Author: caelum
Date: 2011-12-15 04:02:48 +0000 (Thu, 15 Dec 2011)
New Revision: 14212

my advent article

Added: trunk/examples/CatalystAdvent/root/2011/pen/login_authorization_and_user_admin.pod
--- trunk/examples/CatalystAdvent/root/2011/pen/login_authorization_and_user_admin.pod	                        (rev 0)
+++ trunk/examples/CatalystAdvent/root/2011/pen/login_authorization_and_user_admin.pod	2011-12-15 04:02:48 UTC (rev 14212)
@@ -0,0 +1,1067 @@
+=head1 Login, Authorization and User Administration
+This tutorial will describe the latest tech in Catalyst authentication and
+authorization and describe a real-world user administration system.
+To follow along, first check out the sample code for chapter 4 of the Catalyst
+    svn co http://dev.catalystframework.org/repos/Catalyst/trunk/examples/Tutorial/Final/Chapter04
+To get the complete working source for this article, download this
+=head2 The Users Schema
+In C<users.sql> we'll put the tables for holding the user information of our
+If you're following along on PostgreSQL replace C<INTEGER PRIMARY KEY> with
+    DROP TABLE IF EXISTS user_roles;
+    CREATE TABLE users (
+        active CHAR(1) NOT NULL,
+        username TEXT NOT NULL UNIQUE,
+        password TEXT NOT NULL,
+        password_expires TIMESTAMP,
+        name TEXT NOT NULL,
+        email_address TEXT NOT NULL,
+        phone_number TEXT,
+        mail_address TEXT
+    );
+    CREATE TABLE roles (
+        name TEXT NOT NULL UNIQUE
+    );
+    CREATE TABLE user_roles (
+        PRIMARY KEY (user_id, role_id)
+    );
+    INSERT INTO users (username, active, name, email_address, password) VALUES (
+        'admin', 'Y', 'Administrator', 'admin at myapp.org', 'dummy'
+    );
+    INSERT INTO roles (name) VALUES ('admin');
+    INSERT INTO roles (name) VALUES ('can_edit');
+    INSERT INTO user_roles (user_id, role_id) VALUES (
+        (SELECT id FROM users WHERE username = 'admin'),
+        (SELECT id FROM roles WHERE name     = 'admin')
+    );
+Load the schema into the db:
+    sqlite3 myapp.db < users.sql
+=head2 Password Hashing
+We will use L<DBIx::Class::PassphraseColumn> and
+L<Authen::Passphrase::BlowfishCrypt> for handling the password hash. This is
+currently the most secure hashing method.
+It is a good idea to add dependencies for your application to the
+C<Makefile.PL>, as follows:
+    requires 'DBIx::Class::PassphraseColumn';
+    requires 'Authen::Passphrase::BlowfishCrypt';
+Then when you deploy the app, you can simply do:
+    perl Makefile.PL
+    make listdeps | cpanm
+Or C<cpanm -n> to skip tests.
+First regenerate the L<DBIx::Class> schema with our new tables and this
+component (make sure you have the latest CPAN version of
+    perl script/myapp_create.pl model DB DBIC::Schema MyApp::Schema \
+        create=static components=TimeStamp,PassphraseColumn dbi:SQLite:myapp.db
+Now edit C<lib/MyApp/Schema/Result/User.pm> and below the C<DO NOT MODIFY> line
+add the following:
+    __PACKAGE__->add_columns(
+        '+password' => {
+            passphrase       => 'rfc2307',
+            passphrase_class => 'BlowfishCrypt',
+            passphrase_args  => {
+                cost        => 8,
+                salt_random => 20,
+            },
+            passphrase_check_method => 'check_password',
+        }
+    );
+If your L<DBIx::Class::Schema::Loader> did not generate a C<many_to_many> to
+roles, you will also need to add the following:
+    __PACKAGE__->many_to_many("roles", "user_roles", "role");
+=head2 Configuring Catalyst Authentication
+We will use L<CatalystX::SimpleLogin> as the entry point to the auth system.
