Dave Newton wrote:
Morten Andersen wrote:
Now if I can determine whether the user has logged in. How can I use
the request parameters to determine the user's role on specific pages?
I know that I can invent my own control, it just seems like something
many others would need. Any tools available?
I still don't get this: why would you want request parameters to have
anything to do with determining security/access levels? That seems
really dangerous.
Here's an example:
The user: "Peter" may edit the page "Home". On all other pages he just
sees the page but on "Home" an extra button is added: "Edit this page".
Then when Peter presses that button he is brought to the editing page.
There he can edit the page but only if his role is really "editor" on
that page.
Not all users may use an action on all pages.
I use Realm to figure out whether the user has logged in by putting the
action that brings the user to the editing page under security
restriction, but it just doesn't handle the finer-grained
access control where I can match a page and a user to check the user's
role on that specific page.
Why is this dangerous?
How can I avoid these dangers?
Morten
Are you talking about adding request _attributes_ to determine view issues?
Dave
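An added example, not part of the original thread: a plain-Java sketch of the per-page check discussed above, contrasting a role read from a request parameter with a role looked up on the server for the authenticated user. The class name, method names and sample data are hypothetical, and it assumes the user name is the one the container login supplies (for example via `HttpServletRequest.getRemoteUser()`).

```java
import java.util.Map;

public class PageAccess {
    // Constructed sample data, held server-side: user -> (page -> role).
    private static final Map<String, Map<String, String>> ROLES = Map.of(
        "peter", Map.of("Home", "editor", "News", "viewer"));

    /** Unsafe: believes a role that arrived with the request itself. */
    static boolean mayEditTrustingRequest(Map<String, String> params) {
        return "editor".equals(params.get("role"));
    }

    /**
     * Safer: the user name comes from the container login, never from
     * the request. The page name may come from the request because it
     * is only a lookup key; the role is always read from ROLES.
     */
    static boolean mayEdit(String authenticatedUser, Map<String, String> params) {
        String page = params.get("page");
        if (authenticatedUser == null || page == null) {
            return false; // not logged in, or no page named: deny
        }
        Map<String, String> perPage =
            ROLES.getOrDefault(authenticatedUser, Map.of());
        return "editor".equals(perPage.get(page));
    }

    public static void main(String[] args) {
        // Constructed request: the client names page "News" and adds
        // role=editor on its own.
        Map<String, String> forged = Map.of("page", "News", "role", "editor");
        System.out.println("trusting request, News: "
            + mayEditTrustingRequest(forged));
        System.out.println("server lookup, News:    "
            + mayEdit("peter", forged));
        System.out.println("server lookup, Home:    "
            + mayEdit("peter", Map.of("page", "Home")));
        System.out.println("not logged in, Home:    "
            + mayEdit(null, Map.of("page", "Home")));
    }
}
```

The same lookup can decide whether to render the "Edit this page" button, but it has to run again in the action that saves the edit, since hiding the button does not stop a direct request to that action.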
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]