Let's first recall the check points we want to implement in our web application to prevent unauthorized access.
• CAN_MAINTAIN_CUSTOMER_LIST
The "CAN_MAINTAIN_CUSTOMER_LIST" check point belongs to the "Customers" page. Only users whose role has this check point should be able to pass it and reach the "Customers" page.
Steps:
1. Open the "Customers" page.
2. Display the properties of the page in the property editor.
3. Switch to the "Functional" tab.
4. Enter "CAN_MAINTAIN_CUSTOMER_LIST,index" in the "Check Point" property.
Before displaying this page, MoreMotion AF first checks whether the user is currently logged in. If not, the user is redirected to the "index" page, where the login form is. If the user is already logged in, MoreMotion checks whether the user's role has the "CAN_MAINTAIN_CUSTOMER_LIST" check point. If it does, the page is displayed; otherwise the user is shown an error page that reports the insufficient authority.
• CAN_CREATE_ORDER
The pages related to the "CAN_CREATE_ORDER" check point are "CurrentOrder" and "Products".
Access to the "CurrentOrder" page should be fully restricted.
Steps:
1. Open the "CurrentOrder" page.
2. Display the properties of the page in the property editor.
3. Switch to the "Functional" tab.
4. Enter "CAN_CREATE_ORDER,index" in the "Check Point" property.
For the "Products" page, we want to let users see the products but not use the "Add to Order" functionality.
6. Select the [Add to Order] button and focus on the "Display If" property on the "Functional" tab of the property editor.
7. Enter "boolean(/mor_security_userinfo_main.checkpoints.CAN_CREATE_ORDER)".
The command button is not displayed on the page if this XSL expression returns "false". The expression looks into the data source of the "Security" component to see whether the user has the "CAN_CREATE_ORDER" check point.
The expression evaluates to "false" if the user is not logged in or does not have the check point. You can use the same technique wherever you want to hide an option or a command from unauthorized users.
If you prefer to disable the [Add to Order] button instead of hiding it in case of insufficient authority, then specify "$vof(not(boolean(/mor_security_userinfo_main.checkpoints.CAN_CREATE_ORDER)))" in the "Disabled" property.
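To make the two checks concrete, here is an added Python model (not MoreMotion code) of what the "Check Point" page property and the "Display If" / "Disabled" expressions decide. The UserInfo class and the sample users are constructed assumptions; the real framework evaluates the XSL expression over the Security component's data source, which is stood in for here by a set of granted check points.

```python
from dataclasses import dataclass, field

# Constructed model of the Security component's user info (not MoreMotion's
# real data structure): logged_in=False means nobody is logged in; otherwise
# `checkpoints` holds the check points granted to the user's role.
@dataclass
class UserInfo:
    logged_in: bool = False
    checkpoints: frozenset = field(default_factory=frozenset)

def has_checkpoint(user, name):
    """Stand-in for boolean(/mor_security_userinfo_main.checkpoints.<name>):
    False when nobody is logged in or when the role lacks the check point."""
    return user.logged_in and name in user.checkpoints

def resolve_check_point(prop, user):
    """Apply a page's "Check Point" property ("<CHECKPOINT>,<login page>").
    Returns ("render",), ("redirect", page) or ("error", reason)."""
    name, _, login_page = prop.partition(",")
    name, login_page = name.strip(), login_page.strip()
    if not name or not login_page:
        # Misconfigured property: fail closed instead of rendering the page.
        return ("error", "invalid check point property")
    if not user.logged_in:
        return ("redirect", login_page)             # authentication first
    if name not in user.checkpoints:
        return ("error", "insufficient authority")  # then authorization
    return ("render",)

def display_if(name, user):
    """"Display If" = boolean(...): show the button only with the check point."""
    return has_checkpoint(user, name)

def disabled(name, user):
    """"Disabled" = not(boolean(...)): keep the button visible but inert."""
    return not has_checkpoint(user, name)

# Constructed sample users
ANONYMOUS = UserInfo()
CLERK = UserInfo(True, frozenset({"CAN_SEE_ORDER_LIST"}))
SALES = UserInfo(True, frozenset({"CAN_SEE_ORDER_LIST", "CAN_CREATE_ORDER"}))

if __name__ == "__main__":
    for label, u in [("anonymous", ANONYMOUS), ("clerk", CLERK), ("sales", SALES)]:
        print(label, resolve_check_point("CAN_CREATE_ORDER,index", u),
              "Add to Order shown:", display_if("CAN_CREATE_ORDER", u),
              "disabled:", disabled("CAN_CREATE_ORDER", u))
```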
• CAN_SEE_ORDER_LIST
Steps:
1. Open the "Orders" page.
2. Display the properties of the page in the property editor.
3. Switch to the "Functional" tab.
4. Enter "CAN_SEE_ORDER_LIST,index" in the "Check Point" property.
• CAN_DELETE_ORDER
Steps:
1. Open the "OrderDetails" page.
2. Select the "Delete Order" button and focus on the "Display If" property on the "Functional" tab of the property editor.
3. Enter "boolean(/mor_security_userinfo_main.checkpoints.CAN_DELETE_ORDER)".
Now you can build the project and check the result.