+You will need to install a memcached server, on Debian run the following:
+    sudo aptitude install memcached
+You will need the following modules installed: L<Catalyst::Plugin::Session>,
+L<Catalyst::Plugin::Authorization::Roles> and L<CatalystX::SimpleLogin>.
+Now edit C<lib/MyApp.pm> and change the C<use Catalyst> line to:
+    use Catalyst qw/
+        -Debug
+        ConfigLoader
+        Static::Simple
+        Session
+        Session::Store::Memcached
+        Session::State::Cookie
+        Authentication
+        Authorization::Roles
+        +CatalystX::SimpleLogin
+    /;
+Above the C<< __PACKAGE__->setup() >> call, put the following configuration:
+    __PACKAGE__->config(
+       authentication => {
+          default_realm => 'users',
+          realms        => {
+             users => {
+                credential => {
+                   class          => 'Password',
+                   password_field => 'password',
+                   password_type  => 'self_check'
+                },
+                store => {
+                   class         => 'DBIx::Class',
+                   user_model    => 'DB::User',
+                   role_relation => 'roles',
+                   role_field    => 'name',
+                }
+             }
+          },
+       },
+       'Controller::Login' => { traits => ['-RenderAsTTTemplate'], },
+    );
+Now we need a login template:
+    mkdir root/src/login
+    touch root/src/login/login.tt2
+Place the following into the C<root/src/login/login.tt2> file:
+    [% META title = 'Welcome to MyApp: Please Log In' %]
+    <div>
+        [% FOR field IN login_form.error_fields %]
+            [% FOR error IN field.errors %]
+                <p><span style="color: red;">[% field.label _ ': ' _ error %]</span></p>
+            [% END %]
+        [% END %]
+    </div>
+    <div>
+        <form id="login_form" method="post" action="[% c.req.uri %]">
+            <fieldset style="border: 0;">
+                <table>
+                    <tr>
+                        <td><label class="label" for="username">Username:</label></td>
+                        <td><input type="text" name="username" value="" /></td>
+                    </tr>
+                    <tr>
+                        <td><label class="label" for="password">Password:</label></td>
+                        <td><input type="password" name="password" value="" /></td>
+                    </tr>
+                    <tr><td><input type="submit" name="submit" value="Login" /></td></tr>
+                </table>
+            </fieldset>
+        </form>
+    </div>
+Now we need the auth to protect the app. Replace the contents of
+C<lib/MyApp/Controller/Root.pm> with the following:
+    package MyApp::Controller::Root;
+    use Moose;
+    use namespace::autoclean;
+    BEGIN { extends 'Catalyst::Controller' }
+    __PACKAGE__->config(namespace => '');
+    sub base : Chained('/login/required') PathPart('') CaptureArgs(0) {}
+    sub home : Chained('/base') PathPart('') Args(0) {
+        my ($self, $c) = @_;
+        $c->res->redirect($c->uri_for('/books/list'));
+    }
+    sub default : Chained('/base') PathPart('') Args {
+        my ($self, $c) = @_;
+        $c->res->body('Page not found');
+        $c->res->status(404);
+    }
+    sub end : ActionClass('RenderView') {}
+    __PACKAGE__->meta->make_immutable;
+    1;
+Now make sure all actions in the app chain from C</base>. Replace the C<Books>
+controller in C<lib/MyApp/Controller/Books.pm> with the following:
+    package MyApp::Controller::Books;
+    use Moose;
+    use namespace::autoclean;
+    BEGIN {extends 'Catalyst::Controller'; }
+    sub base : Chained('/base') PathPrefix CaptureArgs(0) {}
+    sub list : Chained('base') PathPart('list') Args(0) {
+        my ($self, $c) = @_;
+        $c->stash(books => [ $c->model('DB::Book')->all ]);
+    }
+    sub url_create : Chained('base') PathPart('url_create') Args(3) {
