[Catalyst] Restricting access to the model

Will Hawes info at whawes.co.uk
Mon Jul 3 15:13:56 CEST 2006


Andreas Marienborg wrote:
> If the Order has a user field, why not just relationships?
> 
> package My::Model::User;
> 
> __PACKAGE__->has_many(orders and so on);
> 
> then you always do $user->orders to get a users orders for instance.
> 
> If you need it for more complex things, I would say it belongs in the model.

"Restricting access" was probably not the best term to use - it's not so 
much "which orders belong to user X?" that I'm trying to answer (I 
already use the approach you describe for that).

It's "can user X access this order?". IMO it does seem to fit better in 
the model - I just can't see for the moment how I could implement 
different access rules in different apps if I'm using common model 
classes. That's what makes me wonder about putting this in a controller 
instead.

> 
> 
> andreas
> 
> On 3. jul. 2006, at 12.54, Will Hawes wrote:
> 
>> I need to restrict access to certain model classes based on which user
>> is logged in to my app. For example, users should not be able to view
>> orders belonging to other users. Possibly due to thinking about it too
>> much, I can't decide whether it makes sense to put this functionality in
>> the Controller or Model layer of the app. My initial thought was to add
>> subs to model classes something like:
>>
>> package My::Model::Order;
>>
>> sub can_view {
>>    my ( $self, $user ) = @_;
>>    if( $user->id ne $self->user->id ) {
>>      return 0;
>>    }
>>    return 1;
>> }
>>
>> The thing I don't particularly like about this is that if I want to use
>> the same functionality in another app sharing this model (fairly likely)
>> then they will have to agree about the specific rules for who can access
>> which model classes, which may not always be desirable.
>>
>> Instead I thought about using a dedicated controller class to add the
>> aforementioned subs to model classes instead, i.e. only for that
>> controller's application. This seems to make sense but I'm not sure if
>> I've overlooked any problems it may introduce.
>>
>> I imagine similar functionality must be a reasonably common requirement,
>> so my question is, how have others implemented it?
>>
>> _______________________________________________
>> List: Catalyst at lists.rawmode.org
>> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
>> Searchable archive: http://www.mail-archive.com/catalyst at lists.rawmode.org/
>> Dev site: http://dev.catalyst.perl.org/

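One way to keep the "can user X access this order?" decision in a shared model while letting each application choose its own rule, as an added example that is not code from the thread or from Catalyst itself. The package names, the policy variable and the role attribute are hypothetical; the default rule reproduces the owner-only check from the original post.

```perl
# Added example: the model owns the can_view entry point, but the actual
# rule is a policy code ref that each application installs at startup.
# My::Model::Order, My::Model::User and My::Policy are hypothetical names.
package My::Model::Order;
use strict;
use warnings;

# Default policy: owner-only, the same rule as the original can_view sub.
our $POLICY = sub {
    my ($order, $user) = @_;
    return $order->user_id == $user->id ? 1 : 0;
};

sub new {
    my ($class, %args) = @_;
    return bless { %args }, $class;
}
sub id      { $_[0]{id} }
sub user_id { $_[0]{user_id} }

# Every app calls this; which rule runs is decided by the app, not here.
sub can_view {
    my ($self, $user) = @_;
    return 0 unless defined $user;          # fail closed for anonymous access
    return $POLICY->($self, $user) ? 1 : 0;
}

package My::Model::User;
sub new  { my ($class, %a) = @_; bless {%a}, $class }
sub id   { $_[0]{id} }
sub role { $_[0]{role} // 'customer' }

package main;

# Application A keeps the default owner-only rule.
my $order = My::Model::Order->new(id => 7, user_id => 42);
my $owner = My::Model::User->new(id => 42);
my $staff = My::Model::User->new(id => 99, role => 'support');
print "App A, owner: ", $order->can_view($owner), "\n";
print "App A, staff: ", $order->can_view($staff), "\n";
print "App A, anon:  ", $order->can_view(undef), "\n";

# Application B (say, a back-office tool) installs a wider rule once at
# startup: the owner or support staff may view. The rule lives in the app.
$My::Model::Order::POLICY = sub {
    my ($o, $u) = @_;
    return 1 if $u->role eq 'support';
    return $o->user_id == $u->id ? 1 : 0;
};
print "App B, staff: ", $order->can_view($staff), "\n";
```

The policy variable is process-wide, so in a Catalyst app it should be set once during setup rather than per request; the model still guarantees that a missing user is always refused, whatever rule an application installs.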