[Catalyst] ACL Plugin

[Jason Kohles]

On Nov 17, 2007, at 6:28 AM, jagdish eashwar wrote:

> Hi,
> I am in the process of writing a small catalyst application for
> handling leave applications in my office. It is my very first catalyst
> project. I have 3 roles in that application - user, section_head and
> dept_head. I want to restrict the sanctioning of leave to the
> section_head and the dept_head. For the purpose, I inserted the
> following lines in the myleave.pm file after __PACKAGE__->setup :
>
> #Authorization::ACL Rules
> __PACKAGE__->deny_access_unless(
> 	"/leave_ctl/sanction",
> 	[qw/section_head dept_head/],
> 	);
> It worked fine last evening, but since this morning access is being
> denied to both the section_head and dept_head. After several trials, I
> finally got it to work only when I specified just one role in the
> deny_access_unless clause. But if I specify the roles singly in two
> separate clauses, again access is denied to both the roles. What am I
> doing wrong?
>
Your rule only grants access to people with *both* roles, it probably  
worked last night because the application hadn't been restarted after  
the code was changed, so there was no access control.  If you want to  
allow with either role, you should do it with something like this  
instead:

__PACKAGE__->allow_access_if(
	"/leave_ctl/sanction",
	[ 'section_head' ],
);
__PACKAGE__->allow_access_if(
	"/leave_ctl/sanction",
	[ 'dept_head' ],
);
__PACKAGE__->deny_access( "/leave_ctl/sanction" );


I tend to simplify this with a function like the following:

sub allow_access_if_any {
	my ( $self, $path, @roles ) = @_;

	for ( @roles ) {
		$self->allow_access_if( $path, $_ );
	}
	$self->deny_access( $path );
}

Then you can just say:

__PACKAGE__->allow_access_if_any(
	"/leave_ctl/sanction",
	qw( section_head dept_head ),
);

-- 
Jason Kohles, RHCA RHCDS RHCE
email at jasonkohles.com - http://www.jasonkohles.com/
"A witty saying proves nothing."  -- Voltaire