cocoon-dev mailing list archives

From Peter Donald <dona...@mad.scientist.com>
Subject Re: [C2]Access control using sitemap
Date Mon, 11 Sep 2000 13:53:08 GMT

At 10:43  10/9/00 +0200, Giacomo Pati wrote:
>The example above is probably misleading because we don't have an Action
>component in the sitemap so far. Generally speaking I think a Sitemap
>Action is an object that acts upon an application model based on data
>supplied by the environments objectModel (ie Request). It's its
>responsibility to make some data available to the Sitemap engine as
>further selection/matching criteria (a List object) as well as in the
>objectModel for other sitemap components
... snip ...

yes I like this :P. I think it does all that I would require - though I will
try and break it next weekend to see if I can :P

>> There is also the idea of latent actions. For instance the latent Action is
>> transmitted between end-user and cocoon until they are activated. Actions
>> may also be made latent (or deactivated) in a couple of cases. Like when
>> you try to submit form but are not logged in - it will save action/form
>> data (or put action into latent state) and then after login commit the
>> action (or re-activate action).
>
>Isn't this a matter of how components play together?

not really - it is impossible for an individual action to "discover" the
other actions as the data may come in via post/get/cookies/other and is
really a container issue - where actions are contained. There needs to be a
way to grab all actions that have been passed to webapp (rather than those
that are implicit via sitemap) and store them. 

>> * Then specific resources webapp/a.xml, webapp/b.xml and webapp/admin/c.xml
>> must run FormValidationAction with appropriate form schema and the
>> appropriate FormDBEntryAction
>
>Didn't get the last one? What is a FormDBEntryAction for? Probably an
>XSP page?

nope - it is just an action that grabs stuff from environment and places it
in a database. I usually separate it from form validation and consider this
form saving :P

>> * A user can also arbitrarily submit an action from any page (via post
>> request or perhaps a ?action=blah tacked onto URL) that must be executed.
>
>  <match type="uri" pattern="webapp/**">
>    <act type="session-validation"/>
>    <match type="uri" pattern="webapp/admin">
>      <act type="assign-role">
>        <select type="role-selector">
>          <when test="admin">
>            <match type="uri" pattern="webapp/admin/c.xml">
>              <act type="form-validation" src="admin/form-schema-c.xsd"/>
>              <!-- the following next-page action has knowledge of the
>                   sequence of pages and returns a List with the first element
>                   corresponding to the "next page" appropriate depending on
>                   values in the objectModel signaling successful validation by
>                   the previous action (type="form-validation"). The following
>                   three lines could be put into a sitemap resource definition
>                   and replaced by <redirect-to resource="next-page"/>
>              -->
>              <act type="next-page">
>                <generate src="{1}"/>
>              </act>
>            </match>
>          </when>
>          <otherwise>
>            <match type="uri-regexp" pattern="webapp/(a|b)\.xml">
>              <act type="form-validation" src="form-schema-{1}.xsd"/>
>              <act type="next-page">
>                <generate src="{1}"/>
>              </act>
>            </match>
>          </otherwise>
>        </select>
>      </act>
>    </match>
>  </match>

This could work real good :P

>> It may also be good to have an action whose sole purpose is to extract
>> explicit action requests and execute/store them (ActionExtractorAction +
>> ActionDispatcherAction ???)
>
>Please answer these questions yourself after you've read my explanations.

ActionExtraction is really a container concern and thus dispatching can be
either a container or else contained concern (much like servlet dispatching
via /servlet/<servlet-name> is done via another servlet).

Anyways I will try to come up with problems with this approach (if any) and
try a few thought experiments :P


Cheers,

Pete

*------------------------------------------------------*
| "Nearly all men can stand adversity, but if you want |
| to test a man's character, give him power."          |
|       -Abraham Lincoln                               |
*------------------------------------------------------*
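
The latent-action flow discussed in this message (park a submitted action while the user is not logged in, commit it after login), sketched as an added example that is not part of the original message and is not Cocoon code. `Session`, `submit`, `login` and the action names are hypothetical; the paths and the admin role follow the quoted sitemap.

```python
import secrets

# Hypothetical model of a container holding latent actions (not Cocoon API).
ADMIN_PREFIX = "webapp/admin/"   # path taken from the quoted sitemap


class Session:
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.user = None
        self.roles = set()
        self.latent = []          # actions parked until login


def authorized(session, path):
    """Session must be logged in; admin paths also need the admin role."""
    if session.user is None:
        return False
    return not path.startswith(ADMIN_PREFIX) or "admin" in session.roles


def submit(session, path, action, form, log):
    """Container entry point: run the action now, or park it if not logged in."""
    if session.user is None:
        # Copy the form so later changes to the request cannot alter parked data.
        session.latent.append((path, action, dict(form)))
        return "login-required"
    if not authorized(session, path):
        return "forbidden"
    log.append((session.user, path, action, form))
    return "executed"


def login(session, user, roles, log):
    """Authenticate, rotate the session id, then re-activate parked actions.

    Every parked action goes back through submit(), so it is checked against
    the roles of the user who actually logged in; being parked grants nothing.
    """
    session.id = secrets.token_hex(16)   # new id after the privilege change
    session.user, session.roles = user, set(roles)
    parked, session.latent = session.latent, []
    return [(path, action, submit(session, path, action, form, log))
            for path, action, form in parked]
```
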
