cocoon-users mailing list archives

From tedwards <tedwa...@civica.com.au>
Subject Re: Restrict users to flow
Date Fri, 02 Jun 2006 00:17:59 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Seth,<br>
I actually access the navigation.xml from within flow. <br>
I pass all function calls through a 'main' function and this calls a
'checkUserSecurity(functionName)' function where the user's access is
checked.<br>
<br>
In the sitemap I have:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;map:match pattern="*.do"&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;map:call function="main"&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;map:parameter name="page" value="{1}"
/&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;/map:call&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;/map:match&gt;<br>
<br>
In my navigation.xml I have:<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &lt;menu label="Access"
href="signonForm.do"&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="signonForm.do" ignoreRole="true"
label="Login" roleName="Public" role="0"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="signOn.do?signoff=true"
ignoreRole="true" label="Logout" roleName="Public" role="0"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="pwrdRemindEdit.do" label="Edit password
reminder lists" roleName="Administer Users" role="1"/&gt;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="eserveAdmin.do" label="eService Admin"
roleName="Administer Eservices" role="512"/&gt;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="dbConnectionsEdit" label="Database
Connections" roleName="Administer Hierarchies" role="256"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="linkTypesView.do" label="View Link
Types" roleName="Public" role="1"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="sitemapConfiguration.do" label="Edit
Sitemap Components" roleName="Administer Hierarchies" role="1024"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &lt;/menu&gt;<br>
<br>
If I am trying to call 'signOnForm.do', it gets passed to 'main'. My
credentials and the role against the function are checked against each
other and if it's OK the function is then called.<br>
If the function has an 'ignoreRole' attribute set to true, then no
checking takes place and the function is called.<br>
I use a simple bit flag mechanism to determine a user's permissions.
The user's role number (stored in <tt>user.userLogin.rol_num </tt>)
is ANDed against the function's role number. Eg if a user's role number
is 2560 and the function has a role of 512 then the user has access to
this function (2560 AND 512 = 512 [true]).<br>
The user details can be obtained from a database or a simple ACL xml
file living under cocoon. The advantage for me is that I can impose a
fairly flexible authentication structure without having to resort to
any java (such is the wonderful nature of Cocoon!!).<br>
<br>
The relevant bits of flow are listed below. Using this process I can
change menu items on the fly depending on user permissions by
transforming the navigation.xml document and bitshifting the function's
role and the user's role in XSL. But that's another story!<br>
<br>
I hope this lengthy reply helps!<br>
<br>
Regards, <br>
Tony<br>
<br>
<tt>function main() {<br>
&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; var funName = cocoon.parameters["page"];<br>
&nbsp;&nbsp;&nbsp; print("Function Main(). Calling " + funName + "...");&nbsp;
<br>
&nbsp;&nbsp;&nbsp; var fun = this[funName];<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; print("Check that user has security to access the function:
'" +
funName + "'");<br>
&nbsp;&nbsp;&nbsp; print("First: make sure user's security setting is in session:");<br>
&nbsp;&nbsp;&nbsp; var userRoleNum = 0;<br>
&nbsp;&nbsp;&nbsp; userRoleNum = cocoon.session.getAttribute("securityAccess");<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; if(((userRoleNum == null) || (userRoleNum == 0)) &amp;&amp;
(user
!= null)){<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; print("Users session role num
= " + userRoleNum);&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; print("User's session role num
has been clobbered. Re-add it.");<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
cocoon.session.setAttribute("securityAccess",user.userLogin.rol_num);<br>
&nbsp;&nbsp;&nbsp; }<br>
&nbsp;&nbsp;&nbsp; var functionRedirect = checkUserSecurity(funName);<br>
&nbsp;&nbsp;&nbsp; print("Redirected function = " + functionRedirect);<br>
&nbsp;&nbsp;&nbsp; fun = this[functionRedirect];<br>
&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; var args = new Array(arguments.length -1);<br>
&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; for (var i = 1; i &lt; arguments.length; i++) {<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; args[i-1] = arguments[i];<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print("Args: " + args[i-1]);<br>
&nbsp;&nbsp;&nbsp; }<br>
&nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; message="";&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; // apply() takes the 'this' value first, then the argument array<br>
&nbsp;&nbsp;&nbsp; fun.apply(this, args);<br>
&nbsp;&nbsp;&nbsp; <br>
}<br>
<br>
function checkUserSecurity(psFuncName){
<br>
&nbsp;&nbsp;&nbsp; //Check user role against function role and returns the
<br>
&nbsp;&nbsp;&nbsp; // function you're trying to get to if OK or else directs you
to&nbsp;
<br>
&nbsp;&nbsp;&nbsp; // the welcome screen where you can read the error message.
<br>
&nbsp;&nbsp;&nbsp;
print("*****************************************************************");

<br>
&nbsp;&nbsp;&nbsp; print("In checkUserSecurity. Checking user access to '" +
psFuncName + "'");
<br>
&nbsp;&nbsp;&nbsp; print("Is the function an aim specific function?");
<br>
<br>
&nbsp;&nbsp;&nbsp; print("Do we ignore this role?");
<br>
&nbsp;&nbsp;&nbsp; var ignoreRole = getIgnoreRoleStatus(psFuncName);
<br>
&nbsp;&nbsp;&nbsp; if(ignoreRole == "true"){
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; print("Yes we do.");
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return psFuncName;
<br>
&nbsp;&nbsp;&nbsp; }
<br>
&nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; if((user == null) || (typeof(user) == 'undefined')){
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; print("user is null - hasn't
logged on.");
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return 'welcome';
<br>
&nbsp;&nbsp;&nbsp; }
<br>
&nbsp;&nbsp;&nbsp; var userRole = user.userLogin.rol_num;
<br>
&nbsp;&nbsp;&nbsp; print("User's magic number = " + userRole);
<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; var lFuncMagNum = getFunctionMagicNumber(psFuncName);
<br>
&nbsp;&nbsp;&nbsp; print("Role number for this function = " + lFuncMagNum);
<br>
&nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; var biLevel = new Packages.java.math.BigInteger(userRole +
"");
<br>
&nbsp;&nbsp;&nbsp; var biAccess = new Packages.java.math.BigInteger(lFuncMagNum
+
"");&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; var result = biLevel.and(biAccess).intValue();&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; print("Result of ANDing " + userRole + " AND " + lFuncMagNum
+ " =
" + result);
<br>
&nbsp;&nbsp;&nbsp; if(result &gt; 0){
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
print("*****************************************************************");

<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return psFuncName;
<br>
&nbsp;&nbsp;&nbsp; } else {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; message = "You don't have the
required permissions to access the
'" + psFuncName + "' function.";
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; setMessage(message);
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
print("*****************************************************************");

<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return 'welcome';
<br>
&nbsp;&nbsp;&nbsp; }&nbsp;&nbsp;&nbsp; &nbsp;<br>
}
</tt><br>
<br>
<tt>function getFunctionMagicNumber(psFunctionName){
<br>
&nbsp;&nbsp;&nbsp; print("Loading the navigation document.");
<br>
&nbsp;&nbsp;&nbsp; var navDoc = loadDocument("cocoon:/xml/navigation.xml");
<br>
&nbsp;&nbsp;&nbsp; if(navDoc != null){
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; print("Looking for element with
href attribute of '" +
psFunctionName + ".do'");&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; var navElement = getNodesByAttribute(navDoc,
"menu-item",
"href", Trim(psFunctionName) + ".do");
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; if(navElement != null){
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
print("Found element, get role attribute.");
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
var roleVal = getNodeAttributeValue(navElement, "role");
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
var label =&nbsp; getNodeAttributeValue(navElement, "label");
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
print("Menu item label = " + label);&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
print("Role setting = " + roleVal);
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
return roleVal;
<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; } else {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
print("Could not find role attribute in element " +
getNodeText(navElement));
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
return null;
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; }
<br>
&nbsp;&nbsp;&nbsp; } else {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; message = "Could not find navigation
document. Please notify
administrator.";
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; print(message);
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return null;
<br>
&nbsp;&nbsp;&nbsp; }
<br>
}
<br>
function getNodesByAttribute(document, elmntName, attrName, attrValue)
{
<br>
&nbsp;&nbsp;&nbsp; /** elmntName = "hNode"
<br>
&nbsp;&nbsp;&nbsp; &nbsp;* attrName = the attribute we're trying to find.&nbsp;
<br>
&nbsp;&nbsp;&nbsp; &nbsp;* attrValue = the attribute's value we're trying
to retrieve
<br>
&nbsp;&nbsp;&nbsp; &nbsp;* Returns the nodes whose attr = the value parm */
<br>
&nbsp;&nbsp;&nbsp; print("In getNodesByAttribute: element Name =&nbsp; " +
elmntName + ";
Attribute Name = " + attrName + "; Attribute Value = " + attrValue);
<br>
&nbsp;&nbsp;&nbsp; if(document == null){
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; print("Document is null!");
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return null;
<br>
&nbsp;&nbsp;&nbsp; }
<br>
&nbsp;&nbsp;&nbsp; var node = null;
<br>
&nbsp;&nbsp;&nbsp; &nbsp;<br>
&nbsp;&nbsp;&nbsp; print("Getting all parentNode or childNode elements:
getElementsByTagName(" + elmntName + ")");
<br>
&nbsp;&nbsp;&nbsp; var pnodes = document.getElementsByTagName(elmntName);
<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; var nodeLen = pnodes.getLength();
<br>
&nbsp;&nbsp;&nbsp; print("Number of elements retrieved = " + nodeLen);
<br>
&nbsp;&nbsp;&nbsp; if (nodeLen == 0) {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; //Node don't exist!
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return null;
<br>
&nbsp;&nbsp;&nbsp; } else {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; //We've found some Node elements,&nbsp;
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; //see if the id attribute value
= nodeId parm.
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; for (var i = 0; i &lt; nodeLen;
i++) {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
node = pnodes.item(i);
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
if (node != null) {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; if (node.hasAttributes()) {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; var attributes = node.getAttributes();
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; var idAttribute =
attributes.getNamedItem(attrName);
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; if (idAttribute != null){
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
if
(idAttribute.getNodeValue().equals(attrValue)) {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; return node;
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
}
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; } else {
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
return null;
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; }
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; }
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
}
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; }
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; return null;
<br>
&nbsp;&nbsp;&nbsp; }
<br>
}<br>
<br>
function getNodeAttributeValue(domNode,attributeName){
<br>
&nbsp;&nbsp;&nbsp; if(domNode == null){ <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;return null; <br>
&nbsp;&nbsp;&nbsp; } <br>
&nbsp;&nbsp;&nbsp; if (domNode.hasAttributes()) { <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;var attributes = domNode.getAttributes();
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;var idAttribute = attributes.getNamedItem(attributeName);
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;if (idAttribute != null){ <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;return
idAttribute.getNodeValue(); <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;} else { <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;return
null; <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;} <br>
&nbsp;&nbsp;&nbsp; } else { <br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;return null; <br>
&nbsp;&nbsp;&nbsp; } <br>
&nbsp;<br>
}
<br>
&nbsp;<br>
</tt><br>
Seth Foss wrote:
<blockquote
 cite="midCE4BA44743C6B846BE46B70529CF7E4709B8C9@exchange.lat-inc.net"
 type="cite">
  <div align="left" dir="ltr"><font face="Arial" size="2"><span
 class="427272512-31052006">Tony,</span></font></div>
  <div align="left" dir="ltr"><font face="Arial" size="2"><span
 class="427272512-31052006">&nbsp;&nbsp;&nbsp; That looks like just what I
need. Could
you give me an example of how you are accessing that xml from your
sitemap?</span></font></div>
  <div align="left" dir="ltr"><font face="Arial" size="2"><span
 class="427272512-31052006"></span></font>&nbsp;</div>
  <div align="left" dir="ltr"><font face="Arial" size="2"><span
 class="427272512-31052006">Seth</span></font></div>
  <br>
  <div class="OutlookMessageHeader" align="left" dir="ltr" lang="en-us">
  <hr tabindex="-1"><font face="Tahoma" size="2"><b>From:</b> tedwards
[<a class="moz-txt-link-freetext" href="mailto:tedwards@civica.com.au">mailto:tedwards@civica.com.au</a>]
<br>
  <b>Sent:</b> Tuesday, May 30, 2006 7:06 PM<br>
  <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@cocoon.apache.org">users@cocoon.apache.org</a><br>
  <b>Subject:</b> Re: Restrict users to flow<br>
  </font><br>
  </div>
Hi Seth,<br>
I restrict what users can and can't do by running them through a
'traffic cop' of sorts.<br>
I have a navigation document which performs 2 functions: 1 is to
generate the menus that the program displays and the other is to
determine who can have access to a particular portion of the
application.<br>
  <br>
For example:<br>
  <br>
A section of my navigation.xml looks like this:<br>
&nbsp;&nbsp;&nbsp; &lt;menu_category type="non-visible"&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &lt;menu label="non-visible"&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="processLinks.do" label="processLinks"
roleName="Public" role="1"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="noticeEdit.do" label="noticeEdit"
roleName="Public" role="1"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="searchHrcy.do" label="searchHrcy"
roleName="Admin" role="256"/&gt;<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;menu-item href="getChildNodesOnly.do"
label="getChildNodesOnly" roleName="Public" role="1"/&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/menu&gt;<br>
&nbsp;&nbsp;&nbsp; &lt;/menu_category&gt;<br>
  <br>
When a user tries to access a particular flow function like
'searchHrcy.do', their user permissions (a global variable obtained at
login) are compared to the role attribute of the menu-item. If they
don't have sufficient privileges to access this function then they are
redirected.<br>
Similarly if they attempt to access any function not listed in the
navigation.xml, an error is generated and they are redirected.<br>
All this role checking and redirection is handled by flow. This could
be extended to include any pipeline calls as well by listing them in
the navigation document and using flow to call sendPage(menu-item).<br>
  <br>
I hope this makes sense. The application I am writing required really
fine grained access level so I knocked up this 'traffic cop' to check
every public flow function.<br>
If you need more detail, let me know.<br>
  <br>
Regards<br>
Tony<br>
  <br>
  <br>
Seth Foss wrote:
  <blockquote
 cite="midCE4BA44743C6B846BE46B70529CF7E4709B863@exchange.lat-inc.net"
 type="cite">
    <div><span class="353532118-30052006"><font face="Arial" size="2">How
do I restrict a user from accessing pipelines outside of flowscript<span
 class="427272512-31052006">?&nbsp;</span> I can figure out how to redirect
un-authenticated users to a login page, but if logged-in users manually
enter a pipeline into the address bar, how do I redirect them into my
flowscript. I plan on using continuations, so Submits and Nexts will
not direct to the correct pages without the flowscript running.</font></span></div>
    <div><span class="353532118-30052006"></span>&nbsp;</div>
    <div><span class="353532118-30052006"><font face="Arial" size="2">Seth
Foss</font></span></div>
  </blockquote>
  <p>--<br>
  <br>
This email is from Civica Pty Limited and it, together with any
attachments, is confidential to the intended recipient(s) and the
contents may be legally privileged or contain proprietary and private
information. It is intended solely for the person to whom it is
addressed. If you are not an intended recipient, you may not review,
copy or distribute this email. If received in error, please notify the
sender and delete the message from your system immediately. Any views
or opinions expressed in this email and any files transmitted with it
are those of the author only and may not necessarily reflect the views
of Civica and do not create any legally binding rights or obligations
whatsoever. Unless otherwise pre-agreed by exchange of hard copy
documents signed by duly authorised representatives, contracts may not
be concluded on behalf of Civica by email. Please note that neither
Civica nor the sender accepts any responsibility for any viruses and it
is your responsibility to scan the email and the attachments (if any).
All email received and sent by Civica may be monitored to protect the
business interests of Civica. </p>
</blockquote>
</body>
</html>
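
The role check described in the message, as an added example that is not Tony's code or part of Cocoon: a deny-by-default version in plain JavaScript rather than flowscript. `ROUTES`, `parseRole`, `authorize`, `dispatch` and the `handlers` map are hypothetical names, and the route table is constructed from the menu-item attributes quoted in the thread.

```javascript
// Constructed route table mirroring the menu-item attributes quoted in the message.
// In Cocoon this data would come from navigation.xml; here it is inlined.
const ROUTES = {
  signonForm:           { role: 0, ignoreRole: true },
  pwrdRemindEdit:       { role: 1 },
  eserveAdmin:          { role: 512 },
  linkTypesView:        { role: 1 },
  sitemapConfiguration: { role: 1024 },
  searchHrcy:           { role: 256 },
};
const FALLBACK = 'welcome';

// Parse a role number strictly: only non-negative 31-bit integers are accepted,
// so null, "", "null", "12abc" or NaN can never turn into a usable mask.
function parseRole(value) {
  const text = String(value);
  if (!/^\d{1,10}$/.test(text)) return null;
  const n = Number(text);
  return n <= 0x7fffffff ? n : null;
}

// Decide which function name the request may run. Everything that is not
// explicitly allowed resolves to FALLBACK (deny by default).
function authorize(funName, user) {
  // Own-property lookup only: "constructor", "__proto__" etc. are not routes.
  if (!Object.prototype.hasOwnProperty.call(ROUTES, funName)) {
    return { target: FALLBACK, reason: 'unlisted function' };
  }
  const route = ROUTES[funName];
  if (route.ignoreRole === true) {
    return { target: funName, reason: 'public' };
  }
  if (user == null) {
    return { target: FALLBACK, reason: 'not logged on' };
  }
  const userRole = parseRole(user.userLogin && user.userLogin.rol_num);
  const funcRole = parseRole(route.role);
  if (userRole === null || funcRole === null) {
    return { target: FALLBACK, reason: 'bad role number' };
  }
  // Same test as the message: any shared bit grants access.
  if ((userRole & funcRole) !== 0) {
    return { target: funName, reason: 'role match' };
  }
  return { target: FALLBACK, reason: 'insufficient role' };
}

// Dispatch through an explicit handler map instead of looking the name up
// on the global scope, so only registered handlers are reachable.
function dispatch(funName, user, handlers, args) {
  const decision = authorize(funName, user);
  const handler = Object.prototype.hasOwnProperty.call(handlers, decision.target)
    ? handlers[decision.target]
    : handlers[FALLBACK];
  return handler.apply(null, args || []);
}
```

A role of 0 can never pass the AND test, which is why the public entries in the thread need `ignoreRole`; a route with role 0 and no `ignoreRole` is unreachable for every user.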