Changeset 2454
- Timestamp: 05/05/2008 08:02:01 AM
- Files:
- trunk/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page (modified) (1 diff)
- trunk/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page (modified) (1 diff)
- trunk/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page (modified) (2 diffs)
- trunk/demos/blog-tutorial/protected/pages/Day4/CreateNewPost.page (modified) (2 diffs)
trunk/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page
r1962 r2454 128 128 129 129 130 <h2>Adding Permission Check</h2>131 <p>132 Since <tt>AdminUser</tt> should only be accessible by administrators, we need to adjust the page configuration file <tt>protected/pages/users/config.xml</tt> accordingly.133 </p>134 <com:TTextHighlighter CssClass="source" Language="xml">135 <?xml version="1.0" encoding="utf-8"?>136 <configuration>137 <authorization>138 <allow pages="NewUser,AdminUser" roles="admin" />139 <deny users="?" />140 </authorization>141 </configuration>142 </com:TTextHighlighter>143 144 130 <h2>Testing</h2> 145 131 <p> trunk/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page
r2034 r2454 188 188 </com:TipBox> 189 189 190 <h2>Adding Permission Check</h2> 191 <p> 192 To make the <tt>EditUser</tt> page also accessible by authenticated users (<tt>users="@"</tt>), we need to adjust the page configuration file <tt>protected/pages/users/config.xml</tt> accordingly. 193 </p> 194 195 <com:TTextHighlighter CssClass="source" Language="xml"> 196 <?xml version="1.0" encoding="utf-8"?> 197 <configuration> 198 <authorization> 199 <allow roles="admin"/> 200 <allow users="@" pages="EditUser"/> 201 <deny users="*"/> 202 </authorization> 203 </configuration> 204 </com:TTextHighlighter> 205 206 190 207 <h2>Testing</h2> 191 208 <p> trunk/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page
r2034 r2454 190 190 <configuration> 191 191 <authorization> 192 <allow pages="NewUser" roles="admin"/>193 <deny users=" ?"/>192 <allow roles="admin"/> 193 <deny users="*"/> 194 194 </authorization> 195 195 </configuration> … … 197 197 198 198 <p> 199 The page configuration contains authorization rules that apply to the pages under the directory <tt>protected/pages/users</tt>. The above configuration reads that the <tt>NewUser</tt> can be accessed by users of role <tt>admin</tt> (see <a href="?page=Day3.Auth">BlogUser.createUser()</a> for why the word "admin"), and deny anonymous access (<tt>users="?"</tt> means guest users) for all pages under the directory.200 </p> 201 202 <p> 203 Now if we visit the <tt>NewUser</tt> page as a guest, we will be redirected to the <tt>LoginUser</tt> page first. If our login is successful, we will be redirected back to the <tt>NewUser</tt> page.199 The page configuration contains authorization rules that apply to the pages under the directory <tt>protected/pages/users</tt>. The above configuration reads that users in the role <tt>admin</tt> can access all pages (see <a href="?page=Day3.Auth">BlogUser.createUser()</a> for why the word "admin"). For now all other users (<tt>users="*"</tt>) are denied acess to pages in this directory - except for the <tt>LoginUser</tt> page which by convention can always be accessed. 200 </p> 201 202 <p> 203 Now if we visit the <tt>NewUser</tt> page as a guest, we will be redirected to the <tt>LoginUser</tt> page first. If our login as <tt>admin</tt> is successful, we will be redirected back to the <tt>NewUser</tt> page. 204 204 </p> 205 205 trunk/demos/blog-tutorial/protected/pages/Day4/CreateNewPost.page
r2070 r2454 8 8 9 9 <p> 10 Because <tt>NewPost</tt> can only be accessed by authenticated users, we add a page configuration file <tt>config.xml</tt> under the directory <tt>protected/pages/posts</tt>. The configuration specifies that guest users cannot access <tt>NewPost</tt> and <tt>EditPost</tt> which is to be introduced in the next section.10 Because <tt>NewPost</tt> can only be accessed by authenticated users, we add a page configuration file <tt>config.xml</tt> under the directory <tt>protected/pages/posts</tt>. The configuration specifies that authenticated users can access <tt>NewPost</tt> and <tt>EditPost</tt> which is to be introduced in the next section. All other users only have access to <tt>ListPost</tt> and <tt>ReadPost</tt>. 11 11 </p> 12 12 … … 15 15 <configuration> 16 16 <authorization> 17 <deny pages="NewPost,EditPost" users="?" /> 17 <allow pages="NewPost,EditPost" users="@" /> 18 <allow pages="ListPost,ReadPost" /> 19 <deny users="*" /> 18 20 </authorization> 19 21 </configuration> 20 22 </com:TTextHighlighter> 23 24 <com:TipBox> 25 It's always a good idea to start with a <tt>deny="*"</tt> catch all rule at the bottom and then step by step grant access to pages with additional rules. 26 </com:TipBox> 21 27 22 28 <p>
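Review bot: Removing the "Adding Permission Check" section from CreateAdminUser.page (old lines 130-143) leaves that page with no statement of how `AdminUser` is protected. Access now depends entirely on the `<allow roles="admin"/>` and `<deny users="*"/>` rules shown in CreateNewUser.page. Consider keeping one sentence before "Testing" that points back to that configuration, so a reader who starts at this page knows `AdminUser` is restricted to administrators and where the rule lives.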
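Review bot: In the section added to CreateEditUser.page (new lines 190-204), the text does not say that `<allow users="@" pages="EditUser"/>` has to stay above `<deny users="*"/>`. The TipBox added to CreateNewPost.page in this same changeset describes the deny rule as a catch-all at the bottom, so the placement matters to the reader. Suggest adding a sentence that only this one line is new relative to the configuration from CreateNewUser.page, and that it must precede the final deny rule.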
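Review bot: Typo in the rewritten paragraph of CreateNewUser.page at new line 199: "denied acess to pages in this directory" should read "denied access". In the same sentence, the exception for `LoginUser` is attached with " - except for"; a comma or a separate sentence would read more cleanly.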
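Review bot: The TipBox added to CreateNewPost.page (new lines 24-26) writes the catch-all rule as `deny="*"`, which does not match the rule in the configuration just above it, `<deny users="*" />`. A reader copying the tip's notation would end up with something that is not the rule shown. Suggest changing the tip to quote the rule as it appears in the config. Separately, the new `<allow pages="ListPost,ReadPost" />` at line 18 has no `users` attribute while every other rule in this changeset sets one; either add it or have the prose say that an omitted `users` means all users.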