+        my ($self, $c, $title, $rating, $author_id) = @_;
+        my $book = $c->model('DB::Book')->create({
+            title  => $title,
+            rating => $rating
+        });
+        $book->add_to_book_authors({ author_id => $author_id });
+        $c->stash(
+            book     => $book,
+            template => 'books/create_done.tt2'
+        );
+        $c->response->header('Cache-Control' => 'no-cache');
+    }
+    sub form_create : Chained('base') PathPart('form_create') Args(0) {
+        my ($self, $c) = @_;
+        $c->stash(template => 'books/form_create.tt2');
+    }
+    sub form_create_do : Chained('base') PathPart('form_create_do') Args(0) {
+        my ($self, $c) = @_;
+        my $title     = $c->request->params->{title}     || 'N/A';
+        my $rating    = $c->request->params->{rating}    || 'N/A';
+        my $author_id = $c->request->params->{author_id} || '1';
+        my $book = $c->model('DB::Book')->create({
+            title   => $title,
+            rating  => $rating,
+        });
+        $book->add_to_book_authors({author_id => $author_id});
+        $c->stash(
+            book     => $book,
+            template => 'books/create_done.tt2'
+        );
+    }
+    sub object : Chained('base') PathPart('id') CaptureArgs(1) {
+        my ($self, $c, $id) = @_;
+        $c->stash(object => $c->model('DB::Book')->find($id));
+        die "Book $id not found!" if !$c->stash->{object};
+    }
+    sub delete : Chained('object') PathPart('delete') Args(0) {
+        my ($self, $c) = @_;
+        $c->stash->{object}->delete;
+        $c->res->redirect($c->uri_for($self->action_for('list'),
+            {status_msg => "Book deleted."}));
+    }
+    sub list_recent : Chained('base') PathPart('list_recent') Args(1) {
+        my ($self, $c, $mins) = @_;
+        $c->stash(books => [$c->model('DB::Book')
+                                ->created_after(DateTime->now->subtract(minutes => $mins))]);
+        $c->stash(template => 'books/list.tt2');
+    }
+    sub list_recent_tcp : Chained('base') PathPart('list_recent_tcp') Args(1) {
+        my ($self, $c, $mins) = @_;
+        $c->stash(books => [
+                $c->model('DB::Book')
+                    ->created_after(DateTime->now->subtract(minutes => $mins))
+                    ->title_like('TCP')
+            ]);
+        $c->stash(template => 'books/list.tt2');
+    }
+    __PACKAGE__->meta->make_immutable;
+    1;
+Now we need to set the admin password so we can log in and try it out, in
+C<script/set_admin_password.pl> place the following:
+    #!/usr/bin/env perl
+    use strict;
+    use warnings;
+    use lib 'lib';
+    use MyApp;
+    use DateTime;
+    my $admin = MyApp->model('DB::User')->search({ username => 'admin' })
+        ->single;
+    $admin->update({ password => 'admin', password_expires => DateTime->now });
+Now run C<perl script/set_admin_password.pl> and the password should be set.
+Now run C<perl script/myapp_server.pl>, go to the server in your web browser and
+it should ask you to log in. Log in as C<admin/admin>, and it should take you to
+the books list.
+=head2 Authorization
+Let's protect our edit and delete actions for books by allowing only users with
+the C<can_edit> or C<admin> roles.
+You will need the following modules: L<Catalyst::Controller::ActionRole> and
+Change the C<extends> line in the Books controller to:
+    BEGIN { extends 'Catalyst::Controller::ActionRole'; }
+Add the edit chain bases:
+    sub edit : Chained('base') PathPart('') CaptureArgs(0) Does('ACL') AllowedRole('admin') AllowedRole('can_edit') ACLDetachTo('denied') {}
+    sub edit_object : Chained('object') PathPart('') CaptureArgs(0) Does('ACL') AllowedRole('admin') AllowedRole('can_edit') ACLDetachTo('denied') {}
+Now make the actions C<url_create>, C<form_create>,
+C<form_create_do> chain from C<edit> and C<delete> chain from C<edit_object>.
