created/released.
>
> 2008/11/10 Alexey Parshin <alexeyp@gmail.com>
>
>
>> I will think about it.
>>
>> 2008/11/10 Ilya A. Volynets-Evenbakh <ilya@total-knowledge.com>
>>
>>> BTW, another good candidate for inclusion in UuRequest class,
>>> is database connection acquisition functionality. If we use UuRequest,
>>> we don't need the CAutoConnection, especially if we need to pass it
>>> around to different functions (I presume that if we need db info, we'll
>>> need the request object as well anyways).
>>>
>>> Thus, I'm thinking something like
>>> CConnection* UuRequest::getDb()
>>> {
>>> if(!m_db)
>>> m_db = ....
>>> return m_db;
>>> }
>>>
>>> And then UuRequest::~UuRequest can release the connection back to the
>>> pool ...
>>>
>>> Ilya.
>>>
>>> Ilya A. Volynets-Evenbakh wrote:
>>>
>>>> There is an important thing I want to change in the way
>>>> libui is organized. Right now every page has to check
>>>> for login info explicitly. Then each page does something
>>>> of its own (usually just gives an error message).
>>>>
>>>> What I think should happen in case of access error, is
>>>> redirect to the login page, followed by redirect back to
>>>> the source page, after login is done. This is in case user
>>>> wasn't logged in at all. If, however, user was logged in,
>>>> but doesn't have access to the relevant action on an object,
>>>> he should get a message which describes ways to get a hold
>>>> of such access. For example, if someone tries to edit a topic,
>>>> which he/she doesn't own, a message with contact info of
>>>> owners should be displayed.
>>>>
>>>> The first part can be achieved as follows:
>>>> 1. We implement UuServlet::service function, which will _never_
>>>> be overridden by derived classes.
>>>> 2. UuServlet::service() first retrieves user info
>>>> 3. There is abstract virtual bool UuServlet::access(User*)=0; function
>>>> 4. UuServlet::service calls access(User*) function (NULL means
>>>> no login info available)
>>>> 5. If access returns false, we save current page in session attribute
>>>> and redirect to the login page
>>>> 6. If access() returns true, we call
>>>> UuServlet::service(UuRequest&, UuResponse&)
>>>> (UuRequest and UuResponse classes are derived from
>>>> Http{Request,Response}Wrapper classes, and add ways to access
>>>> User object of the session, if present, along with some other
>>>> request-specific info, which we might find useful.)
>>>> Obviously, this service function is abstract as well.
>>>>
>>>> We might be able to satisfy second requirement, by wrapping whole
>>>> access() and service() calls into a try/catch block, and providing
>>>> special UuAccessException, which can be thrown by either of these
>>>> functions, in case current user doesn't have enough access for current
>>>> action on current object. In the handler block for the exception we
>>>> could forward to a special CSP.
>>>>
>>>>
>>>> Ilya.
>>>>
>>>>
>>>>
>>>>
>>>
>> --
>> Alexey Parshin,
>> http://www.sptk.net
>>
>>
>
>
>
>
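
The flow discussed in this thread, as an added example that is not code from the thread or from CPPSERV/libui: a non-virtual service() runs the access check for every page, stores the return target in the session before redirecting to login, and turns UuAccessException into a forward to an access page. All types are stand-ins, handle() stands in for service(UuRequest&, UuResponse&), and the page paths and the "returnTo" attribute name are assumptions.

```cpp
// Added example with stand-in types; not the CPPSERV or libui API.
#include <map>
#include <stdexcept>
#include <string>
struct User { std::string name; };
struct Session { User* user = nullptr; std::map<std::string, std::string> attrs; };
struct Request { std::string uri; Session* session; };
struct Response { std::string redirect, forward; };
struct UuAccessException : std::runtime_error { using std::runtime_error::runtime_error; };
// Wrapper exposing the session user to page code, as UuRequest is meant to.
struct UuRequest { Request& req; User* user() const { return req.session->user; } };

class UuServlet {
public:
    virtual ~UuServlet() = default;
    // Non-virtual entry point, so a derived page cannot skip the access check.
    void service(Request& req, Response& resp) {
        UuRequest uuReq{req};
        try {
            if (!access(uuReq.user())) {
                // Assumption: a refused user who is logged in gets the access page.
                if (uuReq.user()) throw UuAccessException("access denied");
                // The return target stays in the server-side session.
                req.session->attrs["returnTo"] = req.uri;
                resp.redirect = "/login";  // hypothetical path
                return;
            }
            handle(uuReq, resp);
        } catch (const UuAccessException&) {
            resp.forward = "/access-denied";  // hypothetical path
        }
    }
protected:
    virtual bool access(User* user) = 0;  // nullptr: nobody is logged in
    virtual void handle(UuRequest& req, Response& resp) = 0;
};
// Constructed sample page: any logged-in user may open it, only "alice" may edit.
struct EditTopic : UuServlet {
    bool access(User* user) override { return user != nullptr; }
    void handle(UuRequest& req, Response& resp) override {
        if (req.user()->name != "alice") throw UuAccessException("not owner");
        resp.forward = "/edit-form";
    }
};

int main() {
    Session s; Request rq{"/topic/7/edit", &s}; Response rs; EditTopic page;
    page.service(rq, rs);
    return rs.redirect == "/login" ? 0 : 1;
}
```

Because the return target is read back from the session after login, the login page never has to trust a client-supplied redirect URL.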