cayenne-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Malcolm Edgar" <malcolm.ed...@gmail.com>
Subject Re: Data Access Filters
Date Thu, 06 Mar 2008 10:26:34 GMT
Hi Adrian,

thanks for the feedback.

regards Malcolm Edgar

On Thu, Mar 6, 2008 at 6:14 PM, Adrian Wiesmann <awiesmann@somap.org> wrote:
> Hello Malcolm, hello list
>
>
>  > Does anyone have any good Cayenne patterns for applying data security
>  > in queries.  The scenario I am talking about is where you have a
>  > client which only has access to certain records in a table, so when
>  > the query the table they should only see their records.  Similar
>  > concept to Oracles Find Grained Access Control (FGAC).
>
>  I am implementing something very similar to the Oracle FGAC way. But I
>  added the table model pattern to Cayenne to do so.
>
>  So in my architecture I renamed the Cayenne DataObject to DataRow. I then
>  introduced a DataTable to every DataRow. DataTables contain all logic
>  related to retrieving and persisting data of one table in the database.
>  DataRows are therefor "dumbed down" as they just contain logic related to
>  one record.
>
>  Let's say I have a Painting table. Then I generate a PaintingDataRow and a
>  PaintingDataTable class. In my PaintingDataTable I then implement the
>  logic to retrieve Painting records:
>
>  PaintingDataTable.getAllPaintings();
>  PaintingDataTable.getByForeignKey(keyArtist);
>
>  within these methods I then implement the access logic based on the
>  Session information. Based on the role information of the currently logged
>  in user I add some Where statements to the standard select statements.
>  Pseudo code:
>
>  PaintingDataTable.getAllPaintings()
>  {
>    select = "SELECT * FROM PAINTING";
>    if(!user.isAdmin())
>    {
>       select += "WHERE USER IS ALLOWED TO SEE PAINTING";
>    }
>  }
>
>  This architecture works quite good since all data retrieval is done via
>  the DataTables. And the DataTables enforce the access logic. It even has
>  the added value of having all retrieve logic in one place and not
>  everywhere in the code.
>
>  Actually the architecture is a little bit more complex (DataContainer,
>  Session, etc adding to the mess). But you should get the point. :)
>
>  Cheers,
>  Adrian
>

Mime
View raw message