[Catalyst] Re: Beginner Question: Controller Layout
kevin montuori
montuori at gmail.com
Tue Dec 9 23:46:41 GMT 2008
>>>>> "bh" == bill hauck <wbhauck at yahoo.com> writes:
bh> For this site how would you control which user/band edits which
bh> scheduled events, uploads pictures, etc.? Do you have each
bh> function check the database? Do you write one function for each
bh> type of "item" and simply call it?
for granular authorizations like this i'd have my controller mix-in a
base class which would provide functions like:
$self->can_edit_widget($widget_id)
then the can_edit_widget can do whatever sorts of authz are necessary.
usually this means that it'll return true if the $c->user is in some
sort of administrator role or has a relationship to the widget in
question that allows for the action.
this method might be something like:
sub can_edit_widget {
    my ($self, $widget_id) = @_;
    my $c = $self->context;
    # administrators may edit any widget
    return 1 if $c->check_any_user_role($c->user, 'administrator');
    # otherwise only the widget's owner may edit it
    return 1 if $c->model('MyApp::Widgets')->is_owner($c->user, $widget_id);
    # fall through: not authorized (returns an empty list / undef)
    return;
}
i'm not sure that this could be considered "best practice" or even
recommended, but it does allow for a mix of role based and app
specific authz. by doing the work in a mix-in class the authz logic
is easily changed (or audited) independently of what the controller is
doing. it's also nice for controllers to ask relevant questions like
"can_edit_widget" rather than "is_owner" ... if nothing else the guy
who maintains your code next will understand why you wanted to know.
k.
--
kevin montuori
montuori at gmail.com
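The following is an added, self-contained illustration of the mix-in pattern described above; it is not code from kevin's post or from Catalyst. It generalises can_edit_widget into a single can_edit_item keyed on a table of item types (one answer to the "one function per type of item" question), and it denies by default for anonymous users and unknown item types. FakeContext and MyApp::Model::Widgets are constructed stand-ins that mimic only the calls the mix-in uses ($c->user, $c->check_any_user_role, $c->model(...)->is_owner), so the script runs with core Perl alone.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# --- Constructed stand-ins (not Catalyst) for the context and a model --------
package MyApp::Model::Widgets;
sub new { my ($class, %owners) = @_; return bless { owners => \%owners }, $class }
# is_owner: true when the owner recorded for $widget_id is this user
sub is_owner {
    my ($self, $user, $widget_id) = @_;
    my $owner = $self->{owners}{$widget_id};
    return defined $owner && $owner eq $user->{name};
}

package FakeContext;
sub new {
    my ($class, %args) = @_;
    return bless { user => $args{user}, models => $args{models} }, $class;
}
sub user  { $_[0]{user} }
sub model { $_[0]{models}{ $_[1] } }
# check_any_user_role: true when the user holds at least one of @roles
sub check_any_user_role {
    my ($self, $user, @roles) = @_;
    my %has = map { $_ => 1 } @{ $user->{roles} || [] };
    return scalar grep { $has{$_} } @roles;
}

# --- The mix-in: authorization questions a controller can ask ----------------
package MyApp::ControllerRole::Authz;

# Hypothetical table: per item type, which model answers "is_owner".
# A new kind of item is a new row here, not another hand-written method.
my %OWNED_BY = (
    widget => 'MyApp::Widgets',
);

sub can_edit_item {
    my ($self, $type, $item_id) = @_;
    my $c = $self->context;
    return 0 unless $c->user;                       # anonymous: deny
    return 1 if $c->check_any_user_role($c->user, 'administrator');
    my $model_name = $OWNED_BY{$type} or return 0;  # unknown type: deny
    return 1 if $c->model($model_name)->is_owner($c->user, $item_id);
    return 0;                                       # default: deny
}

# The question the controller actually asks, in its own vocabulary
sub can_edit_widget { my ($self, $id) = @_; return $self->can_edit_item(widget => $id) }

# --- A controller that mixes the authz class in ------------------------------
package MyApp::Controller::Widget;
our @ISA = ('MyApp::ControllerRole::Authz');
sub new     { my ($class, $c) = @_; return bless { context => $c }, $class }
sub context { $_[0]{context} }

# edit: the answer decides between 200 and 403
sub edit {
    my ($self, $widget_id) = @_;
    return { status => 403, body => 'forbidden' }
        unless $self->can_edit_widget($widget_id);
    return { status => 200, body => "editing widget $widget_id" };
}

package main;

# Constructed data: widget 42 belongs to alice
my $widgets = MyApp::Model::Widgets->new(42 => 'alice');
my %models  = ('MyApp::Widgets' => $widgets);

for my $user ( { name => 'alice', roles => [] },
               { name => 'bob',   roles => ['administrator'] },
               { name => 'carol', roles => ['editor'] },
               undef ) {
    my $c   = FakeContext->new(user => $user, models => \%models);
    my $res = MyApp::Controller::Widget->new($c)->edit(42);
    my $who = $user ? $user->{name} : 'anonymous';
    printf "%-9s -> %d %s\n", $who, $res->{status}, $res->{body};
}
# alice (owner) and bob (administrator) get 200; carol and anonymous get 403
```

Because every path that is not an explicit grant ends in a deny, adding a new item type or role cannot accidentally widen access, and the authz decisions stay in one package that can be reviewed on its own, which is the auditability point the post makes.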