• The Nerve (unregistered)

    I hope no one wants to add an "Emperor" role for Senator Palpatine.

  • a spam bot (unregistered)

    Or having an employee named 'Custer'

  • Steven (unregistered)

    THIRD

  • by (unregistered)

    This seems like only a minor wtf based on your buttumptions about the user name and roles. Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals. But assuming that users are not able to select their own usernames (something that's always been based on my name at every company, but I wasn't given a choice about it), you could very easily have single roles prefixed that would match properly.

    For example, Manager Lyle could be MGR_lyle. If your username changes on promotion, so what? Obscure Service Technician Bob would be OT6_Bob. Again, there would be many more roles, but considering the domain space, what if there's only the need for 3 roles? No need to over-engineer a solution.

  • frits (cs)

    What's the problem? Just implement Hungarian notation user names. Do I have to think of everything around here?

  • Admiral Nelson (unregistered)

    I don't see the problem. It's very convenient for me.

  • anoldhacker (unregistered) in reply to Admiral Nelson
    Admiral Nelson:
    I don't see the problem. It's very convenient for me.

    Thread won in six. My hat is off to you, sir!

  • Roo Cockatoo (unregistered) in reply to Admiral Nelson
    Admiral Nelson:
    I don't see the problem. It's very convenient for me.

    Seconded!

  • by (unregistered)

    I don't think this is an appropriate use of the term "canary." A canary (as used in the coal-mine analogy) is something that will die of lethal fumes before it reaches dangerous levels for humans. The "canary" in a programming environment is someone so incompetent that you don't have to worry about your job being in jeopardy until that person is fired (if you don't know who the canary is, the canary is you). How does this code fit that example?

    This reminds me more of the prison guard on Idiocracy.

    Not Sure:
    I think there must be some mistake. I was supposed be getting out of prison today.
    Prison guard smacks Not Sure
    Prison Guard:
    You're in the wrong line, dumbass!
  • Bert Glanstron (unregistered) in reply to Admiral Nelson
    Admiral Nelson:
    I don't see the problem. It's very convenient for me.

    Dear Admiral Nelson,

    In case you can’t tell, this is a grown-up place. The fact that you insist on using your ridiculous handle clearly shows that you’re too young and too stupid to be using the admin role.

    Go away and grow up.

    Sincerely, Bert Glanstron

  • zelmak (cs) in reply to Bert Glanstron
    Bert Glanstron:
    Dear Admiral Nelson,

    In case you can’t tell, this is a grown-up place. The fact that you insist on using your ridiculous handle clearly shows that you’re too young and too stupid to be using the admin role.

    Go away and grow up.

    Sincerely, Bert Glanstron

    /me wrestles that meme to the ground and beats it to death with a hamster.

  • SARUMANATEE (unregistered) in reply to Bert Glanstron
    Bert Glanstron:
    Admiral Nelson:
    I don't see the problem. It's very convenient for me.

    Dear Admiral Nelson,

    In case you can’t tell, this is a grown-up place. The fact that you insist on using your ridiculous handle clearly shows that you’re too young and too stupid to be using the admin role.

    Go away and grow up.

    Sincerely, Bert Glanstron

    It’s me, SARUMANATEE from the FIDONet of yore! My ire will cast dispersion on you and your puny, buster brown loafers. Now it is I who shall ban you. Mwa ha ha ha ha! Where’s your FIDONet kingdom now, Bert Glanstron?

  • Bert Glandstorm (unregistered) in reply to Bert Glanstron
    Comment held for moderation.
  • UNR_JohnSmith (unregistered)

    I propose we all adopt this convention here. Use "UNR_" if you're unregistered, "REG_" if you're registered, "SPM_" if you're a spammer, and "TRL_" if you're a troll. Then we can do role-based filtering!

  • Greg (unregistered) in reply to Bert Glandstorm
    Comment held for moderation.
  • jonsjava (cs)

    Why is it that I keep getting this image in my head:

    This code is used on a financial website. Some granny is on her computer, trying to figure out how to send a large sum of money to that nice prince from Algeria, (She's not too good at names), when she stumbles upon this:

    Login: (login box) Password: (password box)

    She promptly enters "SuperGranny", because her grandson calls her that, so she requested that as her name. After entering her password (Snookums1902 -- her cat's name, and her year of birth), she clicks on the "enter" button, and she's on.

    After logging on, she is treated with a lovely collection of links that she tries to figure out for herself, but gives up after an hour of trying to decipher "Development Window -- Delete test users" -- which is all the users, because this is supposed to be seen only in a lab environment, or by the Super Admin....................

    Maybe I have too active an imagination.

  • Anonymous (unregistered) in reply to by
    by:
    This seems like only a minor wtf based on your buttumptions about the user name and roles. Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals. But assuming that users are not able to select their own usernames (something that's always been based on my name at every company, but I wasn't given a choice about it), you could very easily have single roles prefixed that would match properly.

    For example, Manager Lyle could be MGR_lyle. If your username changes on promotion, so what? Obscure Service Technician Bob would be OT6_Bob. Again, there would be many more roles, but considering the domain space, what if there's only the need for 3 roles? No need to over-engineer a solution.

    Right, it could work. But the point is that it's a bad implementation of role-based access. There are a number of flaws in that design, only one of which is solved by assigning roles such as MGR_.

    What happens if the system has a history trail based on the username and the username is changed? So we need to keep history trails based on the ID instead of the username? So we're already abstracting a lookup to determine an ID based on username... so not adding a role table is just silly at that point.

    What happens when you decide that you want to have different access groups? Say you have 10 modules in your site and want to be able to grant employees access to update different modules. Suppose further that you have 1000 employees and they all need access to different groupings of modules? Now you need to create a ton of prefixes to cover all of those scenarios. Once you determine the prefixes, you need to hardcode each code into the permissions code.

    OR

    Have a table with usernames, a table with roles, and a table to store the pairings. Now you can grant permissions to a role for each module separately, and then add as many roles to a user as needed. It's also easy to add additional roles, remove roles, rename them, etc. because they are based off of an abstraction of the actual username.

    Happy Monday.
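
    The three-table design described in the comment above, as an added example that is not part of the thread or the article: users, roles and a user_roles pairing table, plus per-module permissions on the role and an audit log keyed by user id. The sample users, roles and module names are constructed here; `prefix_has_role` reproduces the article's three-letter prefix check only so the two approaches can be compared on the same names.

```python
import sqlite3

# Schema for the design the comment proposes: identity (users), the role
# abstraction (roles), the pairings (user_roles), what a role may update
# (role_permissions), and a history trail keyed by user id rather than name.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(id),
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permissions (
    role_id INTEGER NOT NULL REFERENCES roles(id),
    module  TEXT NOT NULL,
    PRIMARY KEY (role_id, module));
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    action TEXT NOT NULL);
"""


def prefix_has_role(username, role_name):
    """The article's scheme: the first three characters of the username decide
    the role. Kept only for contrast; 'Admiral_Nelson' passes as 'Admin'."""
    return username.startswith(role_name[:3])


def grant(conn, username, role_name):
    # Pairing is by id, so neither side needs a special spelling.
    conn.execute("INSERT OR IGNORE INTO user_roles(user_id, role_id) "
                 "SELECT u.id, r.id FROM users u, roles r "
                 "WHERE u.username = ? AND r.name = ?", (username, role_name))


def revoke(conn, username, role_name):
    conn.execute("DELETE FROM user_roles WHERE "
                 "user_id = (SELECT id FROM users WHERE username = ?) AND "
                 "role_id = (SELECT id FROM roles WHERE name = ?)",
                 (username, role_name))


def roles_of(conn, username):
    rows = conn.execute("SELECT r.name FROM roles r "
                        "JOIN user_roles ur ON ur.role_id = r.id "
                        "JOIN users u ON u.id = ur.user_id "
                        "WHERE u.username = ? ORDER BY r.name", (username,))
    return [r[0] for r in rows.fetchall()]


def can_update(conn, username, module):
    # A user may update a module if any of their roles carries that permission.
    row = conn.execute("SELECT 1 FROM users u "
                       "JOIN user_roles ur ON ur.user_id = u.id "
                       "JOIN role_permissions rp ON rp.role_id = ur.role_id "
                       "WHERE u.username = ? AND rp.module = ? LIMIT 1",
                       (username, module)).fetchone()
    return row is not None


def record(conn, username, action):
    conn.execute("INSERT INTO audit_log(user_id, action) "
                 "SELECT id, ? FROM users WHERE username = ?", (action, username))


def rename_user(conn, old, new):
    # Promotion or a name change touches one row; roles and history follow the id.
    conn.execute("UPDATE users SET username = ? WHERE username = ?", (new, old))


def history_of(conn, username):
    rows = conn.execute("SELECT a.action FROM audit_log a "
                        "JOIN users u ON u.id = a.user_id "
                        "WHERE u.username = ? ORDER BY a.id", (username,))
    return [r[0] for r in rows.fetchall()]


def build_db():
    """In-memory database seeded with constructed sample data (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users(username) VALUES (?)",
                     [("Lyle",), ("Bob",), ("Admiral_Nelson",)])
    conn.executemany("INSERT INTO roles(name) VALUES (?)",
                     [("Customer",), ("Employee",), ("Admin",), ("Manager",)])
    conn.executemany("INSERT INTO role_permissions(role_id, module) "
                     "SELECT id, ? FROM roles WHERE name = ?",
                     [("billing", "Manager"), ("reports", "Manager"),
                      ("reports", "Employee"), ("users", "Admin"),
                      ("billing", "Admin"), ("reports", "Admin")])
    grant(conn, "Lyle", "Manager")
    grant(conn, "Bob", "Employee")
    grant(conn, "Admiral_Nelson", "Customer")
    return conn


if __name__ == "__main__":
    db = build_db()
    print("prefix check, Admiral_Nelson as Admin:", prefix_has_role("Admiral_Nelson", "Admin"))
    print("table check, Admiral_Nelson on users:", can_update(db, "Admiral_Nelson", "users"))
```

Each permission lives on a role row, so adding a fourth role or a tenth module is an insert rather than a new prefix hard-coded into the permission check, and a rename leaves both the role pairings and the audit trail intact because they reference the user id.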

  • Knux2 (unregistered)

    My Roomba has root privileges, for some reason...

  • Anon (unregistered) in reply to jonsjava
    jonsjava:
    After entering her password (Snookums1902 -- her cat's name, and her year of birth).

    Wow! That's one old cat.

  • Anon (unregistered) in reply to by
    by:
    This seems like only a minor wtf based on your buttumptions about the user name and roles. Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals. But assuming that users are not able to select their own usernames (something that's always been based on my name at every company, but I wasn't given a choice about it), you could very easily have single roles prefixed that would match properly.

    For example, Manager Lyle could be MGR_lyle. If your username changes on promotion, so what? Obscure Service Technician Bob would be OT6_Bob. Again, there would be many more roles, but considering the domain space, what if there's only the need for 3 roles? No need to over-engineer a solution.

    Agreed. It's hardly an elegant solution, and obviously flawed if people chose their own username, but lots of (especially corporate) systems don't let you pick (or change) your user name.

  • Clintp (unregistered)

    Made slightly more difficult if you don't have windows on your garage door.

    A simple fix by the manufacturer could avoid this, of course, by making the latch flip the other way. Then there's nothing to hook on to.

  • Clintp (unregistered) in reply to Clintp

    How'd this go on the wrong thread? Please delete.

  • The Nerve (unregistered) in reply to Anonymous
    Anonymous:
    by:
    This seems like only a minor wtf based on your buttumptions about the user name and roles. Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals. But assuming that users are not able to select their own usernames (something that's always been based on my name at every company, but I wasn't given a choice about it), you could very easily have single roles prefixed that would match properly.

    For example, Manager Lyle could be MGR_lyle. If your username changes on promotion, so what? Obscure Service Technician Bob would be OT6_Bob. Again, there would be many more roles, but considering the domain space, what if there's only the need for 3 roles? No need to over-engineer a solution.

    Right, it could work. But the point is that it's a bad implementation of role-based access. There are a number of flaws in that design, only one of which is solved by assigning roles such as MGR_.

    What happens if the system has a history trail based on the username and the username is changed? So we need to keep history trails based on the ID instead of the username? So we're already abstracting a lookup to determine an ID based on username... so not adding a role table is just silly at that point.

    What happens when you decide that you want to have different access groups? Say you have 10 modules in your site and want to be able to grant employees access to update different modules. Suppose further that you have 1000 employees and they all need access to different groupings of modules? Now you need to create a ton of prefixes to cover all of those scenarios. Once you determine the prefixes, you need to hardcode each code into the permissions code.

    OR

    Have a table with usernames, a table with roles, and a table to store the pairings. Now you can grant permissions to a role for each module separately, and then add as many roles to a user as needed. It's also easy to add additional roles, remove roles, rename them, etc. because they are based off of an abstraction of the actual username.

    Happy Monday.

    Or maybe they have uncooperative DBAs. Worked at a place before where there were very tight deadlines and DBAs that were not subject to them. Who wants to come in to work the weekend because the DBAs take 3 days to create the two new tables? Later, when things had calmed down and unit tests were now required for x% coverage of the application, this check of the de-facto standard was introduced.

    I know what you're thinking: this sort of thing should never happen, but don't make the mistake of thinking that you always have the support of upper management.

  • mott555 (cs)

    if (IsInRole("Commenter")) PostComment("Not even close to FRIST");

  • CAPTCHA: nibh (unregistered)

    TRWTF is complete and total violation of OOP?

  • Employee (unregistered)

    I don't see a problem either.

  • Oslo (unregistered) in reply to by
    by:
    The "canary" in a programming environment is someone so incompetent

    I beg to differ. I am pretty sure that whatever you want THIS canary to do, it can.

  • Luca from Pisa University (unregistered)

    Hello! I am an Italian student who studies Computer Science at Pisa University, and I am developing some projects in Java using Java 2 Standard Edition (J2SE) and Java 2 Micro Edition (J2ME for MIDP 1.0 compliant devices). I need to know if there are some Java API (for J2SE and J2ME) to implement roles for a mobile phone.

    How do I implement roles for a mobile phone? What steps must I follow?

    Is there someone who can help me?

    Thank you very much in advance!!

    Luca

  • frits (cs) in reply to Anon
    Anon:
    jonsjava:
    After entering her password (Snookums1902 -- her cat's name, and her year of birth).

    Wow! That's one old pussy.

    FTFY

  • Andrew Pennebaker (unregistered) in reply to Admiral Nelson

    BWAHAHA! My new username is "rootbeer".

  • Anonymous (unregistered) in reply to Luca from Pisa University
    Luca from Pisa University:
    Hello! I am an Italian student who studies Computer Science at Pisa University, and I am developing some projects in Java using Java 2 Standard Edition (J2SE) and Java 2 Micro Edition (J2ME for MIDP 1.0 compliant devices). I need to know if there are some Java API (for J2SE and J2ME) to implement roles for a mobile phone.

    How do I implement roles for a mobile phone? What steps must I follow?

    Is there someone who can help me?

    Thank you very much in advance!!

    Luca

    First, the plastic body of the mobile phone must be rounded on the edges. Then you can implement rolls simply by placing the phone on a steep incline.

  • frits (cs)

    Shouldn't they be using regexes?

  • REG_fjf (unregistered) in reply to UNR_JohnSmith
    TRL_JohnSmith:
    I propose we all adopt this convention here. Use "UNR_*" if you're unregistered, "REG_*" if you're registered, "SPM_*" if you're a spammer, and "TRL_*" if you're a troll. Then we can do role-based filtering!
    I don't see a problem with it.
  • Pentium100 (unregistered) in reply to Anonymous
    Anonymous:
    Say you have 10 modules in your site and want to be able to grant employees access to update different modules. Suppose further that you have 1000 employees and they all need access to different groupings of modules? Now you need to create a ton of prefixes to cover all of those scenarios. Once you determine the prefixes, you need to hardcode each code into the permissions code.

    Simple - assign each module a number (power of 2, so 10 modules would have numbers of 1, 2, 4, ..., 1024). When you want to give a user privileges to certain modules, just add their numbers and place the sum as a prefix to user name, so 16_n00b will have access to module number 5, while 2047_admin will have access to all modules.
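
    The bit-sum prefix from the comment above, worked through as an added example (not code from the thread or the article): the numeric prefix is decoded into module numbers, and granting a module is shown to rewrite the username, which is the history-trail problem raised earlier in the thread. It assumes module k is bit k-1, so the number 1024 listed in the comment is bit 10 and the decoder covers bits 0 through 10.

```python
# Constructed decoder for the "sum of powers of two as a prefix" scheme.
# Assumption: module k (1-based) corresponds to bit k-1, so 16 is module 5
# and 1024 is module 11; prefixes are expected to fit in these bits.
MODULE_BITS = 11


def split_username(username):
    """Return (mask, rest) from a 'NNN_name' username; rejects malformed prefixes."""
    prefix, sep, rest = username.partition("_")
    if not sep or not prefix.isdigit():
        raise ValueError(f"no numeric prefix in {username!r}")
    mask = int(prefix)
    if mask >= (1 << MODULE_BITS):
        raise ValueError(f"prefix {mask} names a module that does not exist")
    return mask, rest


def modules_from_username(username):
    """List the 1-based module numbers whose bits are set in the prefix."""
    mask, _ = split_username(username)
    return [k for k in range(1, MODULE_BITS + 1) if mask & (1 << (k - 1))]


def grant_module(username, k):
    """Grant module k; note the result is a different username, so anything
    keyed by the old name (history, bookmarks, other systems) is orphaned."""
    mask, rest = split_username(username)
    return f"{mask | (1 << (k - 1))}_{rest}"


def revoke_module(username, k):
    mask, rest = split_username(username)
    return f"{mask & ~(1 << (k - 1))}_{rest}"


if __name__ == "__main__":
    print(modules_from_username("16_n00b"))        # module 5 only
    print(modules_from_username("2047_admin"))     # every module
    print(grant_module("16_n00b", 1))              # the user is now "17_n00b"
```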

  • Bloat Grotsnorf (unregistered) in reply to zelmak
    zelmak:
    Bert Glanstron:
    Dear Admiral Nelson,

    In case you can’t tell, this is a grown-up place. The fact that you insist on using your ridiculous handle clearly shows that you’re too young and too stupid to be using the admin role.

    Go away and grow up.

    Sincerely, Bert Glanstron

    /me wrestles that meme to the ground and beats it to death with a hamster.

    How do you do this on an embedded system with no file system? (/me runs for cover.)

  • fjf (unregistered) in reply to Anon
    Anon:
    jonsjava:
    After entering her password (Snookums1902 -- her cat's name, and her year of birth).

    Wow! That's one old cat.

    Not that old. The cat was just not Y2K compliant.

  • Ike (unregistered) in reply to Luca from Pisa University

    Luca,

    Good news! To implement roles for a mobile phone, just use the code shown in this article.

  • Buzz Killington (unregistered) in reply to Anon
    Anon:
    by:
    This seems like only a minor wtf based on your buttumptions about the user name and roles. Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals. But assuming that users are not able to select their own usernames (something that's always been based on my name at every company, but I wasn't given a choice about it), you could very easily have single roles prefixed that would match properly.

    For example, Manager Lyle could be MGR_lyle. If your username changes on promotion, so what? Obscure Service Technician Bob would be OT6_Bob. Again, there would be many more roles, but considering the domain space, what if there's only the need for 3 roles? No need to over-engineer a solution.

    Agreed. It's hardly an elegant solution, and obviously flawed if people chose their own username, but lots of (especially corporate) systems don't let you pick (or change) your user name.

    True, most don't let you choose your user name. Most systems also allow one person to have multiple roles that are far more fine-grained than Customer, Employee and Admin. The point is that intelligence should never be built into keys - that is the beauty of relational databases.

  • Cliff (unregistered)

    I could see 3 tables, roles and users could well need a junction table to resolve a many-to-many...

    One user has many roles, each role has many users...

  • Anon (unregistered) in reply to frits
    frits:
    Anon:
    jonsjava:
    After entering her password (Snookums1902 -- her cat's name, and her year of birth).

    Wow! That's one old pussy.

    FTFY

    Thank you Mrs. Slocombe.

  • Anonymous (unregistered) in reply to Pentium100
    Pentium100:
    Simple - assign each module a number (power of 2, so 10 modules would have numbers of 1, 2, 4, ..., 1024). When you want to give a user privileges to certain modules, just add their numbers and place the sum as a prefix to user name, so 16_n00b will have access to module number 5, while 2047_admin will have access to all modules.

    Job security at its finest! SQL Server actually used (maybe still uses) this method to store some details about its databases. I forget the exact details of which table/field in the master db.

  • Yuval (unregistered) in reply to Admiral Nelson

    You mean "its".

    (this was a commentary on the superfluous apostrophe in the last paragraph of the article. Seriously. "It's development"??)

  • Anon (unregistered) in reply to Buzz Killington
    Buzz Killington:
    True, most don't let you choose your user name. Most systems also allow one person to have multiple roles that are far more fine-grained than Customer, Employee and Admin. The point is that intelligence should never be built into keys - that is the beauty of relational databases.

    Most systems, perhaps, but we are making assumptions again about how this particular system works. It's quite possible to only have roles that are supersets (or subsets) of other roles so there is never a need for multiple roles.

    I agree that including roles in username is an inelegant solution and is missing the point of relational databases.

  • Retro (unregistered) in reply to Admiral Nelson

    Hi,

    Convenient maybe, but I don't think it serves the purpose of security based on roles! I hope, Adam, your post was a joke.

    Nice Regards, Retro

  • Cbuttius (cs)

    A user who has more than one role can have multiple logins, one for each role, and the part after the prefix is unique so you can search on it, i.e. ADM_BertGladstron is the same user as USR_BertGladstron but has a different role; the first one is there to boot people off the system if they use a silly alias.

  • Remy Porter (cs)

    We should categorize people based on their CHA scores. Then we can do ROLL based filtering.

    //I'm so sorry.

  • Ken B. (unregistered) in reply to by
    by:
    Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals.
    What makes you think it's so difficult? Simply replace
    return UserName.StartsWith(roleName.Substring(0, 3));
    with
    return UserName.Contains(roleName.Substring(0, 3));
  • trak998 (unregistered) in reply to Buzz Killington
    Buzz Killington:
    Anon:
    by:
    This seems like only a minor wtf based on your buttumptions about the user name and roles. Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals. But assuming that users are not able to select their own usernames (something that's always been based on my name at every company, but I wasn't given a choice about it), you could very easily have single roles prefixed that would match properly.

    For example, Manager Lyle could be MGR_lyle. If your username changes on promotion, so what? Obscure Service Technician Bob would be OT6_Bob. Again, there would be many more roles, but considering the domain space, what if there's only the need for 3 roles? No need to over-engineer a solution.

    Agreed. It's hardly an elegant solution, and obviously flawed if people chose their own username, but lots of (especially corporate) systems don't let you pick (or change) your user name.

    True, most don't let you choose your user name. Most systems also allow one person to have multiple roles that are far more fine-grained than Customer, Employee and Admin. The point is that intelligence should never be built into keys - that is the beauty of XML.

    FTFY

    Seriously, every time someone uses a relational database for something that could be fixed in a text file that can be sent via HTTP and parsed trivially another kitten dies.

  • Ken B. (unregistered) in reply to Yuval
    Yuval:
    You mean "its".

    (this was a commentary on the superfluous apostrophe in the last paragraph of the article. Seriously. "It's development"??)

    The problem wasn't a "superfluous apostrophe", but rather the lack of capitalization. "IT's development"

  • Anon (unregistered) in reply to Ken B.
    Ken B.:
    by:
    Yes, it will be difficult (without some creativity) to assign multiple roles to induhviduals.
    What makes you think it's so difficult? Simply replace
    return UserName.StartsWith(roleName.Substring(0, 3));
    with
    return UserName.Contains(roleName.Substring(0, 3));

    Now that's TRWTF.

Leave a comment on “Role-based Canary”
