view & permissions

[dan7]

Hi

I have a small problem with a view part of mvc, when the view consists of some smaller chunks dependent on the user permissions.

I use just a php as a template language and render views from within the controller.

I see 2 scenarios (I'm using 1st now),
1. I just check perms in the view itself, like

PHP Code:

<div
    <form... >

    <label>1</label>
    <input type=text >

    <?php if ($this->registry->Auth->hasAccess('blabla')): ?>

    <label>2</label>
    <input type=text >

    <?php endif; ?>
    
    <?php if ($this->registry->Auth->hasAccess('xxx')): ?>

    <label>3</label>
    <input type=text >

    <?php endif; ?>

    <label>4</label>
    <input type=text >

    </form>

</div>

2. I create the views for different scenarios and render them, while checking perms in the controller.

The first option is quite simple, while the 2nd would require much more work, especially when something changes (and when there are more variants)

What do you do in such cases?

[dan7]

nobody?

[Dr Livingston]

> , while checking perms in the controller.

I wouldn't put the responsibility in the Controller, as that isn't where it should be; To check your permissions within the View would be valid I suppose, but provided that, that responsibility is encapsulated...

At the moment, you don't encapsulate that validation; Pass in a Helper to the View class it's self, and do it from there, ie

PHP Code:

final class QPage_View extends QPage {
        public function __construct( /* interface */ $validator ) {
            $this -> validator = $validator;
        }
        
        // ...
        
        public function hasPermission() {
            // you may have parameters to pass?
            // if so, encapsulate them with a Model,
            // and pass that Model to the View, rather 
            // than have those parameters in the template
            return $this -> validator -> has Permission();
        }
        
        // ...
    } 


Doesn't need to be complex; Don't design for something you may never need... See how that works for you and get back

[dan7]

> , while checking perms in the controller.

I wouldn't put the responsibility in the Controller, as that isn't where it should be; To check your permissions within the View would be valid I suppose, but provided that, that responsibility is encapsulated...

At the moment, you don't encapsulate that validation; Pass in a Helper to the View class it's self, and do it from there, ie

Yes, I have a separate class, whose the only role is to hold the permission level for logged in user and some public methods to read/check those permissions. So, it's just an object in the registry used in similar ways to sessions or db.

As usual, I don't really understand your example How would I encapsulate it ? Could you elaborate a bit?

BTW. I don't have any View class at all. My view is just a procedural template.

Thanks

[Dr Livingston]

> How would I encapsulate it ?

Well, the example I posted, the responsibility was encapsulated within the View it's self, ie

PHP Code:

public function hasPermission() { ... 


Where as you are accessing it directly via a Registry? I kind of disapprove of giving the View that much knowledge; It should only be aware of Model(s) only, but that is my own personal view, and not an authoritive statement

The point of encapsulating the responsibility is that at the moment, you are limited to one point of access; That Registry. If you wanted to later change to something else, you couldn't because you'd have to then go and change all your templates?

Whilst if you encapsulate within the View, you wouldn't need to change the template, nor the View it's self - you would just pass in a different Validator, to put a name to it, but it's not really a validator as such...

The responsibility moves from the template in your case, to this validator therefore

[Czaries]

Sometimes when I am under a deadline I cheat and just check a session variable in the view, like so:

PHP Code:

<div>
    <form... >

    <label>1</label>
    <input type=text >

    <?php if (isset($_SESSION['userAuth'])): ?>

    <label>2</label>
    <input type=text >

    <?php endif; ?>

    <label>3</label>
    <input type=text >

    </form>

</div>

As long as I am not writing session variables in the view in that way, I can cope with it