Hello all,
I have a T5 app that has typical security restrictions on some pages based
on role, but also based on domain-specific instances that can be resolved
from request parameters.
For example, a request to the web page ShowDocument, which accepts "documentID"
as a parameter, can be allowed only to users with the ROOT role, or to a user
with the CUSTOMER role *only if it is THE customer who created this document*,
meaning I have to resolve the document's customer and compare it to the
logged-in user inside the HttpSession to check if he's authorized.
Since page-specific request parameters are set inside each T5 page via the
"activate" event, the only time to perform authorization would be after
that. It would be best if there could be some new event plugged into the request
pipeline that would be fired right after the "activate" event, and where I
could perform some page-specific authorization and return the login page if not
authorized. Is this possible to do now somehow?
Or is there some other suggestion?
BR,
Vjeran
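
The rule described in this post (ROOT always, CUSTOMER only for a document that customer created), written as a deny-by-default check: this is an added example, not code from the post or from Tapestry, and every class, method and field name in it is hypothetical. It is framework-free and would be called once the page has resolved documentID.

```java
import java.util.Map;
import java.util.Optional;

// Added example: all names below are hypothetical, not Tapestry API.
public class DocumentAccessPolicy {

    enum Role { ROOT, CUSTOMER }

    // The logged-in user as kept in the HttpSession.
    record SessionUser(long id, Role role) {}

    // Only the field the check needs: the customer who created the document.
    record Document(long id, long customerId) {}

    /**
     * Deny by default. A missing session user, a missing document and an
     * unmatched role all give the same answer, so the caller's response
     * does not reveal whether a given documentID exists.
     */
    static boolean mayView(SessionUser user, Optional<Document> doc) {
        if (user == null || user.role() == null || doc.isEmpty()) {
            return false;
        }
        switch (user.role()) {
            case ROOT:
                return true;
            case CUSTOMER:
                // Compare against the stored owner, never a request parameter.
                return doc.get().customerId() == user.id();
            default:
                return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the document store.
        Map<Long, Document> store = Map.of(10L, new Document(10L, 7L));
        SessionUser root = new SessionUser(1L, Role.ROOT);
        SessionUser owner = new SessionUser(7L, Role.CUSTOMER);
        SessionUser other = new SessionUser(8L, Role.CUSTOMER);

        for (SessionUser u : new SessionUser[] { root, owner, other, null }) {
            System.out.println(u + " doc 10: " + mayView(u, Optional.ofNullable(store.get(10L))));
        }
        System.out.println(owner + " doc 99: " + mayView(owner, Optional.ofNullable(store.get(99L))));
    }
}
```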