I am starting to investigate/create a user login and permissions system.
How can I programmatically get a list of all pages, all menus and their respective menu items?
I have tried this, but no success. It fills in a popup menu…
For i As Integer = 0 To Self.ControlCount - 1
  ' Check whether the control is a WebMenuItem (the cast below must match the IsA check)
  If Self.ControlAt(i) IsA WebMenuItem Then
    ' Text is the caption shown to the user; to list a stable identifier instead, store one in the item's Tag
    Dim Nme As String = WebMenuItem(Self.ControlAt(i)).Text
    Me.AddRow(Nme)
  End If
Next
Yeah, nah. Having done permission based access before, this seems like the worst way to go about it. Create access levels and imply what a user can do from there.
As Tim H said, design your process, what it will do, and think about the UI to make it work, and then think in the kind of possible actors and their roles (or levels), and actions/access someone would like to include/exclude from those roles, like for the “admin” role it can do anything, but a “clerk” can’t delete things or can’t access entire parts of the system, he needs to call a superior to do some operations. Not on/off 1000 “micro useless things”.
Before we get too deep in this discussion, each control/object on the window should decide in their open event what kind of access to allow: not visible, read only, or editable/active.
It’s also important to remember that on the web you need to be more careful. Making a control not visible or read-only doesn’t prevent a crafty user from interacting with it. If you truly want an item to be inaccessible, you either have to also ignore the events, “close” the control to remove it from the page or just don’t add it in the first place.
FWIW, I just added a permission system to a web app that’s grown beyond its original purpose just this week. A complete role & feature management system. It’s a bit of work to get started, but later you’ll appreciate having the ability to add a certain feature to a role and suddenly everyone who has that role can access that feature.
[quote="Tim Hare, post:4, topic:85290, username:Tim_Hare"]
Create access levels and imply what a user can do from there.
[/quote]
I was thinking/planning on having access levels, Roles, permissions, a table of pages and possibly menu items, and allow the user to assign these objects as they deem fit.
That’s why I was looking for a way to programmatically find all pages to fill the pertinent table with their name and/or other information. This, as compared to manually having to go through the app and collect that info. My thinking too, is that as pages are added they would be automatically added to the database.
I’ve been searching the web for ideas and how-to’s since this is the first time I’ve had the need to do this. Here are a few examples.
My logic says that if you want to control access to certain areas, then you need to know what those areas are - which leads me back to page/menu access.
Can you elaborate on the method you et al. are thinking of?
Each page serves a specific purpose. It should be able to answer the question, “What should I allow this user to do?” You can further delegate that question to the control level if you wish.
This approach decouples the “what” from the “how”. You can completely revamp a page without having to update anything in a database. The database supplies what the user is allowed to do. The page controls how he does it.
It’s functional level of control vs specific implementation.
Re menu level access, then it does make sense to have a list of pages that each access level can see. That is a top level filter. Once the user gets to that page, additional restrictions apply.
One of the disconnects here is that what you seem to be asking for is WebPage instances. In that case, your database will grow every time a new session is created, a new page is created, a new dialog is created, etc. Personally I think the “savings” you think you’re going to get will be offset by having to remember to implement this code every time a new view is created.
I suggest a different approach.
When creating a feature that needs to be protected, you call a method that checks to see if the current user is in a certain role to determine if it should be enabled. Something like:
If security.userHasRole("manager") then
  Deletebutton.enabled = true
End if
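The two points made above, that a hidden or disabled control is not a security boundary on the web and that a role check should gate each protected feature, can be combined in one pattern. This is an added example, not code from the thread; it assumes Xojo Web 2.0 event names, a `Security` module, a `Session.UserRoles` string array populated at login, and a `DeleteCurrentRecord` method on the page.

```xojo
' Security module (assumed name). Roles come from the server-side session,
' never from anything the browser sends.
Public Function UserHasRole(role As String) As Boolean
  For Each r As String In Session.UserRoles   ' assumed Session property, filled at login
    If r = role Then Return True
  Next
  Return False
End Function

' DeleteButton.Opening event: decide once what this user may see.
' Closing the control removes it from the page instead of merely hiding it.
Sub Opening()
  If Not Security.UserHasRole("manager") Then
    Me.Close
  End If
End Sub

' DeleteButton.Pressed event: check again, because the event can still be
' raised from the browser even when the control was hidden or disabled.
Sub Pressed()
  If Not Security.UserHasRole("manager") Then
    ' Ignore the event and leave a trace for the audit trail.
    System.DebugLog("Unauthorized delete attempt from session " + Session.Identifier)
    Return
  End If
  DeleteCurrentRecord   ' assumed page method that performs the protected action
End Sub
```

The same re-check belongs in any method a protected control calls, so the enforcement lives with the action rather than with the UI element.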
That was what I was thinking. But having now received all of this input, I’ve found myself completely confused and not having any clear understanding of what are now best practices, particularly for Web apps. And, how to implement them!
Anyone know a place where I can get some text to read/understand and a simple sample for how to do it in Xojo?
I assume that when a user accesses your app, they are presented with a login screen. Once they complete that, they are redirected to a main screen. How is that screen set up? What does it do?
I’m hoping the answer to that question will not be, reconfigure your entire UI.