+Finally, add a C<denied> action:
+    sub denied : Private {
+        my ($self, $c) = @_;
+        $c->res->redirect($c->uri_for($self->action_for('list'),
+            {status_msg => "Access Denied"}));
+    }
+Now try removing your roles:
+    % sqlite3 myapp.db
+    sqlite> DELETE FROM user_roles;
+    sqlite> .q
+Restart the server, log back into the app, and try hitting a delete link. You
+should get the message C<Access Denied>.
+We should really hide the delete link, to do so edit C<root/src/books/list.tt2>.
+and change the C<Delete> link code to:
+    [% IF c.check_any_user_role('can_edit', 'admin') %]
+    <td>
+      [% # Add a link to delete a book %]
+      <a href="[%
+        c.uri_for(c.controller.action_for('delete'), [book.id]) %]">Delete</a>
+    </td>
+    [% END %]
+Now restart the server and go back to the book list, the delete link should no
+longer appear.
+Now recreate the role mapping:
+    % sqlite3 myapp.db
+    sqlite> INSERT INTO user_roles (user_id, role_id) VALUES (
+       ...>     (SELECT id FROM users WHERE username = 'admin'),
+       ...>     (SELECT id FROM roles WHERE name     = 'admin')
+       ...> );
+    sqlite> .q
+=head2 Password Expiry
+For the next section you will need the modules L<HTML::FormHandler> and
+Create a skeleton C<User> controller with a C<change_password> action in
+    package MyApp::Controller::User;
+    use Moose;
+    use namespace::autoclean;
+    use MyApp::Form::ChangePassword ();
+    BEGIN { extends 'Catalyst::Controller::ActionRole'; }
+    sub base : Chained('/base') PathPrefix CaptureArgs(0) {}
+    sub admin : Chained('base') PathPart('') CaptureArgs(0) Does('ACL') RequiresRole('admin') ACLDetachTo('denied') {}
+    sub change_password : Chained('base') PathPart('change_password') Args(0) {
+        my ($self, $c) = @_;
+        my $form = MyApp::Form::ChangePassword->new;
+        $c->stash(form => $form);
+        return unless $form->process(
+            user   => $c->user,
+            params => $c->req->body_parameters,
+        );
+        $c->user->update({
+            password         => $form->field('new_password')->value,
+            password_expires => undef,
+        });
+        $c->res->redirect($c->uri_for('/books/list', {
+            status_msg => 'Password changed successfully'
+        }));
+    }
+    sub denied : Private {
+        my ($self, $c) = @_;
+        $c->res->redirect($c->uri_for('/books/list', {
+            status_msg => "Access Denied"
+        }));
+    }
+    __PACKAGE__->meta->make_immutable;
+    1;
+And the form class in C<lib/MyApp/Form/ChangePassword.pm>:
+    package MyApp::Form::ChangePassword;
+    use HTML::FormHandler::Moose;
+    extends 'HTML::FormHandler';
+    use namespace::autoclean;
+    use Method::Signatures::Simple;
+    has user => (is => 'rw');
+    has_field 'current_password' => (
+       type     => 'Password',
+       label    => 'Current Password',
+       required => 1,
+    );
+    method validate_current_password($field) {
+        $field->add_error('Incorrect password')
+            if not $self->user->check_password($field->value);
+    }
+    has_field 'new_password' => (
+        type      => 'Password',
+        label     => 'New Password',
+        required  => 1,
+        minlength => 5,
+    );
+    after validate => method {
+        if ($self->field('new_password')->value eq
+                $self->field('current_password')->value )
+        {
+            $self->field('new_password')
+                ->add_error('Must be different from current password');
+        }
+    };
+    has_field 'new_password_conf' => (
+       type           => 'PasswordConf',
+       label          => 'New Password (again)',
+       password_field => 'new_password',
+       required       => 1,
+       minlength      => 5,
+    );
+    has_field submit => (type => 'Submit', value => 'Change');
+    __PACKAGE__->meta->make_immutable;
+    1;
