[Catalyst] Re: fine Authentication
Vlad Bazon
vlad.bazon at gmail.com
Thu Aug 4 17:14:14 CEST 2005
Of course! You are always right ...
On the other hand, in order to avoid <manually> modifying the data of
another user - a solution could be the (banal) extension of the
controller code with:
sub do_edit {
    my ( $self, $c ) = @_;
    # the "extension" to prevent GET ("manual") requests
    if ( $c->req->method eq "GET" ) {
        $c->req->action(undef);
        $c->stash->{message} = "aaa";    # You must not modify the others' data!
        return $c->forward('/login/login');
    }
    .....
Am I wrong?
Vlad
On 8/3/05, David Storrs <dstorrs at dstorrs.com> wrote:
> > On 7/30/05, Vlad Bazon <vlad.bazon at gmail.com> wrote:
> >
> >> I do this in "list.html" (and not in a controller ...?!) - like:
> >> ......
> >> <td>
> >> [% IF (column == 'nume') and ((c.session.user_id == object.$primary)
> >> or (c.session.user_id == object.di_id.id)) %]
> >> <a href= [% c.req.base _ table_name _ "/edit/" _ object.
> >> $primary %] >
> >> [% END %]
> >> [% object.$column %]
> >> </td>
> >> ...... (so, only "user_id" has a "edit/7" action at disposition.)
> >>
> >> probably, it is not a good idea (because of the principle of the
> >> separation M/C/V) - but it is so practical ...
>
> On Aug 3, 2005, at 2:30 AM, Vlad Bazon wrote:
>
> > A very bad solution!
> > <Any> user could type "http://.../edit/7" manually!
> > I'm sorry ...
>
>
> Actually, it's a good solution--just not to the problem of
> authentication. This isn't an authentication technique, this is a
> user-interface technique: it helps to present the user with a
> simple, uncluttered interface that includes only the elements they
> need/can use. Authentication should be done via checking credentials,
> as you imply above.
>
> --Dks
>
> _______________________________________________
> Catalyst mailing list
> Catalyst at lists.rawmode.org
> http://lists.rawmode.org/mailman/listinfo/catalyst
>
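As an added example (not code from this thread or from Catalyst itself): the ownership rule that list.html evaluates, moved into the controller and applied to every request whatever its HTTP method, so that a hand-typed "edit/7" gets the same answer as a click on the link. The Catalyst context is replaced by plain hashes so the script runs stand-alone; treating 'id' as the primary key (the template's object.$primary) is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Authorization rule, independent of the template and of the HTTP method.
# Field names user_id and di_id come from the thread; using 'id' as the
# primary key (the template's object.$primary) is an assumption.
sub may_edit {
    my ( $session_user_id, $object ) = @_;
    return 0 unless defined $session_user_id;
    return 1 if $session_user_id == $object->{id};       # row owner
    return 1 if defined $object->{di_id}
        && $session_user_id == $object->{di_id};         # related user
    return 0;
}

# Constructed stand-in for the controller's do_edit: every request, GET or
# POST, typed by hand or not, goes through may_edit before anything is
# changed, so hiding the link in list.html is only a UI nicety.
sub do_edit {
    my ( $req, $session, $db ) = @_;
    my $object = $db->{ $req->{id} }
        or return { status => 404, message => 'no such record' };
    unless ( may_edit( $session->{user_id}, $object ) ) {
        my $who = defined $session->{user_id} ? $session->{user_id} : 'anonymous';
        warn "denied: user $who tried $req->{method} edit/$req->{id}\n";
        return { status => 403, message => "You must not modify others' data!" };
    }
    $object->{name} = $req->{params}{name} if $req->{method} eq 'POST';
    return { status => 200, object => $object };
}

# Constructed sample: row 7 may be edited by user 7 (primary key) or user 5 (di_id).
my %db = ( 7 => { id => 7, di_id => 5, name => 'original' } );

for my $try (
    [ { method => 'GET',  id => 7 },                              { user_id => 9 } ],
    [ { method => 'POST', id => 7, params => { name => 'bad' } }, { user_id => 9 } ],
    [ { method => 'POST', id => 7, params => { name => 'ok' } },  { user_id => 5 } ],
) {
    my ( $req, $session ) = @$try;
    my $res = do_edit( $req, $session, \%db );
    printf "%-4s edit/%d as user %d => %d\n",
        $req->{method}, $req->{id}, $session->{user_id}, $res->{status};
}
```

The first two requests are refused with 403 because user 9 is neither the owner nor the di_id user, and only the last one changes the row.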