[Catalyst] Example app showing user to "item" authorization?

Tomas Doran bobtfish at bobtfish.net
Wed Dec 10 00:07:25 GMT 2008


On 9 Dec 2008, at 04:24, bill hauck wrote:
> So my question: is there an example application or best practice on  
> how to implement a check on all calls to see if the user should be  
> accessing a specific item?  I guess this would apply to any type of  
> system: blog, auction, cms, etc. -- they all require checking if a  
> specific user can edit a specific item.

Assuming that you're using DBIx::Class, then the common way of doing  
this would be to use ResultSet chaining to limit things.

What you do is add a 'limit_by_user' method (name is not important -
just pick one and stick to it for your entire app) on each ResultSet
class which you can pass $c->user, and have it return a filtered
result set.

You then arrange your controllers such that you will call this method  
on all resultsets before actually searching them. The simplest  
strategy is to just have code like:

$c->stash->{project} = $c->model('DB::Project')->limit_by_user($c->user)->find_by_foo($foo);

whenever you want to do a search.

This works well for simple cases. In more complex cases you can then
use any technique available to have the user filtering logic in one
place (and ResultSet agnostic), and have it called from anywhere it
is needed - such as explicitly forwarding to an action to do the
filtering, or inheritance of a common path-part in all your
controllers (using Chained dispatch), or having a final set of
filtering before passing things to your templates in an 'end' action.

The trick is to use the fact you can say

$rs = $schema->resultset('Project');
$rs = $rs->search( # limit by criteria 1 );
$rs = $rs->search( # limit by criteria 2 );

etc, as many times as you need to build up a complex search, and
adding a common method to your ResultSet classes so that you can do
the user filtering in one place.

Which technique to actually use to call into this common user- 
filtering code is very much up to you (and varies depending on how  
you have built your application / what type of app it is / what the  
URL structure is like, etc), but most people would recommend looking  
at Chained actions as they tend to naturally make this sort of thing  
easy.

I hope that makes enough sense for you to have some ideas about where  
to start without confusing you utterly!

Cheers
t0m
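The pattern the reply describes, written out as an added example (this is not code from the original thread or from Catalyst/DBIx::Class themselves). It assumes a hypothetical schema `MyApp::Schema` loaded with `load_namespaces` (so a `ResultSet::Project` class is picked up automatically for the `Project` result), a `projects` table with an `owner_id` column, and `Catalyst::Plugin::Authentication` providing `$c->user_exists` and `$c->user` with a user object whose `id` is the owner key. The `/login` and `/default` actions are assumed to exist elsewhere in the app.

```perl
# MyApp/Schema/ResultSet/Project.pm  (hypothetical class name)
package MyApp::Schema::ResultSet::Project;
use strict;
use warnings;
use base 'DBIx::Class::ResultSet';

# The common filter from the reply: take a user object and return a new
# ResultSet restricted to rows that user may see. Because search() chains,
# callers can keep adding ->search(...) conditions afterwards.
sub limit_by_user {
    my ($self, $user) = @_;

    # Fail closed: a missing user must never yield an unfiltered set.
    die 'limit_by_user requires a user object' unless defined $user;

    # Assumed schema: each project belongs to one user via 'owner_id'.
    # The 'me.' alias keeps the condition unambiguous if this set is
    # later joined against other tables.
    return $self->search({ 'me.owner_id' => $user->id });
}

1;

# MyApp/Controller/Project.pm  (hypothetical class name)
package MyApp::Controller::Project;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# Root of the chain: every /project/... URL passes through here, so the
# user filter is applied once and no leaf action can forget it.
sub base : Chained('/') PathPart('project') CaptureArgs(0) {
    my ($self, $c) = @_;
    $c->detach('/login') unless $c->user_exists;   # assumed login action
    $c->stash->{projects} = $c->model('DB::Project')->limit_by_user($c->user);
}

# Captures the item id and looks it up only inside the filtered set.
sub item : Chained('base') PathPart('') CaptureArgs(1) {
    my ($self, $c, $id) = @_;
    my $project = $c->stash->{projects}->find($id);
    # A project owned by someone else and a project that does not exist
    # look identical from here, so a guessed id reveals nothing.
    $c->detach('/default') unless $project;          # assumed 404 action
    $c->stash->{project} = $project;
}

# Leaf actions only ever see an already-authorized $project.
sub view : Chained('item') PathPart('') Args(0) {
    my ($self, $c) = @_;
    $c->stash->{template} = 'project/view.tt';
}

sub edit : Chained('item') PathPart('edit') Args(0) {
    my ($self, $c) = @_;
    my $project = $c->stash->{project};
    if ($c->req->method eq 'POST') {
        $project->update({ name => $c->req->params->{name} });
    }
    $c->res->redirect($c->uri_for_action('/project/view', [ $project->id ]));
}

__PACKAGE__->meta->make_immutable;
1;
```

With this layout a request such as `/project/42/edit` runs `base`, then `item`, then `edit`; the row for 42 is fetched through `limit_by_user`, so a user who does not own it gets the same response as for an id that was never created. Keeping the ownership condition in the ResultSet class rather than in each controller action means any future action chained off `base` inherits the check without extra code.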