+And the template in C<root/src/user/change_password.tt2>:
+    [% META title = 'MyApp: Change Password' %]
+    <div>
+    <form name="[% form.name %]" action="[% c.req.uri %]" method="post">
+    [% FOR field IN form.error_fields %]
+        [% FOR error IN field.errors %]
+            <p><span style="color: red;">[% field.label _ ': ' _ error %]</span></p>
+        [% END %]
+    [% END %]
+    <fieldset style="border: 0;">
+    <table>
+    [% FOREACH field_name = ['current_password', 'new_password', 'new_password_conf'] %]
+    <tr>
+    [% f = form.field(field_name) %]
+    <td><label for="[% f.name %]">[% f.label %]:</label></td>
+    <td><input type="password" name="[% f.name %]" id="[% f.name %]" value="[% f.fif %]"></td>
+    </tr>
+    [% END %]
+    <tr><td><input type="submit" name="submit" value="Change" /></td></tr>
+    </fieldset>
+    </table>
+    </form>
+    </div>
+Now to enforce password expiry, we need to modify the base action in the root
+controller, edit C<lib/MyApp/Controller/Root.pm> and replace the first part with
+the following:
+    package MyApp::Controller::Root;
+    use Moose;
+    use namespace::autoclean;
+    use DateTime;
+    BEGIN { extends 'Catalyst::Controller' }
+    __PACKAGE__->config(namespace => '');
+    sub base : Chained('/login/required') PathPart('') CaptureArgs(0) {
+        my ($self, $c) = @_;
+        if ($c->user_exists && $c->user->active ne 'Y') {
+            $c->res->redirect($c->uri_for('/login', {
+                status_msg => 'User has been Deactivated',
+                username => $c->user->username,
+                password => 'xxx',
+            }));
+            $c->logout;
+            $c->detach;
+        }
+        if ($c->action ne $c->controller('User')->action_for('change_password')
+            && $c->user_exists
+            && $c->user->password_expires
+            && $c->user->password_expires <= DateTime->now)
+        {
+            $c->res->redirect($c->uri_for('/user/change_password', {
+                status_msg => 'Password Expired'
+            }));
+            $c->detach;
+        }
+    }
+We are also checking that the user is active.
+Now restart the server and open the site in your web browser, you will be asked
+to change your password then taken to the book list.
+=head2 User Profile
+Now we'll create an editable profile page.
+You will need the module L<HTML::FormHandler::Model::DBIC>.
+First, lets add a couple navigation links to the wrapper, edit
+C<root/src/wrapper.tt2> and change the menu to the following:
+    <div id="bodyblock">
+    <div id="menu">
+        <ul>
+            <li><strong>Navigation:</strong></li>
+            <li><a href="[% c.uri_for('/books/list') %]">Home</a></li>
+            <li><a href="[% c.uri_for('/user/profile') %]">Profile</a></li>
+            <li><a href="[% c.uri_for('/user/change_password') %]">Change Password</a></li>
+            [% IF c.check_user_roles('admin') %]
+            <li><a href="[% c.uri_for('/user/list') %]">Admin</a></li>
+            [% END %]
+            <li><a href="[% c.uri_for('/logout') %]">Logout</a></li>
+        </ul>
+    </div><!-- end menu -->
+Lets make a form class for the profile, create a
+C<lib/MyApp/Form/UserProfile.pm> with the following:
+    package MyApp::Form::UserProfile;
+    use HTML::FormHandler::Moose;
+    extends 'HTML::FormHandler::Model::DBIC';
+    use namespace::autoclean;
+    has '+item_class' => (default => 'User');
+    has_field 'name'          => ( type => 'Text',  required => 1 );
+    has_field 'email_address' => ( type => 'Email', required => 1 );
+    has_field 'phone_number'  => ( type => 'Text' );
+    has_field 'mail_address'  => ( type => 'Text' );
+    has_field submit => (
+       type  => 'Submit',
+       value => 'Update'
+    );
+    __PACKAGE__->meta->make_immutable;
+    1;
+Then we'll add a profile action to the User controller. At the top add:
+    use MyApp::Form::UserProfile    ();
+Then add the action:
