From 8603509e30ec505ec666797a1ae2c16ea7338ab2 Mon Sep 17 00:00:00 2001
From: mikl <>
Date: Mon, 5 May 2008 13:02:01 +0000
Subject: Fixed flaw in blog-tutorial's authentication rules.

---
 .../protected/pages/Day3/CreateAdminUser.page           | 14 --------------
 .../protected/pages/Day3/CreateEditUser.page            | 17 +++++++++++++++++
 .../protected/pages/Day3/CreateNewUser.page             |  8 ++++----
 .../protected/pages/Day4/CreateNewPost.page             | 10 ++++++++--
 4 files changed, 29 insertions(+), 20 deletions(-)

(limited to 'demos/blog-tutorial')

diff --git a/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page b/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page
index a91895a9..a278fa69 100644
--- a/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page
+++ b/demos/blog-tutorial/protected/pages/Day3/CreateAdminUser.page
@@ -127,20 +127,6 @@ All <a href="http://www.pradosoft.com/docs/classdoc/TDataBoundControl">data-boun
 </com:TipBox>
 
 
-<h2>Adding Permission Check</h2>
-<p>
-Since <tt>AdminUser</tt> should only be accessible by administrators, we need to adjust the page configuration file <tt>protected/pages/users/config.xml</tt> accordingly.
-</p>
-<com:TTextHighlighter CssClass="source" Language="xml">
-<?xml version="1.0" encoding="utf-8"?>
-<configuration>
-  <authorization>
-    <allow pages="NewUser,AdminUser" roles="admin" />
-    <deny users="?" />
-  </authorization>
-</configuration>
-</com:TTextHighlighter>
-
 <h2>Testing</h2>
 <p>
 To test the <tt>AdminUser</tt> page, visit the URL <tt>http://hostname/blog/index.php?page=users.AdminUser</tt>. You may be required to login as an administrator first if you have not done so. We shall expect to see the following result.
diff --git a/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page b/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page
index 78c345a3..6023450c 100644
--- a/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page
+++ b/demos/blog-tutorial/protected/pages/Day3/CreateEditUser.page
@@ -187,6 +187,23 @@ class EditUser extends TPage
 The <tt>onInit()</tt> method is invoked by PRADO during one of the <a href="http://www.pradosoft.com/demos/quickstart/?page=Fundamentals.Pages">page lifecycles</a>. Other commonly overriden lifecycle methods include <tt>onPreInit()</tt>, <tt>onLoad()</tt> and <tt>onPreRender()</tt>.
 </com:TipBox>
 
+<h2>Adding Permission Check</h2>
+<p>
+To make the <tt>EditUser</tt> page also accessible by authenticated users (<tt>users="@"</tt>), we need to adjust the page configuration file <tt>protected/pages/users/config.xml</tt> accordingly.
+</p>
+
+<com:TTextHighlighter CssClass="source" Language="xml">
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <authorization>
+    <allow roles="admin"/>
+    <allow users="@" pages="EditUser"/>
+    <deny users="*"/>
+  </authorization>
+</configuration>
+</com:TTextHighlighter>
+
+
 <h2>Testing</h2>
 <p>
 To test the <tt>EditUser</tt> page, visit the URL <tt>http://hostname/blog/index.php?page=users.EditUser&username=demo</tt>. You may be required to login first if you have not done so. Try logging in with different accounts (e.g. admin/demo, demo/demo) and see how the page displays differently.
diff --git a/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page b/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page
index f0ca94f5..4dca21c2 100644
--- a/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page
+++ b/demos/blog-tutorial/protected/pages/Day3/CreateNewUser.page
@@ -189,18 +189,18 @@ PRADO offers a more systematic way of checking page access permissions. To do so
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <authorization>
-    <allow pages="NewUser" roles="admin" />
-    <deny users="?" />
+    <allow roles="admin"/>
+    <deny users="*"/>
   </authorization>
 </configuration>
 </com:TTextHighlighter>
 
 <p>
-The page configuration contains authorization rules that apply to the pages under the directory <tt>protected/pages/users</tt>. The above configuration reads that the <tt>NewUser</tt> can be accessed by users of role <tt>admin</tt> (see <a href="?page=Day3.Auth">BlogUser.createUser()</a> for why the word "admin"), and deny anonymous access (<tt>users="?"</tt> means guest users) for all pages under the directory.
+The page configuration contains authorization rules that apply to the pages under the directory <tt>protected/pages/users</tt>. The above configuration reads that users in the role <tt>admin</tt> can access all pages (see <a href="?page=Day3.Auth">BlogUser.createUser()</a> for why the word "admin"). For now all other users (<tt>users="*"</tt>) are denied acess to pages in this directory - except for the <tt>LoginUser</tt> page which by convention can always be accessed. 
 </p>
 
 <p>
-Now if we visit the <tt>NewUser</tt> page as a guest, we will be redirected to the <tt>LoginUser</tt> page first. If our login is successful, we will be redirected back to the <tt>NewUser</tt> page.
+Now if we visit the <tt>NewUser</tt> page as a guest, we will be redirected to the <tt>LoginUser</tt> page first. If our login as <tt>admin</tt> is successful, we will be redirected back to the <tt>NewUser</tt> page.
 </p>
 
 <com:TipBox>
diff --git a/demos/blog-tutorial/protected/pages/Day4/CreateNewPost.page b/demos/blog-tutorial/protected/pages/Day4/CreateNewPost.page
index c81e634c..7797efaa 100644
--- a/demos/blog-tutorial/protected/pages/Day4/CreateNewPost.page
+++ b/demos/blog-tutorial/protected/pages/Day4/CreateNewPost.page
@@ -7,18 +7,24 @@ The <tt>NewPost</tt> page is provided to authenticated users for creating new bl
 </p>
 
 <p>
-Because <tt>NewPost</tt> can only be accessed by authenticated users, we add a page configuration file <tt>config.xml</tt> under the directory <tt>protected/pages/posts</tt>. The configuration specifies that guest users cannot access <tt>NewPost</tt> and <tt>EditPost</tt> which is to be introduced in the next section.
+Because <tt>NewPost</tt> can only be accessed by authenticated users, we add a page configuration file <tt>config.xml</tt> under the directory <tt>protected/pages/posts</tt>. The configuration specifies that authenticated users can access <tt>NewPost</tt> and <tt>EditPost</tt> which is to be introduced in the next section. All other users only have access to <tt>ListPost</tt> and <tt>ReadPost</tt>. 
 </p>
 
 <com:TTextHighlighter CssClass="source" Language="xml">
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <authorization>
-    <deny pages="NewPost,EditPost" users="?" />
+    <allow pages="NewPost,EditPost" users="@" />
+    <allow pages="ListPost,ReadPost" />
+    <deny users="*" />
   </authorization>
 </configuration>
 </com:TTextHighlighter>
 
+<com:TipBox>
+It's always a good idea to start with a <tt>deny="*"</tt> catch all rule at the bottom and then step by step grant access to pages with additional rules.
+</com:TipBox>
+
 <p>
 As the number of our pages expands, we would like to modify <tt>MainLayout</tt> so that in the footer of our blog pages there are links to various pages, including the homepage, the <a href="?page=Day3.CreateNewUser">NewUser</a> page (visible to the administrator only), and the upcoming <tt>NewPost</tt> page (visible to authenticated users only).
 </p>
-- 
cgit v1.2.3