Jorge Loyo said the following on 10/05/2009 01:06 PM:
> peter,
>
> thank you for the response.
>
> the problem is that the grid data is retrieved via cfc bind and
> depending on the permissions of the user i may have to send the user
> to one place or another. I thought about adding the urls directly to
> the query data returned to populate the grid, but i just found the
> solution a little weird... retrieving data to, then loop through the
> data, then push it to the grid.
>
> i thought i could perhaps do an ajax call to a cfc that will build my
> url based on parameters that i pass to it, that way the queries remain
> unchanged and i can create the urls separately way.
>
Your front end performance making that many AJAX calls just for URLs
will degrade as your recordset increases. Typically in our applications
at work, we send everybody to the same endpoint and let that
event-handler make permission decisions based on their permissions and
requested data point. Could be as simple as:
index.cfm?event=cfgrid.decision&element=user&id=1234&action=edit
Another method is to do something like this:
<event-handler event="user.edit">
... ensure logged in -- we use plugins for this, but your app might
use a filter here instead ...
<filter name="announceByPermission">
<parameter name="superUser" value="user.superUser.edit"/>
<parameter name="dumbUser" value="user.dumbUser.edit"/>
</filter>
</event-handler>
... notice we're marked private ....
<event-handler event="user.superUser.edit" access="private">
... code here ...
</event-handler>
<event-handler event="user.dumbUser.edit" access="private">
... code here ...
</event-handler>
This is a great way to leave end points the same which a great for many
reasons:
* Bookmark ability -- most users tend to bookmark stuff and this leaves
the end point the same no matter what permissions that they have
* Share ability -- people share URLs and this way it's not one URL from
person A with permission X and another URL for person B with permission Z.
* Simple encapsulation of events -- if you need to add on another
permission -- you just add to the filter announceByPermission instead of
having to update a bunch of front end code. We usually just announce
the event for the user's highest permission in case of multiple
permissions matching.
* Simplified "public" URL structure for front end development because
we're dealing with decision routing on the application side
* "Possible" additional security (it all depends) because you're
disclosing a bunch of event names / actions / etc. It's really more
obfuscation in the end , but you are running more stuff through a single
end point (makes for less errors on forgotten permissions / forgetting
to check login / etc. because it's one end point).
If it's more complicated than that, you can add in an
action=nameOfAction parameter in case there are special use cases.
My .02 cents,
.Peter
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to Mach-II for CFML list.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/mach-ii-for-coldfusion?hl=en
SVN: http://greatbiztoolsllc.svn.cvsdude.com/mach-ii/
Wiki / Documentation / Tickets:
http://greatbiztoolsllc.trac.cvsdude.com/mach-ii/
-~----------~----~----~----~------~----~------~--~---
