From 8603509e30ec505ec666797a1ae2c16ea7338ab2 Mon Sep 17 00:00:00 2001 From: mikl <> Date: Mon, 5 May 2008 13:02:01 +0000 Subject: Fixed flaw in blog-tutorial's authentication rules. --- .../protected/pages/Day3/CreateAdminUser.page | 14 -------------- .../protected/pages/Day3/CreateEditUser.page | 17 +++++++++++++++++ .../protected/pages/Day3/CreateNewUser.page | 8 ++++---- 3 files changed, 21 insertions(+), 18 deletions(-) (limited to 'demos/blog-tutorial/protected/pages/Day3') diff --git a/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page b/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page index a91895a9..a278fa69 100644 --- a/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page +++ b/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page @@ -127,20 +127,6 @@ All data-boun -

Adding Permission Check

-

-Since AdminUser should only be accessible by administrators, we need to adjust the page configuration file protected/pages/users/config.xml accordingly. -

- - - - - - - - - -

Testing

To test the AdminUser page, visit the URL http://hostname/blog/index.php?page=users.AdminUser. You may be required to login as an administrator first if you have not done so. We shall expect to see the following result. diff --git a/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page b/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page index 78c345a3..6023450c 100644 --- a/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page +++ b/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page @@ -187,6 +187,23 @@ class EditUser extends TPage The onInit() method is invoked by PRADO during one of the page lifecycles. Other commonly overriden lifecycle methods include onPreInit(), onLoad() and onPreRender(). +

Adding Permission Check

+

+To make the EditUser page also accessible by authenticated users (users="@"), we need to adjust the page configuration file protected/pages/users/config.xml accordingly. +

+ + + + + + + + + + + + +

Testing

To test the EditUser page, visit the URL http://hostname/blog/index.php?page=users.EditUser&username=demo. You may be required to login first if you have not done so. Try logging in with different accounts (e.g. admin/demo, demo/demo) and see how the page displays differently. diff --git a/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page b/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page index f0ca94f5..4dca21c2 100644 --- a/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page +++ b/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page @@ -189,18 +189,18 @@ PRADO offers a more systematic way of checking page access permissions. To do so - - + +

-The page configuration contains authorization rules that apply to the pages under the directory protected/pages/users. The above configuration reads that the NewUser can be accessed by users of role admin (see BlogUser.createUser() for why the word "admin"), and deny anonymous access (users="?" means guest users) for all pages under the directory. +The page configuration contains authorization rules that apply to the pages under the directory protected/pages/users. The above configuration reads that users in the role admin can access all pages (see BlogUser.createUser() for why the word "admin"). For now all other users (users="*") are denied acess to pages in this directory - except for the LoginUser page which by convention can always be accessed.

-Now if we visit the NewUser page as a guest, we will be redirected to the LoginUser page first. If our login is successful, we will be redirected back to the NewUser page. +Now if we visit the NewUser page as a guest, we will be redirected to the LoginUser page first. If our login as admin is successful, we will be redirected back to the NewUser page.
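Review bot: in the CreateAdminUser.page hunk, removing the whole "Adding Permission Check" section leaves the Testing paragraph ("You may be required to login as an administrator first") depending on a rule the reader can no longer see anywhere on this page. Add one sentence pointing to where the admin-only rule for AdminUser now lives (the directory-wide protected/pages/users/config.xml described in CreateNewUser.page, which allows users in the role admin and denies everyone else), so the admin-login requirement in the test step is explained rather than asserted.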
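Review bot: in the CreateEditUser.page hunk, the new section opens EditUser to every authenticated user (users="@"), yet the page is selected by a user-controlled parameter (index.php?page=users.EditUser&amp;username=demo) and nothing in the added text says who may edit which account. State explicitly that the config.xml rule only decides whether a logged-in user reaches the page at all, and that restricting a non-admin to editing their own record is the page code's job (the onInit() method this section follows is the natural place), otherwise a reader may take the rule as sufficient. The prose should also say where the new allow rule for "@" goes relative to the directory-wide deny for users="*" described in CreateNewUser.page, since the rule XML itself is not legible in this rendering and a reader who orders the two the other way round will find demo/demo denied despite the explanation.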
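Review bot: in the CreateNewUser.page hunk, the rewritten paragraph states the new rules (allow role admin for all pages, deny users="*") but never says what was wrong with the old ones, and since the commit exists to fix that flaw the tutorial should name it: the previous deny rule matched only guests (users="?"), so any authenticated non-admin account such as demo/demo could reach NewUser and the other pages in the directory, and the narrow allow for NewUser alone did nothing to prevent that. Suggest one sentence making the deny-by-default lesson explicit. Two smaller points in the same added line: "acess" should be "access", and "which by convention can always be accessed" is vague; say why LoginUser stays reachable under a deny-all rule (it is the page unauthorized users are redirected to, as the following paragraph shows), otherwise it reads as an unexplained exception.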

-- cgit v1.2.3