[Catalyst-dev] Catalyst::Plugin::Authorization::Abilities

Ido Perelmutter ido50 at yahoo.com
Sat Apr 11 13:54:10 GMT 2009 

Hello there.

This is my first post to the mailing list and what's going to be my first CPAN module. Anyway, I've created an Authorization plugin for Catalyst, based on the Roles plugin but pretty much entirely different. I use this plugin on two applications I'm currently writing (and will be releasing to CPAN): a large scale CMS and a large scale BBS.

Basically, this module takes on a different approach than the Roles (and also the CDBI::GroupToken) authorization plugins currently existing. The reason for creating this plugin is simple: both Authorization::Roles and Authorization::CDBI::GroupToken use the same approach (correct me if I'm wrong): decide who can perform which actions while developing your application.

This approach may be good for really specific or small scale applications, but is probably entirely unsuable on a large scale system with many contributers. For example, let's take a bulletin board system. After installing a BBS, I, as the "super-admin", need to have the ability to create user groups and assign actions that users of these groups can perform. For example, I might want to create an "admins" group with almost all privilages, or a "mods" group with only editing privilages, or basically do whatever I want. The main thing to keep in mind here is that I am an end-user, not the developer. So why should I be tied to the developer's idea of who should be able to do what?

This is why I've created Catalyst::Plugin::Authorization::Abilities. With this plugin, I do not check a user belongs to a certain role before allowing him to perform certain actions, but instead check that he has the ability to perform this action. This ability can either be given to this user by adding him to a role (i.e. the user group), or by explicitly granting him a specific action. So, for example, 'some_user' can be granted access to the action 'delete_posts' since he belongs to the role 'admins', and to the action 'clear_cache' because he was explicitly given this ability.

And who gives the abilities? Anyone who has the ability to do so, i.e. someone who already has the ability to create roles and/or grant abilities. I suppose I should make the "super-user" (the user that installed the application) "omnipotent" so he can do anything, but that's not yet implemented.

So using this plugin basically means that I, as the developer of the application, need to create controllers allowing the creation of user roles and the assigning of actions to roles/users.

Using the plugin resembles using the Authorization::Roles plugin (Note that they are not to be used in conjunction). Instead of using $c->assert_user_role('admins'), I would use $c->assert_user_ability('do_something').

The plugin also requires the presence of several database tables: actions, roles, user_roles and user_actions. The 'actions' table hold all actions names and descriptions. The 'roles' table you already know. You also know the 'user_roles' table, which assigns a user to different roles. The 'user_actions' table is just the same, but assigns a user to different actions. Also, appropriate relationships need to be created in the schema for the Users table (the "user_roles" relationship and the "actions" relationship).

CREATE TABLE actions (
	id		INTEGER PRIMARY KEY,
	name		VARCHAR(128) NOT NULL,
	description	TEXT
);

CREATE TABLE roles (
	id		INTEGER PRIMARY KEY,
	name		VARCHAR(128) NOT NULL
);

CREATE TABLE user_roles (
	user_id		INTEGER NOT NULL,
	role_id		INTEGER NOT NULL,
	PRIMARY KEY (user_id, role_id)
);

CREATE TABLE role_actions (
	role_id		INTEGER NOT NULL,
	action_id	INTEGER NOT NULL,
	PRIMARY KEY (role_id, action_id)
);

CREATE TABLE user_actions (
	user_id		INTEGER NOT NULL,
	action_id	INTEGER NOT NULL,
	PRIMARY KEY (user_id, action_id)
);

Anyway, I'm attaching the plugin source to this message for you to look into. Please send me any comments/suggestions you have.

Thanks a lot,
Ido Perelmutter,
ido50 at yahoo.com


      
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Abilities.pm
Type: application/octet-stream
Size: 4505 bytes
Desc: not available
Url : http://lists.scsys.co.uk/pipermail/catalyst-dev/attachments/20090411/3d46ea18/Abilities.obj

More information about the Catalyst-dev mailing list