Hi Amy,

On 2011-07-19, at 5:55 AM, Amy Worrall wrote:

> Hi! I have a question about good app design.
> 
> I know that, as mentioned in the WOWODC videos I've watched, a common
> beginner mistake is to put most of the logic in the page components.
> Indeed, I've been guilty of that myself in apps I've made in the past.
> I know the fundamentals of MVC from my background in Cocoa.
> 
> So suppose I have an app where users have their own profile. Each user
> can edit his own profile, whereas an admin can edit any profile.
> 
> Whereabouts does the logic go to check if someone is authorised to
> edit a particular profile? Should there be a method on the Session, to
> return a boolean for "can edit this profile"? If that's the case, from
> where is that method called?

Another approach that ERModernLook makes relatively simple is to tie what can 
be seen to the NavigationMenu.plist (you can also set this up for non-D2W 
pages).

You can show/hide navigation tabs based on user permissions for the logged in 
user, determined in the session class:

  // Session method: picks the navigation root used by NavigationMenu.plist
  public String navigationRootChoice() {
    Person user = (Person) user();
    if (user != null) {
      if (user.isAdmin()) {
        return "adminuser";
      }
      return "home";
    }
    return "none";   // nobody logged in
  }

I've made an example available:

http://wiki.objectstyle.org/confluence/display/WO/SimpleBlog

In the example, the auth code is in the Person entity and the session calls a 
method (above) to check if the logged in user isAdmin():

  // Person entity method: look up the Admin role in this object's editing
  // context and test whether this user holds it
  public boolean isAdmin() {
    Role aRole = Role.fetchRole(this.editingContext(), "roleDescription", "Admin");
    return this.roles().contains(aRole);
  }

> 
> I know I could do it by having the page component call the
> authorisation method, and return an error page instead if it goes
> wrong. But that seems to tie the logic too much to my view: what if I
> come to add a REST API later? I'd need to duplicate my permissions
> logic, since it wouldn't be using the WOComponent that outputs the
> HTML page. Ditto if I add another page elsewhere that happens to be
> able to make a profile change (say, allowing an inline name change on
> another otherwise unrelated page). Ideally I think the data model
> itself should be able to reject an edit if it's performed without
> permission, but then we get into problems since the data model
> shouldn't know about the session.
> 
> Also, I'm considering using Direct To Web (at least to some extent)
> for this project. I've never used it for anything more than an admin
> interface (i.e. one global login, if you're in then you can edit
> everything). If I were using Direct To Web, is the answer to the above
> question the same?

D2W gives you fine grained control (in rules) over specific properties that are 
shown on a given page configuration and also gives page flow choices in 
branchChoices, as Ramsey has described in his email.

David

> 
> Thanks for your help,
> 
> Amy
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      (Webobjects-dev@lists.apple.com)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/webobjects-dev/programmingosx%40mac.com
> 
> This email sent to programming...@mac.com
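To show how Amy's self-or-admin rule can sit on the entity while the session only supplies the acting user (so the same check serves a page component, a D2W rule or a later REST layer), here is an added example in plain Java; it is not code from the SimpleBlog example or from Wonder, and the Person/Session classes, usernames and role strings are stand-ins constructed for the demo.

```java
// Added illustration (plain-Java stand-ins, not SimpleBlog or Wonder code).
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
class Person {
    private final String username;
    private final Set<String> roleDescriptions;

    Person(String username, String... roles) {
        this.username = username;
        this.roleDescriptions = new HashSet<>(Arrays.asList(roles));
    }

    // Stands in for the fetchRole(...)/roles().contains(...) lookup in the reply.
    public boolean isAdmin() {
        return roleDescriptions.contains("Admin");
    }

    // The rule lives on the entity and takes the acting user as a parameter,
    // so it needs no reference to the session and the same method serves a
    // page component, a D2W rule or a future REST handler.
    public boolean canBeEditedBy(Person editor) {
        if (editor == null) return false;   // nobody logged in
        return editor.username.equals(username) || editor.isAdmin();
    }
}
class Session {
    private Person user;   // logged-in user, null before login

    void setUser(Person p) { user = p; }

    // Thin pass-through, like navigationRootChoice(): the session only
    // says who is asking; the entity decides.
    public boolean canEditProfile(Person profile) {
        return profile != null && profile.canBeEditedBy(user);
    }
}
class Demo {
    public static void main(String[] args) {
        Person alice = new Person("alice"), bob = new Person("bob");
        Person root = new Person("root", "Admin");   // constructed sample users
        Session s = new Session();
        s.setUser(alice);
        System.out.println("alice edits alice: " + s.canEditProfile(alice));
        System.out.println("alice edits bob: " + s.canEditProfile(bob));
        s.setUser(root);
        System.out.println("root edits bob: " + s.canEditProfile(bob));
    }
}
```

In a real EOF entity the username comparison would be an identity or primary-key comparison, and the same canBeEditedBy() check can be called from validateForSave() to reject an unauthorised edit before it reaches the database.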