+    sub profile : Chained('base') PathPart('profile') Args(0) {
+        my ($self, $c) = @_;
+        my $form = MyApp::Form::UserProfile->new;
+        $c->stash(form => $form);
+        return unless $form->process(
+            schema  => $c->model('DB')->schema,
+            item_id => $c->user->users_id,
+            params  => $c->req->body_parameters,
+        );
+        $c->res->redirect($c->uri_for('/books/list', {
+            status_msg => 'Profile Updated'
+        }));
+    }
+Add the template in C<root/src/user/profile.tt2>:
+    [% META title = 'MyApp: User Profile' %]
+    <div>
+    <form name="[% form.name %]" action="[% c.req.uri %]" method="post">
+    [% FOR field IN form.error_fields %]
+        [% FOR error IN field.errors %]
+            <p><span style="color: red;">[% field.label _ ': ' _ error %]</span></p>
+        [% END %]
+    [% END %]
+    <fieldset style="border: 0;">
+    <table>
+    [% FOREACH field_name = ['name', 'email_address',
+                             'phone_number', 'mail_address'] %]
+    <tr>
+    [% f = form.field(field_name) %]
+    <td><label for="[% f.name %]">[% f.label %]:</label></td>
+    <td><input type="text" size=30 name="[% f.name %]" id="[% f.name %]" value="[% f.fif %]"></td>
+    </tr>
+    [% END %]
+    <tr><td><input type="submit" name="submit" id="submit" value="Update" /></td></tr>
+    </fieldset>
+    </table>
+    </form>
+    </div>
+Now restart the server and try editing your profile.
+=head2 User Administration
+Finally, we will create an interface to manage the users of the app.
+For this part you will need the modules L<Crypt::PassGen> and
+Create an email view:
+    perl script/myapp_create.pl view Email::Template Email::Template
+And add its configuration to C<myapp.conf>:
+    <View::Email::Template>
+        <sender>
+            mailer Sendmail
+        </sender>
+        template_prefix email
+        <default>
+            content_type text/html
+            charset utf-8
+            view HTML
+        </default>
+    </View::Email::Template>
+    default_view HTML
+In the C<User> controller, add these use statements at the top:
+    use Crypt::PassGen 'passgen';
+    use MyApp::Form::AddUser        ();
+    use MyApp::Form::EditUser       ();
+And these actions:
+    sub list : Chained('admin') PathPart('list') Args(0) {
+        my ($self, $c) = @_;
+        my $users = $c->model('DB::User')->search(
+            { active => 'Y'},
+            {
+                order_by => ['username'],
+                page     => ($c->req->param('page') || 1),
+                rows     => 20,
+            }
+        );
+        $c->stash(
+            users => $users,
+            pager => $users->pager,
+        );
+    }
+    sub add : Chained('admin') PathPart('add') Args(0) {
+        my ($self, $c) = @_;
+        my $form = MyApp::Form::AddUser->new;
+        $c->stash(form => $form);
+        my $user = $c->model('DB::User')->new_result({});
+        my ($temp_password) = passgen(NWORDS => 1, NLETT => 8);
+        $user->password($temp_password);
+        $user->password_expires(DateTime->now);
+        $user->active('Y');
+        return unless $form->process(
+            schema => $c->model('DB')->schema,
+            item   => $user,
+            params => $c->req->body_parameters,
+        );
+        $c->stash->{email} = {
+            to           => $user->email_address,
+            from         => 'admin at myapp.org',
+            subject      => 'Welcome to MyApp',
+            content_type => 'text/html',
+            template     => 'welcome.tt2',
+        };
+        $c->stash(
+            username => $user->username,
+            password => $temp_password,
+        );
+        $c->forward($c->view('Email::Template'));
+        $c->res->redirect($c->uri_for($self->action_for('list'), {
+            status_msg => 'User '
+                . $user->username
+                . ' created successfully'
