[Catalyst-dev] Implementing Authent/Author via attributes (RFC)

Kieren Diment diment at gmail.com
Sat Apr 4 01:27:49 GMT 2009





On 04/04/2009, at 12:22 PM, Bruce McKenzie wrote:

> Sadly, it was not clear to me that you could have only one  
> ActionClass per handler. I finally figured it out after tracing  
> things and reading lots of perldoc. <sigh> I'm new to this. It  
> worked fine for my paths that were not RESTful also :-)
>
> I see the notes about a proposed patch (http://www.mail-archive.com/catalyst@lists.rawmode.org/msg04135.html)
> which redirected to a Grand Unified Theory of Rearchitecture  
> (instead of applying the patch). Dumb question -- where can I read  
> more about the rearchitecture?
>

Evil hack:

use multiple inheritance to create a 'RESTLoginRequired' actionclass

Better solution:

Use Catalyst::Controller::ActionRole to define your own attributes.



>
> Anyways, I have a real issue and a proposal --
>
> So here's what I want to do:
>
> --- Controller ---
> ...
> sub config_element :Path('')  ActionClass('REST')  
> ActionClass( 'LoginRequired' )
> {
>    my ( $self, $c ) = @_;
>
>   $c->log->debug("I only get this if I'm logged in!");
> }
> ...
> ------
>
> --- MyApp::Action::LoginRequired ---
> ...
> sub execute
> {
>    my $self = shift;
>    my ( $controller, $c, @args ) = @_;
>
>    if ( ! $c->session->{'logged_in'} )
>    {
>        $c->detach('/login_required');
>    }
>
>    my $r = $self->next::method(@_);
>
>    return $r;
> }
> ...
> -------
>
> Why? It just seemed way cleaner to me (LoginRequired *is* attribute-y
> to me :-) than repeated:
> ---
>        $c->detach('/login_required') unless $c->session->{'logged_in'};
> ---
>
> lines throughout all of my methods. Specifically, I added an "auth
> not required" mode in which login-requirements were temporarily
> defeated, and I had to go edit every path everywhere that had this
> code bit. Sure, I can turn "$c->session->{'logged_in'}" into an
> app/context method call and have the code only there...but it misses the
> point (or *I* miss the point).
>
> Attributes are decorators and meta-behaviours, and access  
> requirements seemed like a perfect example of this to me. Obviously  
> they don't have to be ActionClass(es).
>
> So (he says, phrasing it in the form of an RFC), would there be any
> traction in pursuing an Authent/Author/ACL attribute that slots in?
>
> Something like:
>
> sub mypath1 : AllowWhen( 'authenticated' ) { }
> sub mypath2 : AllowWhen( 'hasanyrole(foo,bar)' ) { }  # permitted if user has any of the roles
> sub mypath3 : AllowWhen( 'hasallroles(organization1,administration)' ) { }  # permitted if user has all of the roles
>
> May I have feedback (up to and hopefully not including "please go  
> away" :-)
>
> Thanks very much for your time.
>
> Bruce
>
>
> ---
> Bruce McKenzie
> brucem at dynamicrange.com
>
>
>
> _______________________________________________
> Catalyst-dev mailing list
> Catalyst-dev at lists.scsys.co.uk
> http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst-dev



