[Catalyst] ACL Plugin

jagdish eashwar jagdish.eashwar at gmail.com
Sun Nov 18 16:20:39 GMT 2007


On Nov 18, 2007 3:15 AM, Jason Kohles <email at jasonkohles.com> wrote:
>
> On Nov 17, 2007, at 6:28 AM, jagdish eashwar wrote:
>
> > Hi,
> > I am in the process of writing a small catalyst application for
> > handling leave applications in my office. It is my very first catalyst
> > project. I have 3 roles in that application - user, section_head and
> > dept_head. I want to restrict the sanctioning of leave to the
> > section_head and the dept_head. For the purpose, I inserted the
> > following lines in the myleave.pm file after __PACKAGE__->setup :
> >
> > #Authorization::ACL Rules
> > __PACKAGE__->deny_access_unless(
> >       "/leave_ctl/sanction",
> >       [qw/section_head dept_head/],
> >       );
> > It worked fine last evening, but since this morning access is being
> > denied to both the section_head and dept_head. After several trials, I
> > finally got it to work only when I specified just one role in the
> > deny_access_unless clause. But if I specify the roles singly in two
> > separate clauses, again access is denied to both the roles. What am I
> > doing wrong?
> >
> Your rule only grants access to people with *both* roles, it probably
> worked last night because the application hadn't been restarted after
> the code was changed, so there was no access control.  If you want to
> allow with either role, you should do it with something like this
> instead:
>
> __PACKAGE__->allow_access_if(
>         "/leave_ctl/sanction",
>         [ 'section_head' ],
> );
> __PACKAGE__->allow_access_if(
>         "/leave_ctl/sanction",
>         [ 'dept_head' ],
> );
> __PACKAGE__->deny_access( "/leave_ctl/sanction" );
>
>
> I tend to simplify this with a function like the following:
>
> sub allow_access_if_any {
>         my ( $self, $path, @roles ) = @_;
>
>         for ( @roles ) {
>                 $self->allow_access_if( $path, $_ );
>         }
>         $self->deny_access( $path );
> }
>
> Then you can just say:
>
> __PACKAGE__->allow_access_if_any(
>         "/leave_ctl/sanction",
>         qw( section_head dept_head ),
> );
>
> --
> Jason Kohles, RHCA RHCDS RHCE
> email at jasonkohles.com - http://www.jasonkohles.com/
> "A witty saying proves nothing."  -- Voltaire
>
>
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
> Dev site: http://dev.catalyst.perl.org/
>

Hi Jason Kohles, Matt S Trout and Matt Rosin,

Thanks very much for responding. For allowing access to
/leave_ctl/sanction to both section_head and dept_head,
'allow_access_if' works, but not 'deny_access_unless'. I was slightly
misled by the example in the catalyst tutorial which says,

Begin quote

Open lib/MyApp.pm in your editor and add the following BELOW the
__PACKAGE__->setup; statement:

    # Authorization::ACL Rules
    __PACKAGE__->deny_access_unless(
            "/books/form_create",
            [qw/admin/],
        );
    __PACKAGE__->deny_access_unless(
            "/books/form_create_do",
            [qw/admin/],
        );
    __PACKAGE__->deny_access_unless(
            "/books/delete",
            [qw/user admin/],
        );

Each of the three statements above comprises an ACL plugin "rule". The
first two rules only allow admin-level users to create new books using
the form (both the form itself and the data submission logic are
protected). The third statement allows both users and admins to delete
books.

End quote

See the last line which explains the third ACL rule above. Because of
your writing in, I now know that's wrong. But in my ignorance, I was
reading the third rule as 'deny access to /books/delete unless the
user is either a user or an admin'. It should be correctly read as
'deny access to /books/delete unless the user is both a user and an
admin'. In other words, the roles specified in the ACL rule are joined
by AND and not OR.

I later found this stated very clearly in the link to
Catalyst::Plugin::Authorization::ACL given in the tutorial:

Begin quote
If allow_access_if is used, the presence of all the roles will
immediately permit access, and if deny_access_unless is used the lack
of any of the roles will immediately deny access.
End quote

Regards,

Jagdish Eashwar
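As an added illustration of the AND-vs-OR point discussed in this thread (not code from Catalyst, from Jason, or from Jagdish), the following stand-alone Perl script models the ACL rule evaluation outside a running application: rules are kept in order, `allow_access_if` and `deny_access_unless` both require *all* of the listed roles, and the `allow_access_if_any` helper expands to one allow rule per role followed by an explicit deny. The `ToyACL` package, its `check` method, the sample users and the `/leave_ctl/view` path are all constructed for this example; the helper here wraps each role in an array ref (`[$_]`), and the model assumes that a path with no matching rule is allowed, which is the reason the trailing `deny_access` matters.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model of ordered ACL rule evaluation (not the real plugin).
package ToyACL;

sub new { my $class = shift; return bless { rules => [] }, $class }

# Allow only when every listed role is present (all roles joined by AND).
sub allow_access_if {
    my ( $self, $path, $roles ) = @_;
    push @{ $self->{rules} },
        [ $path, sub { _has_all( $_[0], $roles ) ? 'allow' : undef } ];
    return $self;
}

# Deny as soon as any one of the listed roles is missing.
sub deny_access_unless {
    my ( $self, $path, $roles ) = @_;
    push @{ $self->{rules} },
        [ $path, sub { _has_all( $_[0], $roles ) ? undef : 'deny' } ];
    return $self;
}

# Unconditional deny, used as the fall-through after per-role allows.
sub deny_access {
    my ( $self, $path ) = @_;
    push @{ $self->{rules} }, [ $path, sub { 'deny' } ];
    return $self;
}

# "Any of these roles": one allow rule per role, then deny everyone else.
sub allow_access_if_any {
    my ( $self, $path, @roles ) = @_;
    $self->allow_access_if( $path, [$_] ) for @roles;
    $self->deny_access($path);
    return $self;
}

sub _has_all {
    my ( $user_roles, $needed ) = @_;
    my %have = map { $_ => 1 } @$user_roles;
    return !grep { !$have{$_} } @$needed;
}

# Walk the rules in order; the first decisive verdict wins.
# ASSUMPTION of this model: no matching rule means access is allowed.
sub check {
    my ( $self, $path, $user_roles ) = @_;
    for my $rule ( @{ $self->{rules} } ) {
        my ( $rule_path, $code ) = @$rule;
        next unless $rule_path eq $path;
        my $verdict = $code->($user_roles);
        return $verdict if defined $verdict;
    }
    return 'allow';
}

package main;

# Constructed sample users and their roles.
my %users = (
    alice => ['section_head'],
    bob   => ['dept_head'],
    carol => ['user'],
    dave  => [ 'section_head', 'dept_head' ],
);

# Rule set 1: the original single deny_access_unless listing both roles.
my $and_acl = ToyACL->new->deny_access_unless(
    '/leave_ctl/sanction', [qw/section_head dept_head/] );

# Rule set 2: allow with either role, then an explicit deny for everyone else.
my $or_acl = ToyACL->new->allow_access_if_any(
    '/leave_ctl/sanction', qw/section_head dept_head/ );

for my $name ( sort keys %users ) {
    printf "%-6s %-23s AND-rule: %-5s  OR-rules: %s\n",
        $name, join( ',', @{ $users{$name} } ),
        $and_acl->check( '/leave_ctl/sanction', $users{$name} ),
        $or_acl->check( '/leave_ctl/sanction', $users{$name} );
}

# A path with no rule at all is allowed in this model, for anyone.
printf "\nno rule for /leave_ctl/view: %s\n",
    $or_acl->check( '/leave_ctl/view', $users{carol} );
```

Running it shows the behaviour described in the thread: under the single `deny_access_unless` rule only dave (who holds both roles) is allowed, while under the per-role allow rules alice, bob and dave are allowed and carol is denied by the trailing deny. The last line is the caveat worth keeping in mind when reviewing such rules: an action that no rule mentions is not protected at all, so every sensitive path needs a rule of its own.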
