[Catalyst-commits] r11440 - in
trunk/Catalyst-Plugin-Authorization-ACL: .
lib/Catalyst/Plugin/Authorization t t/lib
caelum at dev.catalyst.perl.org
caelum at dev.catalyst.perl.org
Wed Sep 30 22:23:25 GMT 2009
Author: caelum
Date: 2009-09-30 22:23:24 +0000 (Wed, 30 Sep 2009)
New Revision: 11440
Modified:
trunk/Catalyst-Plugin-Authorization-ACL/Changes
trunk/Catalyst-Plugin-Authorization-ACL/lib/Catalyst/Plugin/Authorization/ACL.pm
trunk/Catalyst-Plugin-Authorization-ACL/t/lib/ACLTestApp.pm
trunk/Catalyst-Plugin-Authorization-ACL/t/live_app.t
Log:
add deny_access_unless_any and allow_access_if_any shortcuts
Modified: trunk/Catalyst-Plugin-Authorization-ACL/Changes
===================================================================
--- trunk/Catalyst-Plugin-Authorization-ACL/Changes 2009-09-29 13:22:10 UTC (rev 11439)
+++ trunk/Catalyst-Plugin-Authorization-ACL/Changes 2009-09-30 22:23:24 UTC (rev 11440)
@@ -1,5 +1,8 @@
Revision history for Perl extension Catalyst::Plugin::Authorization::ACL
+0.14 2009-09-30 22:20:41
+ - add 'deny_access_unless_any' and 'allow_access_if_any' as shortcuts
+ for any role in a list
- fix 'uninitialized' warning in tests
0.13 2009-09-26 03:34:16
Modified: trunk/Catalyst-Plugin-Authorization-ACL/lib/Catalyst/Plugin/Authorization/ACL.pm
===================================================================
--- trunk/Catalyst-Plugin-Authorization-ACL/lib/Catalyst/Plugin/Authorization/ACL.pm 2009-09-29 13:22:10 UTC (rev 11439)
+++ trunk/Catalyst-Plugin-Authorization-ACL/lib/Catalyst/Plugin/Authorization/ACL.pm 2009-09-30 22:23:24 UTC (rev 11440)
@@ -1,18 +1,16 @@
package Catalyst::Plugin::Authorization::ACL;
-use base qw/Class::Data::Inheritable/;
-use strict;
-use warnings;
-
-use MRO::Compat;
+use namespace::autoclean;
+use Moose;
use mro 'c3';
+with 'Catalyst::ClassData';
use Scalar::Util ();
-use Catalyst::Plugin::Authorization::ACL::Engine;
+use Catalyst::Plugin::Authorization::ACL::Engine qw/$DENIED $ALLOWED/;
# TODO
# refactor forcibly_allow_access so that the guts are cleaner
-BEGIN { __PACKAGE__->mk_classdata("_acl_engine") }
+__PACKAGE__->mk_classdata("_acl_engine");
our $VERSION = '0.14';
@@ -80,6 +78,16 @@
$c->_acl_engine->add_deny(@_);
}
+sub deny_access_unless_any {
+ my ($c, $path, $roles) = @_;
+
+ $c->deny_access_unless($path, sub {
+ my ($c, $action) = @_;
+
+ return $c->check_any_user_role(@$roles);
+ });
+}
+
sub deny_access {
my $c = shift;
$c->deny_access_unless( @_, undef );
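Review bot: `deny_access_unless_any` does not look at `$roles` until the rule closure runs, so a caller that passes a single role string or omits the argument registers the ACL without complaint and the `@$roles` dereference only fails when a request hits the path. How the engine treats an exception thrown inside a rule is not visible in this hunk, so it is safer to fail at registration. Copying the list up front does that and also stops later changes to the caller's array from silently altering the rule: add `my @roles = @$roles;` before the `deny_access_unless` call and use `return $c->check_any_user_role(@roles);` inside the closure. The same applies to `allow_access_if_any` in the next hunk.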
@@ -90,6 +98,16 @@
$c->_acl_engine->add_allow(@_);
}
+sub allow_access_if_any {
+ my ($c, $path, $roles) = @_;
+
+ $c->allow_access_if($path, sub {
+ my ($c, $action) = @_;
+
+ return $c->check_any_user_role(@$roles);
+ });
+}
+
sub allow_access {
my $c = shift;
$c->allow_access_if( @_, 1 );
@@ -144,6 +162,7 @@
}
+__PACKAGE__->meta->make_immutable;
__PACKAGE__;
__END__
@@ -156,23 +175,23 @@
=head1 SYNOPSIS
- use Catalyst qw/
- Authentication
- Authorization::Roles
- Authorization::ACL
- /;
+ use Catalyst qw/
+ Authentication
+ Authorization::Roles
+ Authorization::ACL
+ /;
- __PACKAGE__->setup;
+ __PACKAGE__->setup;
- __PACKAGE__->deny_access_unless(
- "/foo/bar",
- [qw/nice_role/],
- );
+ __PACKAGE__->deny_access_unless(
+ "/foo/bar",
+ [qw/nice_role/],
+ );
- __PACKAGE__->allow_access_if(
- "/foo/bar/gorch",
- sub { return $boolean },
- );
+ __PACKAGE__->allow_access_if(
+ "/foo/bar/gorch",
+ sub { return $boolean },
+ );
=head1 DESCRIPTION
@@ -208,8 +227,10 @@
=head1 METHODS
-=head2 allow_access_if $path, $rule
+=head2 allow_access_if
+Arguments: $path, $rule
+
Check the rule condition and allow access to the actions under C<$path> if
the rule returns true.
@@ -220,8 +241,16 @@
the next rule in the chain will be checked - in this sense the combinatory
behavior of these rules is like logical B<OR>.
-=head2 deny_access_unless $path, $rule
+=head2 allow_access_if_any
+Arguments: $path, \@roles
+
+Same as above for any role in the list.
+
+=head2 deny_access_unless
+
+Arguments: $path, $rule
+
Check the rule condition and disallow access if the rule returns false.
This is normally useful to restrict access to any portion of the application
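Review bot: "Same as above for any role in the list" under `allow_access_if_any` leaves the reader to work out how a role list combines, and the same sentence is reused for `deny_access_unless_any` in the next hunk, where a misreading decides who gets locked out. Each entry should state its rule outright, for example `Allow access if the user has at least one of the roles in C<\@roles>.` and `Deny access unless the user has at least one of the roles in C<\@roles>; a user holding none of them is denied.` It would also help to say that `\@roles` must be an array reference, since the code dereferences it unconditionally.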
@@ -231,26 +260,36 @@
next rule in the chain will be checked - in this sense the combinatory
behavior of these rules is like logical B<AND>.
-=head2 allow_access $path
+=head2 deny_access_unless_any
-=head2 deny_access $path
+Arguments: $path, \@roles
+Same as above for any role in the list.
+
+=head2 allow_access
+
+=head2 deny_access
+
+Arguments: $path
+
Unconditionally allow or deny access to a path.
-=head2 acl_add_rule $path, $rule, [ $filter ]
+=head2 acl_add_rule
+Arguments: $path, $rule, [ $filter ]
+
Manually add a rule to all the actions under C<$path> using the more flexible
(but more verbose) method:
- __PACKAGE__->acl_add_rule(
- "/foo",
- sub { ... }, # see FLEXIBLE RULES below
- sub {
- my $action = shift;
- # return a true value if you want to apply the rule to this action
- # called for all the actions under "/foo"
- }
- };
+ __PACKAGE__->acl_add_rule(
+ "/foo",
+ sub { ... }, # see FLEXIBLE RULES below
+ sub {
+ my $action = shift;
+ # return a true value if you want to apply the rule to this action
+ # called for all the actions under "/foo"
+ }
+ };
In this case the rule must be a sub reference (or method name) to be invoked on
$c.
@@ -258,10 +297,14 @@
The default filter will skip all actions starting with an underscore, namely
C<_DISPATCH>, C<_AUTO>, etc (but not C<auto>, C<begin>, et al).
-=head2 acl_access_denied $c, $class, $action, $err
+=head2 acl_access_denied
-=head2 acl_access_allowed $c, $class, $action
+Arguments: $c, $class, $action, $err
+=head2 acl_access_allowed
+
+Arguments: $c, $class, $action
+
The default event handlers for access denied or allowed conditions. See below
on handling access violations.
@@ -319,13 +362,17 @@
=item Role Lists
- __PACAKGE__->deny_access_unless( "/foo/bar", [qw/admin moose_trainer/] );
+ __PACAKGE__->deny_access_unless_any( "/foo/bar", [qw/admin moose_trainer/] );
When the role is evaluated the L<Catalyst::Plugin::Authorization::Roles> will
be used to check whether the currently logged in user has the specified roles.
-If C<allow_access_if> is used, the presence of B<all> the roles will
-immediately permit access, and if C<deny_access_unless> is used the lack of
+If L</allow_access_if_any> is used, the presence of B<any> of the roles in
+the list will immediately permit access, and if L</deny_access_unless_any> is
+used, the lack of B<all> of the roles will immediately deny access.
+
+Similarly, if C<allow_access_if> is used, the presence of B<all> the roles will
+immediately permit access, and if C<deny_access_unless> is used, the lack of
B<any> of the roles will immediately deny access.
When specifying a role list without the
@@ -337,8 +384,8 @@
The code reference or method is invoked with the context and the action
objects. The boolean return value will determine the behavior of the rule.
- __PACKAGE__->allow_access_if( "/gorch", sub { ... } );
- __PACKAGE__->deny_access_unless( "/moose", "method_name" );
+ __PACKAGE__->allow_access_if( "/gorch", sub { ... } );
+ __PACKAGE__->deny_access_unless( "/moose", "method_name" );
When specifying a method name the rule engine ensures that it can be invoked
using L<UNIVERSAL/can>.
@@ -366,18 +413,18 @@
explicitly allowing or denying access based on how much mojo the current
user has:
- __PACKAGE__->acl_add_rule(
- "/foo",
- sub {
- my ( $c, $action ) = @_;
+ __PACKAGE__->acl_add_rule(
+ "/foo",
+ sub {
+ my ( $c, $action ) = @_;
- if ( $c->user->mojo > 50 ) {
- die $ALLOWED;
- } else {
- die $DENIED;
- }
- }
- );
+ if ( $c->user->mojo > 50 ) {
+ die $ALLOWED;
+ } else {
+ die $DENIED;
+ }
+ }
+ );
=head1 HANDLING DENIAL
@@ -415,7 +462,6 @@
...
$c->forcibly_allow_access
if $you->mean_it eq "really";
-
}
If you call C<forcibly_allow_access> then the blocked action will be
@@ -471,7 +517,7 @@
=head1 COPYRIGHT & LICENSE
-Copyright (c) 2008 the aforementioned authors.
+Copyright (c) 2008,2009 the aforementioned authors.
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.
Modified: trunk/Catalyst-Plugin-Authorization-ACL/t/lib/ACLTestApp.pm
===================================================================
--- trunk/Catalyst-Plugin-Authorization-ACL/t/lib/ACLTestApp.pm 2009-09-29 13:22:10 UTC (rev 11439)
+++ trunk/Catalyst-Plugin-Authorization-ACL/t/lib/ACLTestApp.pm 2009-09-30 22:23:24 UTC (rev 11440)
@@ -33,7 +33,7 @@
},
quxx => {
password => "ding",
- roles => [qw/moose_trainer/],
+ roles => [qw/zoo_worker moose_trainer/],
os => "osx",
},
},
@@ -47,7 +47,7 @@
__PACKAGE__->allow_access_if("/", sub { 1 }); # just to test that / can be applied to
-__PACKAGE__->deny_access_unless("/lioncage", [qw/zoo_worker lion_tamer/]); # only highly trained personnel can enter
+__PACKAGE__->deny_access_unless_any("/lioncage", [qw/zoo_worker lion_tamer/]);
# this now in config
# __PACKAGE__->deny_access_unless("/restricted", sub { 0 }); # no one can access
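Review bot: The `/lioncage` rule is converted in place from `deny_access_unless` with a role list to `deny_access_unless_any`, so the all-roles list form loses this live rule. Whether another rule in the test app still exercises it is not visible in this hunk. Consider keeping the original rule on a separate path (for example a second cage action) so that both the all-roles and any-role semantics stay under test. The dropped comment `# only highly trained personnel can enter` could be replaced with one naming the new intent, such as `# any one of these roles is enough`.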
Modified: trunk/Catalyst-Plugin-Authorization-ACL/t/live_app.t
===================================================================
--- trunk/Catalyst-Plugin-Authorization-ACL/t/live_app.t 2009-09-29 13:22:10 UTC (rev 11439)
+++ trunk/Catalyst-Plugin-Authorization-ACL/t/live_app.t 2009-09-30 22:23:24 UTC (rev 11440)
@@ -75,7 +75,7 @@
is_allowed("zoo/elk");
is_allowed("zoo/moose");
is_denied("zoo/rabbit");
-is_denied("lioncage");
+is_allowed("lioncage");
is_denied("restricted");
is_allowed("zoo/penguins/emperor");
is_denied("zoo/penguins/tux");
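Review bot: Flipping `is_denied("lioncage")` to `is_allowed("lioncage")` leaves no assertion in this hunk that a user holding neither `zoo_worker` nor `lion_tamer` is refused. The visible test for `deny_access_unless_any` therefore covers only the permit path, and the deny path is the one that matters for an access-control shortcut. Add a check made as a user without either role, using whatever login helper the file already has, which is outside this hunk. `allow_access_if_any` is not exercised by any visible hunk; a rule and a pair of `is_allowed`/`is_denied` assertions for it would cover the second new method.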