antville/code/MemberMgr/securityFunctions.js

/**
 * permission check (called by hopobject.onRequest())
 * @param String name of action
 * @param Obj User object
 * @param Int Membership level
 * @return Obj Exception object or null
 */
function checkAccess(action, usr, level) {
   var deny = null;
   try {
      switch (action) {
         case "main" :
            checkIfLoggedIn(this.href(action));
            this.checkEditMembers(usr, level);
            break;
         case "subscriptions" :
            checkIfLoggedIn(this.href(action));
            break;
      }
   } catch (deny) {
      res.message = deny.toString();
      res.redirect(this._parent.href());
   }
   return;
}

/**
 * check if user is allowed to edit the memberlist of this site
 * @param Obj Userobject
 * @param Int Permission-Level
 * @return String Reason for denial (or null if allowed)
 */
function checkEditMembers(usr, level) {
   if ((level & MAY_EDIT_MEMBERS) == 0)
      throw new DenyException("memberEdit");
   return;
}
- added checkAccess() that is called by onRequest() to check if a user is allowed to request a certain action 2003-08-02 12:07:08 +00:00			`/**`
			`* permission check (called by hopobject.onRequest())`
			`* @param String name of action`
			`* @param Obj User object`
			`* @param Int Membership level`
			`* @return Obj Exception object or null`
			`*/`
			`function checkAccess(action, usr, level) {`
			`var deny = null;`
rewrote permission framework: renamed isXxxDenied() to checkXxx(), all check-methods now throw a DenyException object instead of returning an Exception object 2003-09-07 21:02:26 +00:00			`try {`
			`switch (action) {`
			`case "main" :`
			`checkIfLoggedIn(this.href(action));`
			`this.checkEditMembers(usr, level);`
			`break;`
			`case "subscriptions" :`
			`checkIfLoggedIn(this.href(action));`
			`break;`
			`}`
			`} catch (deny) {`
			`res.message = deny.toString();`
			`res.redirect(this._parent.href());`
- added checkAccess() that is called by onRequest() to check if a user is allowed to request a certain action 2003-08-02 12:07:08 +00:00			`}`
rewrote permission framework: renamed isXxxDenied() to checkXxx(), all check-methods now throw a DenyException object instead of returning an Exception object 2003-09-07 21:02:26 +00:00			`return;`
- added checkAccess() that is called by onRequest() to check if a user is allowed to request a certain action 2003-08-02 12:07:08 +00:00			`}`

Initial revision 2001-06-18 08:57:33 +00:00			`/**`
replaced hardcoded messages with getMsg() 2002-06-26 17:20:41 +00:00			`* check if user is allowed to edit the memberlist of this site`
- security-functions now demand user-object as argument 2001-12-10 23:22:58 +00:00			`* @param Obj Userobject`
req.data.memberlevel is now passed as second argument to security-functions. with this they can also be used even when there's no request-object present (scheduler, bloggerApi) 2003-01-02 18:55:32 +00:00			`* @param Int Permission-Level`
- security-functions now demand user-object as argument 2001-12-10 23:22:58 +00:00			`* @return String Reason for denial (or null if allowed)`
Initial revision 2001-06-18 08:57:33 +00:00			`*/`
rewrote permission framework: renamed isXxxDenied() to checkXxx(), all check-methods now throw a DenyException object instead of returning an Exception object 2003-09-07 21:02:26 +00:00			`function checkEditMembers(usr, level) {`
req.data.memberlevel is now passed as second argument to security-functions. with this they can also be used even when there's no request-object present (scheduler, bloggerApi) 2003-01-02 18:55:32 +00:00			`if ((level & MAY_EDIT_MEMBERS) == 0)`
rewrote permission framework: renamed isXxxDenied() to checkXxx(), all check-methods now throw a DenyException object instead of returning an Exception object 2003-09-07 21:02:26 +00:00			`throw new DenyException("memberEdit");`
			`return;`
Initial revision 2001-06-18 08:57:33 +00:00			`}`
- removed check if user is blocked (will be done with onRequest()) - changes necessary due to new role-scheme 2002-01-22 20:21:13 +00:00