+                . ', initial password emailed ' . 'to '
+                . $user->email_address
+        }));
+    }
+    sub user : Chained('admin') PathPart('') CaptureArgs(1) {
+        my ($self, $c, $user_id) = @_;
+        $c->stash(user => $c->model('DB::User')->find($user_id));
+    }
+    sub inactivate : Chained('user') PathPart('inactivate') Args(0) {
+        my ($self, $c) = @_;
+        my $user = $c->stash->{user};
+        $user->update({ active => 'N' });
+        my $username = $user->username;
+        $c->res->redirect($c->uri_for($self->action_for('list'), {
+            status_msg => "User $username inactivated"
+        }));
+    }
+    sub reset_password : Chained('user') PathPart('reset_password') Args(0) {
+        my ($self, $c) = @_;
+        my $user = $c->stash->{user};
+        my ($temp_password) = passgen(NWORDS => 1, NLETT => 8);
+        $user->password($temp_password);
+        $user->password_expires(DateTime->now);
+        $user->update;
+        $c->stash->{email} = {
+            to           => $user->email_address,
+            from         => 'admin at myapp.org',
+            subject      => 'Your MyApp Password has been Reset',
+            content_type => 'text/html',
+            template     => 'reset_password.tt2',
+        };
+        $c->stash(
+            username => $user->username,
+            password => $temp_password,
+        );
+        $c->forward($c->view('Email::Template'));
+        $c->res->redirect($c->uri_for($self->action_for('list'), {
+            status_msg => 'Password reset email for '
+                . $user->username
+                . ' sent to '
+                . $user->email_address
+        }));
+    }
+    sub edit : Chained('user') PathPart('edit') Args(0) {
+        my ($self, $c) = @_;
+        my $form = MyApp::Form::EditUser->new;
+        $c->stash(form => $form);
+        return unless $form->process(
+            schema  => $c->model('DB')->schema,
+            item_id => $c->stash->{user}->id,
+            params  => $c->req->body_parameters,
+        );
+        $c->res->redirect($c->uri_for($self->action_for('list'), {
+            status_msg => 'User '
+                . $c->stash->{user}->username
+                . ' updated successfully'
+        }));
+    }
+B<NOTE:> the C<from> email address must be a valid address, otherwise your MTA
+will reject the email, replace it with your email address before testing this
+There are two email templates, one for the C<add> action which goes into
+    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+    <html xmlns="http://www.w3.org/1999/xhtml"
+          xml:lang="en"
+          lang="en">
+    <head>
+    </head>
+    <body>
+    <h2 align="center">Welcome to the MyApp system.</h2>
+    <p>Your username is: <span style="color: green;">[% username %]</span></p>
+    <p>Your initial password is: <span style="color: red;">[% password %]</span></p>
+    <p>You will be asked to change your password on first login.</p>
+    </body>
+    </html>
+And one for C<password_reset> which goes into
+    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+    <html xmlns="http://www.w3.org/1999/xhtml"
+          xml:lang="en"
+          lang="en">
+    <head>
+    </head>
+    <body>
+    <h2 align="center">Your MyApp Password has been Reset</h2>
+    <p>Your username is: <span style="color: green;">[% username %]</span></p>
+    <p>Your password is: <span style="color: red;">[% password %]</span></p>
+    <p>You will be asked to change your password on first login.</p>
+    </body>
+    </html>
+Four web templates, C<root/src/user/list.tt2>:
+    [% META title = 'MyApp: User Admin' %]
+    <br />
+    <a class="button" href="[% c.uri_for('/user/add') %]" onclick='this.blur();'><span>Add User</span></a>
+    <br />
+    Displaying users [% pager.first %]-[% pager.last %] of [% pager.total_entries %]
+    <table>
+    <tr>
+        <th>Username</th>
