Looks nice!
Can you provide any guidance for enforcing security?
And are you still using Box[LiftResponse]?
If so, I was unclear what
would happen if an Empty box or Failure box was returned.
(Considering all the available subclasses to LiftResponse, I was
puzzled as to why the Box wrapper exists for this -- but perhaps I am
missing something.)
--
You received this message because you are subscribed to the Google Groups "Lift" group.
To post to this group, send email to lif...@googlegroups.com.
To unsubscribe from this group, send email to liftweb+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
On Apr 28, 2:44 pm, David Pollak <feeder.of.the.be...@gmail.com>
wrote:
> On Wed, Apr 28, 2010 at 12:40 PM, aw <anth...@whitford.com> wrote:Specifically, I am referring to enforcing URL level access
> > Looks nice!
>
> > Can you provide any guidance for enforcing security?
>
> What do you mean by security? Do you mean authentication? Do you mean URL
> level access? Do you mean access to a given resource (e.g., is a task
> accessible to a user?)
restrictions. So, for example, if I have a REST URL like "/api/foo"
and let's say that I need to have the "FooAdmin" role to execute/
access the URL, what is the "best practice"? I am wondering if it
would make sense to build this kind of declarative security into your
DSL. I have some existing code that simply does something like the
following to enforce security:
case r @ Req(...) if hasRole("FooAdmin") => foo(r)
But me thinks that this isn't the smartest strategy...
Another nuisance issue that I run into is type validation. So let's
say that my REST pattern is something like /api/foo/id where id needs
to be a positive numeric. I ended up writing some routines like
"isPositiveNumeric(x)" and use the case filtering again... Would be
nice to see some basic validation routines built into Lift (or
Scala). Since toInt/toLong exists, but isInt/isLong does not
, this
leads me to believe that I should just call toInt/toLong and then use
exception handling in the event of an error... The semantics for
exception handling need to be clearly documented -- what happens if my
dispatch throws an exception?
serveJx {See the Info(info) thing. That's an extractor. Basically, the third element of the list is passed to the unapply method in the Info object:
case Get("api" :: "info" :: Info(info) :: _, _) => Full(info)
}
serveJx {And if the user can be found based on the value of the third element in the list, the pattern will succeed and the user variable will contain the record pulled back from the database.
case Get("api" :: "info" :: User(user) :: _, _) => Full(info)
}
I plan to take a closer look at my REST api and try to integrate this
new stuff when 2.0-M5 is released and see what issues fall out.
--
You received this message because you are subscribed to the Google Groups "Lift" group.
To post to this group, send email to lif...@googlegroups.com.
To unsubscribe from this group, send email to liftweb+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
I have an url structure like this:
/api/blog/<entryId>/comment/<commentId>
Is it possible to pass the result of de entryId extractor to the
commentId extractor so that I can check if entry and comment really
belong to each other?
thanks, works just fine with the guard!