There's also http://tynamo.org/tapestry-security-jpa+guide that has annotations and works at the entity level - it's JPA only at the moment.
Kalle

On Sat, Mar 15, 2014 at 5:22 AM, Geoff Callender <geoff.callender.jumpst...@gmail.com> wrote:

> In my world this distinction is often referred to as "data rights" vs. "function rights".
>
> Function rights can indeed be handled by restricting access to pages and components with annotations and sometimes a bit of conditional logic in the template. It's up to you whether you check function rights in the business tier too.
>
> Data rights however are tricky. You have to check every request and be very careful what's in every response, particularly list responses. However, in my experience the range of checks needed to determine whether a user has the data rights for a given request is usually very small. E.g. you get the user from the session and decide:
>
> - Does the thing being requested belong to them?
> - Or more usually, are they in the department that owns what's being requested?
> - Can the user update things in their department or only read them?
>
> In the web tier you could create a Tapestry service, say DataRightsChecker, inject it when it's needed, and have a method for each of the likely checks. In most web requests you'll probably find that you need to call only one or two methods and you're done. The service can return a really nasty error if it fails - there's no need to be nice because the user should not be in that situation unless they've hacked the URL. Ensure that normal site behaviour never takes them into a situation where they lack the function or data rights.
>
> Again, it's up to you whether you check data rights in the business tier too. It's also up to you whether you go the whole hog and set up data rights in the database itself.
>
>
> On 15 March 2014 21:36, Boris Horvat <horvat.z.bo...@gmail.com> wrote:
>
> > I could be missing something, but isn't this a database question? How to model your tables and relationships between them?
> >
> > I don't see this as being a Tapestry related question, to be honest.
> >
> > On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein <mailingl...@j-b-s.de> wrote:
> >
> > > Hi Ken!
> > >
> > > This sounds more like a "persistence" question, to be honest. How do you store / persist the user data?
> > >
> > > Jens
> > >
> > > On 15.03.14 06:44, Ken in Nashua wrote:
> > >
> > >> Hi Folks,
> > >>
> > >> I want to create a web site data model whereby... whatever a user creates... they own.
> > >>
> > >> And when they come back to the website to operate again... they will see only what they own.
> > >>
> > >> It's not as much page-based security as it is object-based security... as in model object.
> > >>
> > >> Are there annotations available or mechanisms within tapestry-security to perform this in one hit so I can just put it at the top of my class (an annotation) or page and operate only on what the owner created?
> > >>
> > >> Thanks
> >
> > --
> > Sincerely
> > *Boris Horvat*
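One way to build the DataRightsChecker service Geoff sketches, as an added example (not code from the thread, Tapestry or tapestry-security): the User, Document and Owned types and the DataRightsViolation exception are assumptions standing in for an application's own model, and the Tapestry service binding is left out so the class runs on its own with `java DataRightsChecker.java`.

```java
import java.util.List;

// In Tapestry this would be bound in AppModule and @Inject-ed where needed;
// it is a plain class here so the example runs stand-alone.
class DataRightsChecker {
    // Does the thing being requested belong to the user?
    boolean owns(User user, Owned thing) { return user.id() == thing.ownerId(); }

    // Or, more usually, is the user in the department that owns it?
    boolean inOwningDepartment(User user, Owned thing) {
        return user.departmentId() == thing.departmentId();
    }
    boolean canRead(User user, Owned thing) {
        return owns(user, thing) || inOwningDepartment(user, thing);
    }

    // Can the user update things in their department, or only read them?
    boolean canUpdate(User user, Owned thing) {
        return owns(user, thing) || (inOwningDepartment(user, thing) && user.canUpdateInDepartment());
    }

    // Guards for onActivate and event handlers: one call, fail hard, carry on.
    void requireRead(User user, Owned thing) { if (!canRead(user, thing)) throw new DataRightsViolation(); }
    void requireUpdate(User user, Owned thing) { if (!canUpdate(user, thing)) throw new DataRightsViolation(); }

    // List responses are filtered server-side against the session user, never by trusting request parameters.
    <T extends Owned> List<T> readable(User user, List<T> things) {
        return things.stream().filter(t -> canRead(user, t)).toList();
    }

    public static void main(String[] args) {
        DataRightsChecker checker = new DataRightsChecker();
        User alice = new User(1, 10, false);  // constructed sample: read-only member of department 10
        List<Document> docs = List.of(
            new Document(100, 1, 10, "Alice's own document"),
            new Document(101, 2, 10, "A colleague's document"),
            new Document(102, 3, 20, "Another department's document"));
        System.out.println(checker.readable(alice, docs));  // the third document is filtered out
        checker.requireUpdate(alice, docs.get(0));          // passes: she owns it
        try { checker.requireUpdate(alice, docs.get(1)); }  // refused: her department is read-only for her
        catch (DataRightsViolation e) { System.out.println("update of 101 refused: " + e.getMessage()); }
    }
}

// Deliberately terse: a user only reaches this path by tampering with a URL.
class DataRightsViolation extends RuntimeException {
    DataRightsViolation() { super("Forbidden"); }
}

// Assumed domain types (not from the thread): an owned entity records its owner and its department.
interface Owned { long ownerId(); long departmentId(); }
record User(long id, long departmentId, boolean canUpdateInDepartment) {}
record Document(long id, long ownerId, long departmentId, String title) implements Owned {}
```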