I am kind of looking for clear solution to give Read only access certain users in the application I am working.
This application has been built and is working fine in production. Now, users have come up with new requirement to allow certain users to access application in readonly mode.
The application is built using Spring framework with AS400 and Oracle as DB. The application server used is Weblogic 7.0.
In this application, after user successfully logs into the system, "user" object is created with application specific information and job codes for that user retrieved from some other system.
With current requirements there are no intermediate access privileges required. Like ADD_ONLY/UPDATE_ONLY or there is no requirement of autherising user to acess particular module/part of the system. User can have either FULL or READ only access.
I was thinking of adding one more attribute called accessPrivileges to User object which would be contain either READ_ONLY or FULL_ACCESS. On sucessfully login I will check his job code and assign one privilege. In each JSP, Check for this flag and if readonly disable submit button.
I don't want to hardcode these job codes/accessPrivileges in the code in order to avoid code changes if something change in furture. I want the job codes and access privileges to be in some file or DB so that the program checks for them at runtime.
Please suggest me what would be the best solution for such kind of a problem.
The solution sounds good. Maybe a better one would be to have all the inputs READ-ONLY for a read-only user and also the Submit button absent. This way the user will not get pissed off after modifying the data and not finding a way to submit it.
Are you using Struts? If you are you can use the role attribute that user has or create a jsp tag that can show only a as readonly if that is the role the user has. I have done this in the past and seems to work well.