[Catalyst] catalyst-Plugin-authentication-cdbi

Yuval Kogman nothingmuch at woobling.org
Thu Nov 17 12:04:10 CET 2005


On Wed, Nov 16, 2005 at 10:02:52 -0800, Will Smith wrote:
> Hi,
>   I use this mod to force users to log in to myapp. The sample code works fine:
>
>   sub login : Path('/login') {
>     my ( $self, $c ) = @_;
>     $c->stash->{template} = "login.tt";
>     if ($c->req->params->{email}) {
>         $c->session_login(
>                           $c->req->params->{email},
>                           $c->req->params->{passphrase}
>                          );
>         $c->res->redirect( 'home' ) if $c->req->{user};
>     }
> }
>
>   ---------
>   I have users identified by userid, and all other objects are linked to this userid (contract, bill ...). The questions are:
>
>   - When a user logs in, he/she is allowed to see his/her own objects, let's say objectid = 1. So when doing add/edit... the objectid=1 appears in the address bar. What if the person types objectid=2 to do edit/add/delete... the user is led to the pages of objectid=2. How do I prevent this? I think about hiding the trail in the address bar, but that's not the way.

You're right, it isn't the way =)

	if ( $obj->owner == $c->user ) {

	}

And then make sure that every obj has_a owner, which is a
relationship to the Users table.

This is the simplest way, I think.

You can also use the model to enforce this - make every object a
YourApp::Model::CDBI::OwnedObject, and put in a little check -
whenever the object is retrieved from the database, use caller till
you find an action, and then check that the first arg ($c) has a
user, and the user is the owner.

This sort of breaks encapsulation, but what the hey.

http://search.cpan.org/perldoc?Devel%3A%3ACaller
http://search.cpan.org/perldoc?Devel%3A%3ACaller%3A%3APerl

>   - after login, the userid will be used as a global variable that allows the user access to his/her own objects. Where is the right place that I declare this variable so that I can access it anywhere? Is it in the config part?

$c->user (new auth) or $c->req->{user} (old auth) contains this
data. I don't remember how it works in the old scheme, but under new
auth this is an object.

>   - Using session, does this mean that when the same user logs in on another machine, the previous session will be killed?

No, the session data can simply contain the user ID that was used
for login.

If you need this you need to store the session ID in the user, as
well as the cookie, and add a check that ensures that

	$c->user->session_id eq $c->sessionid
		or $c->delete_session("already logged in");

-- 
 ()  Yuval Kogman <nothingmuch at woobling.org> 0xEBD27418  perl hacker &
 /\  kung foo master: /me sushi-spin-kicks : neeyah!!!!!!!!!!!!!!!!!!!!
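The two checks discussed in this thread, the ownership test on every object action and the one-session-per-user rule, as an added Catalyst controller example; this is not code from the thread, from Catalyst::Plugin::Authentication or from any other CPAN module. It assumes a Catalyst application with Catalyst::Plugin::Authentication (for `$c->authenticate`, `$c->user`, `$c->user_exists`) and Catalyst::Plugin::Session (for `$c->sessionid`, `$c->delete_session`) loaded, chained actions (which postdate this 2005 thread), a hypothetical Class::DBI class `Contract` whose rows have an `owner()` has_a relationship to the Users table, and a user object that exposes the row's `session_id` column accessor and `update` method (call them on the underlying row instead if your store wraps it). The package name, `/home` and the template names are made up for the example.

```perl
package MyApp::Controller::Contract;
use strict;
use warnings;
use base 'Catalyst::Controller';

# Assumptions for this example (see lead-in): Catalyst::Plugin::Authentication
# provides $c->authenticate, $c->user and $c->user_exists;
# Catalyst::Plugin::Session provides $c->sessionid and $c->delete_session;
# Contract is a hypothetical Class::DBI class with an owner() relationship
# to the Users table.

# Login: the same flow as the original post, plus recording which session
# the login belongs to so a later login elsewhere can be detected.
sub login : Path('/login') {
    my ( $self, $c ) = @_;
    my $p = $c->req->params;
    $c->stash->{template} = 'login.tt';

    if ( $p->{email}
        && $c->authenticate( { email => $p->{email}, password => $p->{passphrase} } ) )
    {
        # Assumed: the user object exposes the row's session_id column and update()
        $c->user->session_id( $c->sessionid );
        $c->user->update;
        $c->res->redirect( $c->uri_for('/home') );
    }
}

# Chain root for /contract/<objectid>/...: every action hanging off it sees
# the object only after the three checks below have passed.
sub contract : Chained('/') PathPart('contract') CaptureArgs(1) {
    my ( $self, $c, $objectid ) = @_;

    # 1. Must be logged in.
    unless ( $c->user_exists ) {
        $c->res->redirect( $c->uri_for('/login') );
        $c->detach;
    }

    # 2. One session per user: the session id stored at login must be the
    #    session that sent this request; otherwise the newer login wins.
    my $stored = $c->user->session_id;
    if ( defined $stored && $stored ne $c->sessionid ) {
        $c->delete_session('already logged in');
        $c->res->redirect( $c->uri_for('/login') );
        $c->detach;
    }

    # 3. Ownership: compare primary keys explicitly rather than relying on
    #    object overloading.  Editing objectid in the address bar now gets
    #    a 403 instead of someone else's object.
    my $obj = Contract->retrieve($objectid);    # Class::DBI lookup by primary key
    unless ( $obj && $obj->owner->id == $c->user->id ) {
        # Identical response for "no such object" and "not yours", so the
        # URL cannot be used to probe which ids exist.
        $c->res->status(403);
        $c->res->body('Forbidden');
        $c->detach;
    }
    $c->stash->{contract} = $obj;
}

sub edit : Chained('contract') PathPart('edit') Args(0) {
    my ( $self, $c ) = @_;
    # $c->stash->{contract} is guaranteed to belong to $c->user here.
    $c->stash->{template} = 'contract/edit.tt';
}

sub remove : Chained('contract') PathPart('delete') Args(0) {
    my ( $self, $c ) = @_;
    $c->stash->{contract}->delete;    # Class::DBI row delete
    $c->res->redirect( $c->uri_for('/home') );
}

1;
```

Putting the checks in the chain root rather than in each action is the point: `edit` and `remove` cannot be reached with an object the current user does not own, so a new action added later inherits the check instead of having to remember it.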
