The project I am working on consists of product, orders, customers and the like.
Products, orders, and customers all belong to specific clients.
Clients all have logins, and there are also different levels of manager login. Administrators can have access to everything, plant managers can have access to only the clients in their warehouse, and clients can only have access to their own stuff.
So if someone tries to view order detail, edit customer record, or view a list of products, it should work like
If admin then show it to them
If they are a plant manager get all the clients at the warehouse and limit stuff to those clients
If they are a client then make sure the record(s) belongs to their clientID
So the logic above really isn't that hard. The question is at what spot in my code do I put it? I have everything represented by classes and there is a lot of querying and the like that goes on. I think I would like it to throw an exception if they are not allowed.
A. I could build this into my classes and pass a clientID or loginID to every method or object instantiation.
B. At the controller level I can check the access using an authorization object. But we are talking about putting this thing all over the place and then having to make sure we call it for any orderIDs, or productIDs, or whatever is passed in GET or POST. This would result in extra queries as well and probably missed checks.
C. Have the class methods retrieve the loginID or clientID from the framework.
D. Any other ideas?
How should I handle this user authorization puzzle?
Moderator: General Moderators
OOH OOH!
I another thread here - viewtopic.php?t=64310, arborint suggested I use manager classes for retrieving objects whcih sounded like a good idea...
What if I create an abstract base manager class and then extend that for each of my login times, admin, client, and manager? The problem though is that each manager will need to be duplicated 3 times, once for each type...
I could create manager classes then maybe use an delegate within the class, then create a different delegate for each login type....
Does that give anyone ideas?
I another thread here - viewtopic.php?t=64310, arborint suggested I use manager classes for retrieving objects whcih sounded like a good idea...
What if I create an abstract base manager class and then extend that for each of my login times, admin, client, and manager? The problem though is that each manager will need to be duplicated 3 times, once for each type...
I could create manager classes then maybe use an delegate within the class, then create a different delegate for each login type....
Does that give anyone ideas?
-
johndcastro
- Forum Newbie
- Posts: 2
- Joined: Tue Feb 27, 2007 4:29 pm
I have been in a similar situation, and what I did was determine a 'groupid' so the say i.e.
Admin - 0
Manager - 1
Customers -2
Then you just write if else statments with different queries based on there groupidstatements i.e. -
if ($groupid == 2) {
$qry = "SELECT * from table WHERE groupid LIKE '2'";
}
else ...
And so on,
Of course you would have to modify your tables to have a groupid field in the users and main product tables and then when you insert just use the group id.
This may or may not be what you were looking for just something I did in a similar situation!
Admin - 0
Manager - 1
Customers -2
Then you just write if else statments with different queries based on there groupidstatements i.e. -
if ($groupid == 2) {
$qry = "SELECT * from table WHERE groupid LIKE '2'";
}
else ...
And so on,
Of course you would have to modify your tables to have a groupid field in the users and main product tables and then when you insert just use the group id.
This may or may not be what you were looking for just something I did in a similar situation!
