[Catalyst] Re: fine Authentication
Wade.Stuart at fallon.com
Thu Aug 4 19:09:43 CEST 2005
I usually use two levels of auth: the outer sets the user/group
information, and then the database has table-level auth links to define what
type of table or group can access or mod info.
I check the action of each step with the privilege tables and then bounce
back errors, or forward, if the user is not allowed to view or mod the data.
On larger, more complex apps I write a bunch of classes that do this; on
smaller apps I tend to put it in each action. Putting any of this logic
(besides the obvious UI clean look-and-feel stuff) in the templates is a
waste of time.
-Wade
Vlad Bazon <vlad.bazon at gmail.com>
Sent by: catalyst-bounces@lists.rawmode.org
08/04/05 10:14 AM
To: The elegant MVC web framework <catalyst at lists.rawmode.org>
cc:
Subject: Re: [Catalyst] Re: fine Authentication
Please respond to Vlad Bazon <vlad.bazon at gmail.com>; Please respond to The elegant MVC web framework <catalyst at lists.rawmode.org>
Of course! You are always right ...
On the other hand, in order to prevent a user from <manually> modifying
another user's data, a solution could be the (banal) extension of the
controller code with:
sub do_edit {
    my ( $self, $c ) = @_;
    # the "extension": reject GET ("manual") requests
    if ( $c->req->method eq "GET" ) {
        $c->req->action(undef);
        $c->stash->{message} = "aaa";    # You must not modify the others' data!
        return $c->forward('/login/login');
    }
    .....
Am I wrong?
Vlad
On 8/3/05, David Storrs <dstorrs at dstorrs.com> wrote:
> > On 7/30/05, Vlad Bazon <vlad.bazon at gmail.com> wrote:
> >
> >> I do this in "list.html" (and not in a controller ...?!) - like:
> >> ......
> >> <td>
> >> [% IF (column == 'nume') and ((c.session.user_id == object.$primary)
> >> or (c.session.user_id == object.di_id.id)) %]
> >> <a href= [% c.req.base _ table_name _ "/edit/" _ object.$primary %] >
> >> [% END %]
> >> [% object.$column %]
> >> </td>
> >> ...... (so, only "user_id" has a "edit/7" action at disposition.)
> >>
> >> probably, it is not a good idea (because of the principle of
> >> M/C/V separation) - but it is so practical ...
>
> On Aug 3, 2005, at 2:30 AM, Vlad Bazon wrote:
>
> > A very bad solution!
> > <Any> user could type "http://.../edit/7" manually!
> > I am sorry ...
>
>
> Actually, it's a good solution--just not to the problem of
> authentication. This isn't an authentication technique, this is a
> user-interface technique: it helps to present the user with a
> simple, uncluttered interface that includes only the elements they
> need/can use. Authentication should be done via checking credentials,
> as you imply above.
>
> --Dks
>
> _______________________________________________
> Catalyst mailing list
> Catalyst at lists.rawmode.org
> http://lists.rawmode.org/mailman/listinfo/catalyst
>
_______________________________________________
Catalyst mailing list
Catalyst at lists.rawmode.org
http://lists.rawmode.org/mailman/listinfo/catalyst
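Added example, not code from the thread or from Catalyst: the pattern Wade and David describe, with the ownership/privilege check living in the controller action and applied to every request, so it does not matter whether "/edit/7" arrived by a typed URL (GET) or by a form submission (POST). The privilege table, the item records, the `user_may_modify` and `do_edit` subs and the `FakeContext` stand-in for Catalyst's `$c` are all constructed here so the file runs with plain Perl; in a real application the record would come from `$c->model(...)` and `$c` would be the real context object.

```perl
#!/usr/bin/perl
# Added example (not from the thread): server-side authorization for an
# "edit" action, exercised with a constructed stand-in for Catalyst's $c.
use strict;
use warnings;

# Constructed privilege table, standing in for the "table level auth links"
# Wade describes: which group may modify which table.
my %group_can_modify = (
    admins  => { users => 1, items => 1 },
    editors => { items => 1 },
    members => {},
);

# Constructed records, standing in for rows fetched from the database.
my %items = (
    7 => { id => 7, owner_id => 42, title => 'owned by user 42' },
    8 => { id => 8, owner_id => 99, title => 'owned by user 99' },
);

# Framework-independent check (hypothetical name): true when the session's
# user owns $record, or the user's group has modify rights on $table.
# Anything else, including an anonymous session or a missing record, is denied.
sub user_may_modify {
    my ( $session, $table, $record ) = @_;
    return 0 unless defined $session->{user_id};
    return 0 unless $record;
    return 1 if defined $record->{owner_id}
             && $record->{owner_id} == $session->{user_id};
    my $group = $session->{group} || '';
    return $group_can_modify{$group}{$table} ? 1 : 0;
}

# Shape of the edit action. The check runs before anything else on every
# request; the HTTP method only decides whether a change is applied.
sub do_edit {
    my ( $c, $id ) = @_;
    my $record = $items{$id};    # real code: $c->model('Item')->retrieve($id)
    unless ( user_may_modify( $c->session, 'items', $record ) ) {
        $c->res->status(403);
        $c->stash->{message} = "You must not modify other users' data";
        return $c->forward('/login/login');    # bounce back, as Wade describes
    }
    if ( $c->req->method eq 'POST' ) {
        $record->{title} = $c->req->params->{title};    # apply the change
    }
    $c->stash->{item} = $record;
    return 1;
}

# Constructed stand-in for the Catalyst context so the file runs on its own.
# Only the methods used above are modelled.
package FakeContext;
sub new {
    my ( $class, %a ) = @_;
    return bless { %a, stash => {}, status => 200, forwarded => undef }, $class;
}
sub session   { $_[0]{session} }
sub stash     { $_[0]{stash} }
sub res       { $_[0] }
sub req       { $_[0] }
sub status    { $_[0]{status} = $_[1] if @_ > 1; $_[0]{status} }
sub method    { $_[0]{method} }
sub params    { $_[0]{params} }
sub forward   { $_[0]{forwarded} = $_[1]; 0 }
sub forwarded { $_[0]{forwarded} || '(none)' }
package main;

# User 99 types the "edit/7" URL by hand: denied regardless of method.
my $c = FakeContext->new(
    session => { user_id => 99, group => 'members' },
    method  => 'GET',
    params  => {},
);
do_edit( $c, 7 );
printf "user 99 editing item 7: status %d, forwarded to %s\n",
    $c->status, $c->forwarded;

# The owner submits the edit form: allowed, and the change is applied.
my $c2 = FakeContext->new(
    session => { user_id => 42, group => 'members' },
    method  => 'POST',
    params  => { title => 'renamed' },
);
do_edit( $c2, 7 );
printf "user 42 editing item 7: status %d, title now '%s'\n",
    $c2->status, $items{7}{title};
```

Note that the method check inside `do_edit` only decides whether a change is applied; the authorization decision is made by `user_may_modify` before it, so a hand-crafted POST gets the same answer as a typed GET. The template condition quoted earlier in the thread can stay exactly as it is, doing the job David describes: hiding the link from users who have nothing to edit.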