<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 21/05/2012 20:43, Andrew Berman wrote:
    <blockquote
cite="mid:CAEVpa77SiwHARujjh-_+8W+DfDfzO3AD6YBBapks68wCXX6fOg@mail.gmail.com"
      type="cite">Does anyone have any thoughts on this?  I was thinking
      about just starting a new process every time I access the API and
      then store the current user in there.  Any thoughts?
      <div><br>
      </div>
    </blockquote>
    There are lots of ways to do this, so I guess it just depends.
    Passing the user about in your various functions might seem
    bothersome, but it is 'pure' - and that has merit. If you're holding
    on to a user in either a request or session like object, then
    putting the security context information into the request/session
    data structure seems like a perfectly sane approach to me. Even
    though in J2SE you'd make a static call such as
    SecurityContextHolder.getCurrentUser you can still find this
    information tucked away in context data, for example, in web apps
    and the like.<br>
    <br>
    Interestingly enough, those static calls are often resolved under
    the covers by reading a thread local variable, so having a process
    per activity/request and pushing the user data into the process
    dictionary might not be the wrong thing to do after all. Just bear
    in mind that you can't make *safe* use of this unless you're
    absolutely certain whichever code executes get_current_user is
    definitely running in the same process.<br>
    <br>
    So you have two choices here really:<br>
    <pre>around_advice(#annotation{data={mode, pdict}}, M, F, Inputs) ->
    case get(current_user) of
        undefined ->
            handle_restricted(M, F, Inputs);
        #user{} ->
            annotation:call_advised(M, F, Inputs)
    end.</pre>
    Or you could use ets/mnesia/gen_server or whatever instead of the
    process dictionary - these are *safer* in that they're less likely
    to surprise you if accessed from some 'other' process than the one
    you expected. Another approach would be to store the index (1 bound)
    of the user record in the argument set for the annotation, like so:<br>
    <pre>around_advice(#annotation{data={user_record_idx, Idx}}, M, F, Inputs) ->
    User = lists:nth(Idx, Inputs),
    case check(User) of
        restricted ->
            handle_restricted(M, F, Inputs);
        ok ->
            annotation:call_advised(M, F, Inputs)
    end.</pre>
    Of course you don't have to use 'around_advice' - if you just need
    'before_advice' to prevent unauthorised access, then that will work
    fine too. HTH - and don't forget to submit any issues/bugs you come
    across! :)<br>
    <br>
    Cheers,<br>
    Tim<br>
    <br>
    <blockquote
cite="mid:CAEVpa77SiwHARujjh-_+8W+DfDfzO3AD6YBBapks68wCXX6fOg@mail.gmail.com"
      type="cite">
      <div>Thanks again!<br>
        <br>
        <div class="gmail_quote">
          On Sat, May 19, 2012 at 12:38 PM, Andrew Berman <span
            dir="ltr"><<a moz-do-not-send="true"
              href="mailto:rexxe98@gmail.com" target="_blank">rexxe98@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            Hey all,
            <div><br>
            </div>
            <div>I'm trying to mimic (as much as I can) what JEE 6 does
              with security on domain objects.  Essentially what I'd
              like to do is create an annotation using Tim's awesome
              annotation code (<a moz-do-not-send="true"
                href="https://github.com/hyperthunk/annotations"
                target="_blank">https://github.com/hyperthunk/annotations</a>)
              and test on a user's roles.  The one issue I'm wrestling
              with is how to get the user into the annotation.  The
              obvious way is to have every function I put the annotation
              on take in a user record and then loop through the
              arguments of the function looking for the user record.
               That way doesn't seem very elegant to me, though.  I
              really want to just say something like User =
              get_current_user(...).  Has anyone tackled this sort of
              issue or have any advice on how to handle it in an Erlang
              safe manner?</div>
            <div><br>
            </div>
            <div>Thanks,</div>
            <div><br>
            </div>
            <div>Andrew</div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <pre wrap="">_______________________________________________
erlang-questions mailing list
<a class="moz-txt-link-abbreviated" href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a>
<a class="moz-txt-link-freetext" href="http://erlang.org/mailman/listinfo/erlang-questions">http://erlang.org/mailman/listinfo/erlang-questions</a>
</pre>
    </blockquote>
    <br>
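The same-process caveat from the reply above, as an added example that is not part of the original thread or of the annotations library: a user stored in the process dictionary is visible only to the process that stored it, so a check made from a spawned process has to fail closed. The module name, the fields of the user record, and the helpers with_user/2, restore/1 and guarded/1 are assumptions made for this sketch.

```erlang
%% Added example; pdict_ctx_demo, with_user/2, restore/1 and guarded/1
%% are hypothetical names, and the #user{} fields are assumed.
-module(pdict_ctx_demo).
-export([run/0]).

-record(user, {name, roles = []}).

%% Bind the user to the calling process for the duration of Fun, then
%% restore the previous value, even if Fun throws.
with_user(#user{} = User, Fun) ->
    Prev = put(current_user, User),
    try Fun()
    after
        restore(Prev)
    end.

restore(undefined) -> erase(current_user);
restore(Prev) -> put(current_user, Prev).

%% Same shape as the check in the advice: no user in *this* process
%% means the call is refused (fail closed).
guarded(Role) ->
    case get(current_user) of
        undefined ->
            {error, restricted};
        #user{roles = Roles} ->
            case lists:member(Role, Roles) of
                true -> ok;
                false -> {error, restricted}
            end
    end.

run() ->
    Admin = #user{name = alice, roles = [admin]},
    Parent = self(),
    with_user(Admin, fun() ->
        %% Same process: the stored user is visible.
        ok = guarded(admin),
        %% A spawned process starts with its own, empty dictionary.
        Pid = spawn(fun() -> Parent ! {self(), guarded(admin)} end),
        receive {Pid, Res} -> {error, restricted} = Res end
    end),
    %% Once the request scope ends, nothing leaks into later work.
    {error, restricted} = guarded(admin),
    ok.
```

Compile the module and call pdict_ctx_demo:run() from the shell; it returns ok only if every match above holds.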
  </body>
</html>