openinteract-help

[Openinteract-help] Per-field permissions in SPOPS?

[Vsevolod (S. I. <si...@cs...>]

Hi,

Has anyone tried to implement in SPOPS giving different users different 
write permissions on different fields. Say, if we have a table of 
employees, a) the owner of each record is allowed to update his phone 
number, b) people in HR are allowed to update most other fields, but c) 
no one is allowed to update the employee number as it's autogenerated.

I have not found anything like this in the code or in the mailing list 
archives. If this functionality is absent in SPOPS, but would be desired 
and easy to implement, I would not mind adding it.

The reason this came up is that in my web apps I try to be generic in 
how I translate HTML form fields into objects. For a given table, the 
form fields describing objects in this table have the same name as table 
column names. However, depending on who is logged in, not all fields 
should always be saved. This contradicts somewhat the idea of 
schema-independent persistent code, but I think it's necessary in the 
real world.

Thanks,
Simon
-- 

Simon (Vsevolod ILyushchenko)   si...@cs...
				http://www.simonf.com

America's business leaders simply don't want to think
about complex technology issues - they want to think
about golf. Microsoft promises them that.
			Andrew Grygus, www.aaxnet.com

Re: [Openinteract-help] Per-field permissions in SPOPS?

[Chris W. <ch...@cw...>]

* Vsevolod (Simon) Ilyushchenko (si...@cs...) [031106 16:22]:
> Has anyone tried to implement in SPOPS giving different users different 
> write permissions on different fields. Say, if we have a table of 
> employees, a) the owner of each record is allowed to update his phone 
> number, b) people in HR are allowed to update most other fields, but c) 
> no one is allowed to update the employee number as it's autogenerated.

I've actually actively campaigned *against* this. I had a bad
experience with this about five years ago and (possibly) never
recovered. IME if you're doing field-level security it's probably
better to split off certain fields into separate objects.

Part of this is because it's a HUGE PITA for non=devlopers to maintain
the necessary security to make this happen. Another part is just
pragmatic -- it's a PITA to track this stuff. 

One separate thing to think about -- model groups of fields in the
same DB record as separate objects. You can do this by  specifying the
'field' elements for only certain parts of the object in each class.

Hope this makes sense,

Chris

-- 
Chris Winters (ch...@cw...)
Building enterprise-capable snack solutions since 1988

Re: [Openinteract-help] Per-field permissions in SPOPS?

[Vsevolod (S. I. <si...@cs...>]

Chris,

Thanks for the answer.

> I've actually actively campaigned *against* this. I had a bad
> experience with this about five years ago and (possibly) never
> recovered. IME if you're doing field-level security it's probably
> better to split off certain fields into separate objects.

This will probably work for me.

> One separate thing to think about -- model groups of fields in the
> same DB record as separate objects. You can do this by  specifying the
> 'field' elements for only certain parts of the object in each class.
> 
> Hope this makes sense,

Sorry, the last advice does not - I am pretty new to SPOPS. Can you give 
me a short example?

Thanks,
Simon
-- 

Simon (Vsevolod ILyushchenko)   si...@cs...
				http://www.simonf.com

America's business leaders simply don't want to think
about complex technology issues - they want to think
about golf. Microsoft promises them that.
			Andrew Grygus, www.aaxnet.com

Re: [Openinteract-help] Per-field permissions in SPOPS?

[Vsevolod (S. I. <si...@cs...>]

	
> One separate thing to think about -- model groups of fields in the
> same DB record as separate objects. You can do this by  specifying the
> 'field' elements for only certain parts of the object in each class.

Chris,

Never mind my request - I think I get it. But this won't work together 
with field_discover, right?

Simon
-- 

Simon (Vsevolod ILyushchenko)   si...@cs...
				http://www.simonf.com

America's business leaders simply don't want to think
about complex technology issues - they want to think
about golf. Microsoft promises them that.
			Andrew Grygus, www.aaxnet.com

Re: [Openinteract-help] Per-field permissions in SPOPS?

[Chris W. <ch...@cw...>]

* Vsevolod (Simon) Ilyushchenko (si...@cs...) [031107 14:27]:
> 	
> >One separate thing to think about -- model groups of fields in the
> >same DB record as separate objects. You can do this by  specifying the
> >'field' elements for only certain parts of the object in each class.
> 
> Chris,
> 
> Never mind my request - I think I get it. But this won't work together 
> with field_discover, right?

Correct. You'd have to specify the fields manually. Fortunately this
is a one-time operation :-)

Chris

-- 
Chris Winters (ch...@cw...)
Building enterprise-capable snack solutions since 1988