[baseten-users] Client-server app (BaseTen Bug found?)
Daniel Brajkovic
daniel at brajkovic.com
Wed Jul 8 22:47:14 EEST 2009
OK. Please ignore my previous request for a tutorial.
I figured out how to limit current_user to her own records on the
client side. My biggest stumbling block was a problem with using
relations in the BaseTen framework.
It seems that 1.7 has an issue with Relations. When I reverted to
1.6.2, thankfully all was well.
For example, (I tried this lots of different ways, so I apologize if I
leave anything out):
Two tables with a one-to-many relationship between them. (Account<--->>Users)
I dropped a BXDatabaseContext (ctx) and 2
BXSynchronizedArrayControllers in the NIB.
Set up the context properly
Bound the databaseContext of both controllers to the ctx
Put in the table names
Uncheck autofetch from Users
and bound Users to Account.selection.users
Created 2 tables and add/delete buttons for each controller
Created two accounts...No problem
Selected an account and Click add to add a User. At first it looks
like no problem, until you select another account and then the first.
Your record is gone.
Click Add again and it shows up
After looking at the db tables, I discovered what is happening. When I
click add, (the add's action is connected to Users.add), it creates a
record that is NOT related to the Account. Also when you click add,
the table reflects the ENTIRE Users table not just
Account.selection.users. The DB tables show that there is no
account_id on the new Users.
I reverted to 1.6.2, and most everything worked as expected. Click
add, and a new user is added which is related to the account.
The one weird thing that happens in both versions is that when you
send the arrayController an action to fetch, all records are fetched, not
just the related records. In other words, in my example, my table
shows Account.selected.users, but after I click "fetch:", it then shows
all users for all accounts.
I searched the ticket system as best I could but couldn't find
anything related to these issues.
On Jul 7, 2009, at 5:03 AM, Marko Karppinen wrote:
> On 7 Jul 2009, at 00:21, Daniel Brajkovic wrote:
>> My goals are 1) encrypted communication and 2) ability to make sure
>> that only instances of my app are connecting to my db. Someone with
>> PGAdmin should not be able to connect even if they learned of a PG
>> role and password.
>
>
> Accomplishing the second goal in a secure fashion does not sound
> feasible to me.
>
> You should define your schema and its permissions so that a user
> could access Postgres directly and still not gain access to anything
> they shouldn't see.
>
> You mentioned earlier that each customer has data that only they
> should see. You have a couple of options:
>
> 1) Customer-specific schema or database. This is easiest from a
> development perspective, but feasibility depends on the number of
> customers you are planning for.
> 2) View-only access. You only grant your users access to views of
> your data that are qualified with a clause like WHERE user =
> current_user, and write the corresponding rules that allow inserts/
> updates/deletes to these views. You can enable these views in
> BaseTen Assistant just like a physical table.
>
> Both approaches work fine with BaseTen.
>
> Marko
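The view-only approach from the quoted reply (option 2), sketched as an added PostgreSQL example; it is not code from the thread or from BaseTen. The table, view, column and role names (users_data, my_users, owner, app_users, alice) are hypothetical, and the security_barrier option assumes PostgreSQL 9.2 or later.

```sql
-- Added example: per-user access through a view plus rewrite rules.
-- All object and role names here are hypothetical.
BEGIN;

CREATE ROLE app_users NOLOGIN;               -- group role for customer logins
CREATE ROLE alice NOLOGIN IN ROLE app_users; -- constructed test member

-- The ownership column is called "owner", not "user": unquoted, "user" is a
-- keyword equivalent to current_user, so "WHERE user = current_user" would
-- match every row.
CREATE TABLE users_data (
    id    serial PRIMARY KEY,
    owner name NOT NULL DEFAULT current_user,
    name  text NOT NULL
);
REVOKE ALL ON users_data FROM PUBLIC;        -- no direct access to the base table

-- security_barrier keeps user-supplied functions in a caller's WHERE clause
-- from seeing rows before the ownership filter is applied.
CREATE VIEW my_users WITH (security_barrier) AS
    SELECT id, name FROM users_data WHERE owner = current_user;

-- Rules redirect writes on the view to the base table. The owner column is
-- never taken from the client; it comes from the column default.
CREATE RULE my_users_ins AS ON INSERT TO my_users DO INSTEAD
    INSERT INTO users_data (name) VALUES (NEW.name);
CREATE RULE my_users_upd AS ON UPDATE TO my_users DO INSTEAD
    UPDATE users_data SET name = NEW.name
    WHERE id = OLD.id AND owner = current_user;
CREATE RULE my_users_del AS ON DELETE TO my_users DO INSTEAD
    DELETE FROM users_data WHERE id = OLD.id AND owner = current_user;

GRANT SELECT, INSERT, UPDATE, DELETE ON my_users TO app_users;
-- nextval() checks privileges of the calling role, not the view owner,
-- so inserts through the view need USAGE on the serial's sequence.
GRANT USAGE ON SEQUENCE users_data_id_seq TO app_users;

-- Exercise the policy as the test member.
SET ROLE alice;
INSERT INTO my_users (name) VALUES ('first user');
SELECT id, name FROM my_users;               -- only rows owned by alice
RESET ROLE;

ROLLBACK;  -- dry run; use COMMIT to keep the objects
```

A direct `SELECT` on users_data while `SET ROLE alice` is in effect fails with a permission error, which is the property the reply asks for: someone connecting with pgAdmin and a valid role still only reaches their own rows.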