+        <th>Name</th>
+        <th>Email Address</th>
+    </tr>
+    [% WHILE (u = users.next) %]
+    <tr>
+    <td><a href="[% c.uri_for('/user', u.id, 'edit') %]">[% u.username %]</a></td>
+    <td>[% u.name %]</td>
+    <td>[% u.email_address %]</td>
+    <td><a href="[% c.uri_for('/user', u.id, 'reset_password') %]">Reset Password</a></td>
+    <td><a href="[% c.uri_for('/user', u.id, 'inactivate') %]">Inactivate</a></td>
+    </tr>
+    [% END %]
+    </table>
+    &lt;&lt; 
+    <a href="[% c.req.uri_with({ page => pager.first_page }) %]">First</a>
+    <a href="[% c.req.uri_with({ page => pager.previous_page })%]">Previous</a>
+    |
+    <a href="[% c.req.uri_with({ page => pager.next_page })%]">Next</a>
+    <a href="[% c.req.uri_with({ page => pager.last_page }) %]">Last</a>
+    &gt;&gt;
+    [% META title = 'MyApp: Add User' %]
+    <div>
+    <form name="[% form.name %]" action="[% c.req.uri %]" method="post">
+    [% FOR field IN form.error_fields %]
+        [% FOR error IN field.errors %]
+            <p><span style="color: red;">[% field.label _ ': ' _ error %]</span></p>
+        [% END %]
+    [% END %]
+    <fieldset style="border: 0;">
+    <table>
+    <tr>
+    [% f = form.field('username') %]
+    <td><label for="[% f.name %]">[% f.label %]:</label></td>
+    <td><input type="text" size=30 name="[% f.name %]" id="[% f.name %]" value="[% f.fif %]"></td>
+    </tr>
+    [% PROCESS user/edit_details.tt2 %]
+    <tr>
+        <td><input type="submit" name="submit" id="submit" value="Add" /></td>
+        <td><a href="/user/list">Users List</a></td>
+    </tr>
+    </fieldset>
+    </table>
+    </form>
+    </div>
+    [% META title = 'MyApp: Edit User' %]
+    <div>
+    <form name="[% form.name %]" action="[% c.req.uri %]" method="post">
+    [% FOR field IN form.error_fields %]
+        [% FOR error IN field.errors %]
+            <p><span style="color: red;">[% field.label _ ': ' _ error %]</span></p>
+        [% END %]
+    [% END %]
+    <fieldset style="border: 0;">
+    <table>
+    [% PROCESS user/edit_details.tt2 %]
+    <tr>
+        <td><input type="submit" name="submit" id="submit" value="Update" /></td>
+        <td><a href="/user/list">Users List</a></td>
+    </tr>
+    </fieldset>
+    </table>
+    </form>
+    </div>
+and C<root/src/user/edit_details.tt2>:
+    [% FOREACH field_name = ['name', 'email_address',
+                             'phone_number', 'mail_address'] %]
+    <tr>
+    [% f = form.field(field_name) %]
+    <td><label class="text.label" for="[% f.name %]">[% f.label %]:</label></td>
+    <td><input class="text" type="text" size=30 name="[% f.name %]" id="[% f.name %]" value="[% f.fif %]"></td>
+    </tr>
+    [% END %]
+    <tr>
+    [% f = form.field('roles') %]
+    <td><label for="[% f.name %]">Roles:</label></td>
+    <td>[% f.render %]</td>
+    </tr>
+And the two form classes, C<lib/MyApp/Form/AddUser.pm>:
+    package MyApp::Form::AddUser;
+    use HTML::FormHandler::Moose;
+    extends 'MyApp::Form::EditUser';
+    use namespace::autoclean;
+    has_field 'username' => (
+        type     => 'Text',
+        label    => 'User name',
+        required => 1,
+    );
+    __PACKAGE__->meta->make_immutable;
+    1;
+and C<lib/MyApp/Form/EditUser.pm>:
+    package MyApp::Form::EditUser;
+    use HTML::FormHandler::Moose;
+    extends 'MyApp::Form::UserProfile';
+    use namespace::autoclean;
+    has_field 'roles' => (
+        type         => 'Multiple',
+        widget       => 'checkbox_group',
+        label_column => 'name',
+        label        => '',
+    );
+    __PACKAGE__->meta->make_immutable;
+    1;
+Now try it out, launch the server and click the Admin link.
+I've taken you on a tour of a simple intranet auth system using modern
+L<Catalyst> technologies, hopefully you got some ideas about how to implement
+your own auth and administration systems.
+=head2 AUTHOR
+Caelum: Rafael Kitover <rkitover at cpan.org>

