
    Declarative Security question

    I have a question about the example on declarative security of the quick guide:

    <operationBinding operationType="fetch">
    <criteria fieldName="deleted" value="false"/>
    </operationBinding>
    <operationBinding operationType="fetch" operationId="adminSearch"
    requiresRole="admin"/>


    How does the component choose which fetch operation to use?
    I tried the example and it always shows me the default fetch operation, no matter if the user has the role "admin" or not.

    Is it necessary to tell the component which fetch operation to use?
    For example:
    if isAdmin() { use adminSearch } else { use default }?
    If not, why am I always getting the default operation? The user I am testing with definitely has admin rights: I tested with <DataSource requiresAuthorization="true" requiresRole="admin" ... and it shows me the datasource correctly. For users without the admin role I get an error, which is the correct behaviour. So what is the problem?
    Last edited by edulid; 6 Aug 2011, 18:56.

    #2
    The operation to use is selected by the operationId. You can set this on the component doing the fetch, for example, ListGrid.fetchOperation.



      #3
      What is then the point of having
      <operationBinding ... requiresRole="admin"/> ?

      If I must write some code like:

      if (currentUserAdmin()) {
      ListGrid.fetchOperation("adminSearch");
      }

      I would be looking two times if the current user is admin:
      currentUserAdmin() ?
      and
      requiresRole="admin" ?



        #4
        As with the QuickStart example of deleted users, the most common scenario is that additional information may be available to an admin user but the admin user doesn't necessarily want to see that information by default. In other words, the admin's view should still default to showing users that have not been deleted.

        Because of this, you'll want a "Show Deleted Users" or similar UI control anyway, and that's a natural place to put the line of code needed to switch the operationId.



          #5
          OK, I understand, but still it will be checking two times if the user has admin privileges:

          if (hasAdminRole()) { //first time
          showDeletedUsersUIControl.setVisible(true);
          }

          This UI control sets:
          ListGrid.fetchOperation("adminSearch");

          and in the DS we wrote: requiresRole="admin" . //second time

          Wouldn't that work with two fetch operations, just the same as in the example, but WITHOUT the requiresRole="admin"? What would be the difference? What's then the point of having requiresRole="admin" in the DS? Why do we need it?



            #6
            requiresRole="admin" causes actual enforcement that the operation cannot be performed unless you have the admin role.

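The difference raised in posts #5 and #6, as an added example that is not part of the thread and is not SmartClient's server code: a simplified JavaScript model of a server that picks the operation binding by operationId and enforces requiresRole from the authenticated session. The function names, the sample rows and the session role list are assumptions made for illustration; requiresRole is treated as a single role name.

```javascript
// Simplified model of server-side declarative security (added example, not
// SmartClient code). Binding fields mirror the DataSource XML in post #1.
const operationBindings = [
  { operationType: "fetch", criteria: { deleted: false } },
  { operationType: "fetch", operationId: "adminSearch", requiresRole: "admin" },
];

// Constructed sample rows.
const users = [
  { name: "alice", deleted: false },
  { name: "bob", deleted: true },
];

// Pick the binding by operationType + operationId, as post #2 describes.
// A request without an operationId gets the default binding.
function resolveBinding(request) {
  return operationBindings.find(
    (b) => b.operationType === request.operationType &&
           b.operationId === request.operationId
  );
}

// sessionRoles comes from the authenticated server session, never from
// anything the client put in the request.
function handleRequest(request, sessionRoles) {
  const binding = resolveBinding(request);
  if (!binding) return { status: "error", reason: "unknown operation" };
  if (binding.requiresRole && !sessionRoles.includes(binding.requiresRole)) {
    return { status: "denied", reason: "requires role " + binding.requiresRole };
  }
  // Criteria declared on the binding are applied by the server.
  const fixed = binding.criteria || {};
  const data = users.filter((u) =>
    Object.keys(fixed).every((k) => u[k] === fixed[k])
  );
  return { status: "ok", data };
}

// A request naming adminSearch can reach the server whether or not the UI
// control that normally sets it is visible, so the client check alone
// decides nothing.
const crafted = { operationType: "fetch", operationId: "adminSearch" };
```

The client-side check only decides whether the control is shown; the role check in `handleRequest` is what decides whether the rows are returned.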