MVC and user levels, how to do?

Hello,

I have created my own MVC model (I could have used a framework but I wanted to build one for my own first to understand it better) but I am still stuck with a question inside my head.

Where do you arrange the user levels?

For example, if you have one view, the main page, where do you check whether the user may see the admin panel that is also on that page?

My guess is inside the view through some sort of login bean with predefined user level codes.

But this creates a dependency on the codes in my eyes, although the models and controllers have nothing to do with these codes, it does create a connection between the view and the database (since the user level codes are stored there).

Is this acceptable and maintainable in the future, or is there a better/different way to do this?

Thank you

[856 byte] By [radicjesa] at [2007-11-27 2:26:26]
# 1
You should not build it in the framework, but in its actual implementation. Depending on the purpose you can do a role check in the view or in the controller. Preferably not in the model.
BalusCa at 2007-7-12 2:35:47
# 2

Thank you for your answer.

I have defined two checks inside my application.

One is in the controller, that checks whether the user has access to a specific action, so nothing will be done if the user has no rights to the action at all.

For example, a showusers action that displays multiple users on a page.

This will send the user to an error page since this is not possible at all if everything is done right inside the view.

So this should only be possible when a user manually types in the URL, possibly to "hack" the site.

Second one is in the view for more specific things inside an action.

For example the main page and the admin panel.

This does not guide you to any error page but just does not display the data that you are not allowed to do.

I think this is a good approach, plus I am going to use one central class or xml file where all the codes (specific for an action) for user levels are defined.

When a user's rights are defined, it should get the appropriate code from this class or xml file so no inconsistency problems arise.

The reason why I am writing what I am thinking now I do not know, but it helps me think better and maybe it helps some other people think better :p

radicjesa at 2007-7-12 2:35:47
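
The two checks and the central definition described in reply #2, as an added example that is not code from either poster. It is plain Java without the servlet API, and every name in it (`Role`, `AccessPolicy`, `showusers`, `adminpanel`, `deleteall`) is hypothetical. The controller check is the enforcement point and denies any action that is not listed; the view check only decides what to display and reads the same central map.

```java
import java.util.Map;

// Added illustration; all class, action and fragment names are hypothetical.
public class AccessDemo {
    enum Role { GUEST, USER, ADMIN }   // declaration order: later means more rights

    // Central definition: the only place that maps an action or page fragment to a level.
    static final class AccessPolicy {
        private static final Map<String, Role> REQUIRED = Map.of(
            "main", Role.GUEST,
            "showusers", Role.ADMIN,
            "adminpanel", Role.ADMIN);

        // Deny by default: a name missing from the map is never allowed.
        static boolean allows(Role role, String name) {
            Role needed = REQUIRED.get(name);
            return needed != null && role != null && role.compareTo(needed) >= 0;
        }
    }

    // Controller check: runs before the action, so a hand-typed URL cannot bypass it.
    static String dispatch(Role role, String action) {
        if (!AccessPolicy.allows(role, action)) {
            return "error";            // send to the error page and do no work
        }
        return render(role, action);
    }

    // View check: only decides what to show; it is not the enforcement point.
    static String render(Role role, String action) {
        StringBuilder page = new StringBuilder("[" + action + "]");
        if (action.equals("main") && AccessPolicy.allows(role, "adminpanel")) {
            page.append("[adminpanel]");
        }
        return page.toString();
    }

    public static void main(String[] args) {
        // Constructed sample requests: (role, requested action).
        System.out.println(dispatch(Role.USER, "main"));
        System.out.println(dispatch(Role.ADMIN, "main"));
        System.out.println(dispatch(Role.USER, "showusers"));
        System.out.println(dispatch(Role.ADMIN, "deleteall"));
    }
}
```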