In my world this distinction is often referred to as "data rights" vs. "function rights".
Function rights can indeed be handled by restricting access to pages and components with annotations and sometimes a bit of conditional logic in the template. It's up to you whether you check function rights in the business tier too.

Data rights, however, are tricky. You have to check every request and be very careful what's in every response, particularly list responses. However, in my experience the range of checks needed to determine whether a user has the data rights for a given request is usually very small. E.g. you get the user from the session and decide:

- Does the thing being requested belong to them?
- Or, more usually, are they in the department that owns what's being requested?
- Can the user update things in their department or only read them?

In the web tier you could create a Tapestry service, say DataRightsChecker, inject it when it's needed, and have a method for each of the likely checks. In most web requests you'll probably find that you need to call only one or two methods and you're done. The service can return a really nasty error if it fails - there's no need to be nice because the user should not be in that situation unless they've hacked the URL. Ensure that normal site behaviour never takes them into a situation where they lack the function or data rights.

Again, it's up to you whether you check data rights in the business tier too. It's also up to you whether you go the whole hog and set up data rights in the database itself.

On 15 March 2014 21:36, Boris Horvat <horvat.z.bo...@gmail.com> wrote:

> I could be missing something, but isn't this a database question? How to
> model your tables and relationships between them?
>
> I don't see this as being a Tapestry-related question, to be honest.
>
> On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein <mailingl...@j-b-s.de> wrote:
>
> > Hi Ken!
> >
> > This sounds more like a "persistence" question, to be honest. How do you
> > store / persist the user data?
> >
> > Jens
> >
> > On 15.03.14 06:44, Ken in Nashua wrote:
> >
> > > Hi Folks,
> > >
> > > I want to create a web site data model whereby... whatever a user
> > > creates... they own.
> > >
> > > And when they come back to the website to operate again... they will see
> > > only what they own.
> > >
> > > It's not as much page-based security as it is object-based security...
> > > as in model object.
> > >
> > > Are there annotations available or mechanisms within tapestry-security to
> > > perform this in one hit so I can just put it at the top of my class (an
> > > annotation) or page and operate only on what the owner created?
> > >
> > > Thanks
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> > For additional commands, e-mail: users-h...@tapestry.apache.org
>
> --
> Sincerely
> *Boris Horvat*
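As an added illustration of the DataRightsChecker service sketched in the reply above (this is not code from the thread, from Tapestry, or from tapestry-security), here is a plain-Java version with one method per check plus a filter for list responses. The User, Owned and Document types, their field names, the department/read-only model and the DataRightsViolation exception are all assumptions made for the example; only the service name comes from the thread. The class is deliberately free of Tapestry dependencies so it compiles and runs on its own.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not from the thread or from Tapestry. Types below are
// assumed shapes for illustration.

// Thrown when a data-rights check fails. Deliberately blunt: a normal
// user never reaches this path unless they edited the URL, so there is
// nothing to explain politely.
class DataRightsViolation extends RuntimeException {
    DataRightsViolation(String what) { super("Access denied: " + what); }
}

// The user as held in session state (assumed shape). The checker only
// ever trusts values from here, never identifiers taken from the request.
final class User {
    final long id;
    final long departmentId;
    final boolean canUpdateDepartment;
    User(long id, long departmentId, boolean canUpdateDepartment) {
        this.id = id; this.departmentId = departmentId;
        this.canUpdateDepartment = canUpdateDepartment;
    }
}

// Anything that carries ownership. Real model entities would implement it.
interface Owned {
    long ownerId();
    long departmentId();
}

final class Document implements Owned {
    final long id, ownerId, departmentId; final String title;
    Document(long id, long ownerId, long departmentId, String title) {
        this.id = id; this.ownerId = ownerId;
        this.departmentId = departmentId; this.title = title;
    }
    public long ownerId() { return ownerId; }
    public long departmentId() { return departmentId; }
    public String toString() { return title; }
}

// One method per likely check; a page calls the one or two it needs.
interface DataRightsChecker {
    void assertOwner(User user, Owned thing);
    void assertInOwningDepartment(User user, Owned thing);
    void assertCanUpdate(User user, Owned thing);
    <T extends Owned> List<T> filterVisible(User user, List<T> things);
}

final class DataRightsCheckerImpl implements DataRightsChecker {
    public void assertOwner(User user, Owned thing) {
        if (user == null || thing == null || thing.ownerId() != user.id)
            throw new DataRightsViolation("not the owner");
    }
    public void assertInOwningDepartment(User user, Owned thing) {
        if (user == null || thing == null || thing.departmentId() != user.departmentId)
            throw new DataRightsViolation("outside the owning department");
    }
    public void assertCanUpdate(User user, Owned thing) {
        assertInOwningDepartment(user, thing);   // must be able to see it first
        if (!user.canUpdateDepartment)
            throw new DataRightsViolation("read-only in this department");
    }
    // List responses are where other departments' rows leak. Filter on the
    // server with the same rule as the single-object check, rather than
    // trusting the query or the template to leave them out.
    public <T extends Owned> List<T> filterVisible(User user, List<T> things) {
        List<T> visible = new ArrayList<>();
        if (user == null) return visible;
        for (T t : things)
            if (t.departmentId() == user.departmentId) visible.add(t);
        return visible;
    }
}

public class DataRightsDemo {
    public static void main(String[] args) {
        DataRightsChecker rights = new DataRightsCheckerImpl();
        // Constructed sample data: two departments, one read-only user.
        User alice = new User(1, 10, true);
        User bob   = new User(2, 10, false);  // Alice's department, read-only
        User carol = new User(3, 20, true);   // a different department
        Document d1 = new Document(100, 1, 10, "Alice's plan");
        Document d2 = new Document(101, 3, 20, "Carol's budget");
        List<Document> everything = List.of(d1, d2);

        rights.assertOwner(alice, d1);              // Alice owns d1
        rights.assertInOwningDepartment(bob, d1);   // Bob may read d1
        rights.assertCanUpdate(alice, d1);          // Alice may edit d1

        try { rights.assertCanUpdate(bob, d1); }    // Bob is read-only
        catch (DataRightsViolation e) { System.out.println(e.getMessage()); }

        try { rights.assertInOwningDepartment(carol, d1); } // Carol hacked the URL
        catch (DataRightsViolation e) { System.out.println(e.getMessage()); }

        // What Alice's list page should actually return from "everything".
        System.out.println(rights.filterVisible(alice, everything));
    }
}
```

In a Tapestry 5 application the interface and implementation would be bound in the module class with `binder.bind(DataRightsChecker.class, DataRightsCheckerImpl.class)`, injected into a page with `@Inject`, and handed the user from `@SessionState`. The important property is that the identifier in the URL is used only to load the object; the decision is made by comparing the loaded object against the session user, so tampering with the URL can at most produce the exception.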