[Catalyst] catalyst-Plugin-authentication-cdbi
Jules Bean
jules at jellybean.co.uk
Fri Nov 18 10:08:49 CET 2005
Will Smith wrote:
> - When a user logs in, he/she is allowed to see his/her own objects, let's say
> objectid = 1. So when doing add/edit...the objectid=1 appears on the
> address bar. What if the person types objectid=2 to do edit/add/delete
> ...the user is led to the pages of objectid=2. How do I prevent this? I
> think about hiding the trail on the address bar, but that's not the way.
You're quite right that altering the URL doesn't fundamentally solve the
problem.
Your view/edit/add/delete pages will just have to check that the object
does really belong to the user in question. (If each user only had one
object, then of course you wouldn't need to know the ID of it at all,
you could just work it out from the user. That's not a general solution).
>
> - After login, the userid will be used as a global variable that allows
> the user access to his/her own objects. Where is the right place to
> declare this variable so that I can access it anywhere? Is it in the config
> part?
You put it in the stash, probably:
$c->stash->{userobj} = ...
Or possibly you have the userid in the session already and it's enough
to just use that.
> - Using session, does this mean that when the same user logs in on another
> machine, the previous session will be killed?
As far as I know, this is not the standard behaviour of the session
plugins. There might be times when you would want this, and it would be
possible, but it's not how they currently work.
Jules
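
The ownership check described in the reply above, as an added example that is not part of the original message or of Catalyst itself: plain Perl over a constructed in-memory table, where fetch_owned, handle and the session hash are hypothetical names. In a Catalyst action the same lookup would run before any view/edit/delete logic, with the user id taken from the session or stash rather than from the request.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for the database table.
my %OBJECTS = (
    1 => { id => 1, owner_id => 10, title => 'first note'  },
    2 => { id => 2, owner_id => 20, title => 'second note' },
);

# Hypothetical helper: look up an object by id, scoped to its owner.
# $user_id must come from server-side state (session or stash),
# never from a request parameter.
sub fetch_owned {
    my ($user_id, $object_id) = @_;
    return unless defined $user_id;                        # not logged in
    return unless defined $object_id && $object_id =~ /\A[0-9]+\z/;
    my $obj = $OBJECTS{$object_id} or return;              # no such object
    return unless $obj->{owner_id} == $user_id;            # someone else's
    return $obj;
}

# Hypothetical handler shared by view/edit/delete: every action goes
# through fetch_owned before it touches the object.
sub handle {
    my ($session, $action, $object_id) = @_;
    my $obj = fetch_owned($session->{user_id}, $object_id)
        or return (404, 'Not found');  # same answer for missing and foreign ids
    if ($action eq 'delete') {
        delete $OBJECTS{ $obj->{id} };
        return (200, "deleted $obj->{id}");
    }
    return (200, "$action $obj->{id}: $obj->{title}");
}

my $session = { user_id => 10 };       # constructed: user 10 is logged in
for my $req ([view => 1], [edit => 2], [delete => 2], [view => '2x'], [delete => 1]) {
    my ($status, $body) = handle($session, @$req);
    printf "%-6s objectid=%-4s -> %d %s\n", @$req, $status, $body;
}
```

Only the requests for objectid=1 succeed; objectid=2 and the malformed id get the same 404, so the response does not reveal which ids exist.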