[Catalyst] another variation on auth -- any gotchas?

Phil Mitchell seasprocket at gmail.com
Sun Aug 14 18:02:27 CEST 2005


I've just added an authentication layer to my app, and since I did it
in a slightly different way from the docs or other posts on this list
I wanted to have other eyeballs to make sure there are no gotchas.

Btw, kudos to Cat::Auth and catalyst in general for making session
login/logout so easy. Sweet!

The standard part of what I did was add an auth check to MyApp::begin.
But the issue that arises is how to cleanly exempt certain actions
from the auth check. (E.g., in my case, I want page views exempt, but
edits protected.) Yes, you can have a giant switch statement, but
that's not very maintainable. Here's what I did:

I created a MyApp::C::Pub controller which overrides begin() to
prevent the auth check. Then I have a separate controller hierarchy,
MyApp::C::Pub::Lib, MyApp::C::Pub::Page, etc. which automatically
"inherits" this override. This makes all /pub/anything actions exempt
from authentication. (Somewhat counterintuitively, these
sub-controllers don't actually subclass MyApp::C::Pub. They get the
behavior automagically.)

Any loopholes in this?

The one loophole that I see is that forwards can unintentionally
bypass the auth check. But that's true with the switch statement
approach, too. As was suggested earlier, you really need to override
Catalyst internals and put your check there to avoid that.

I wonder if anyone thinks it would be cool to have another sub
attribute that could be applied to actions -- something like
'Protected', which automatically called an auth check before the
action?

-- 
==========================
2People Blog: http://2-people.blogspot.com/
2People site: http://www.2people.org
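As an added example (an editor's illustration, not the poster's code): the begin()-based layout described in the post, plus a per-action check that closes the forward() loophole by putting the test inside the protected action itself. It assumes a current Catalyst with Catalyst::Plugin::Authentication ($c->user_exists) and an existing /login action; the controller and action names are made up, and each package would live in its own file under lib/.

```perl
package MyApp;
use strict;
use warnings;
# Assumed plugin set: a session store plus Authentication, which provides
# $c->user_exists. The exact list is illustrative.
use Catalyst qw/Session Session::State::Cookie Session::Store::File Authentication/;

# The dispatcher runs the begin() closest to the action's namespace, so this
# one guards every action not living under a controller with its own begin().
sub begin : Private {
    my ($self, $c) = @_;
    return if $c->user_exists;                 # logged in: continue to the action
    $c->res->redirect($c->uri_for('/login'));  # '/login' is an assumed action
    $c->detach;                                # stop here; the action never runs
}

# Helper for actions that must stay protected even when reached via forward().
# forward() skips begin(), so a protected action calls this as its first line.
sub require_login {
    my $c = shift;
    return 1 if $c->user_exists;
    $c->res->redirect($c->uri_for('/login'));
    $c->detach;                                # aborts the current action chain
}

__PACKAGE__->setup;

package MyApp::C::Pub;                         # namespace /pub: no auth check
use base 'Catalyst::Controller';
sub begin : Private { }                        # empty override hides MyApp::begin

package MyApp::C::Pub::Page;                   # /pub/page/*: gets Pub's begin()
use base 'Catalyst::Controller';
sub view : Local {
    my ($self, $c) = @_;
    $c->res->body('public page');              # reachable without a login
}

package MyApp::C::Page;                        # /page/*: guarded by MyApp::begin
use base 'Catalyst::Controller';
sub edit : Local {
    my ($self, $c) = @_;
    $c->require_login;                         # still enforced if forwarded to
    $c->res->body('edit form');                # reached only when logged in
}

1;
```

With this layout a forward('/page/edit') from a /pub action is still stopped by require_login, which the begin()-only approach would not do.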
