If it's meant to be a discussion the mailing list is probably the better place for it.
On the other hand, there are established patterns for this so perhaps the best first step is to do a bit of research. The is a fair bit of commentary in the mailing list archives and probably in the wiki too, and there is a lot of code that uses this sort of pattern in ecommerce so customers can see their own stuff but no one else can. -David BJ Freeman wrote:
http://issues.apache.org/jira/browse/OFBIZ-118 BJ Freeman sent the following on 7/27/2006 11:49 AM:There is a need to be able to block viewing info except that info that may pertain to that login (partyID)The is not taking into consideration Admin or Managers levels.for instance you have employees who should not be able to see each others profiles, payroll information, and/or time sheets, as a few examples.another area, if an communication event is set to private, no one but the party ID associated with the email address should be able to see them.So this is a discussion about how to best implement this.
smime.p7s
Description: S/MIME Cryptographic Signature
