[Catalyst] Example app showing user to "item" authorization?
Jason Gottshall
jgottshall at capwiz.com
Wed Dec 10 14:11:19 GMT 2008
Tomas Doran wrote:
>
> On 9 Dec 2008, at 04:24, bill hauck wrote:
>> So my question: is there an example application or best practice on
>> how to implement a check on all calls to see if the user should be
>> accessing a specific item? I guess this would apply to any type of
>> system: blog, auction, cms, etc. -- they all require checking if a
>> specific user can edit a specific item.
>
> Assuming that you're using DBIx::Class, then the common way of doing
> this would be to use ResultSet chaining to limit things.
>
> What you do is add a 'limit_by_user' method (name is not important -
> just pick one and stick to it for your entire app) on each ResultSet
> class which you can pass $c->user, and have it return a filtered result
> set.
>
> You then arrange your controllers such that you will call this method on
> all resultsets before actually searching them. The simplest strategy is
> to just have code like:
>
> $c->stash->{project} =
> $c->model('DB::Project')->limit_by_user($c->user)->find_by_foo($foo);
>
> whenever you want to do a search.
You might try using DBIx::Class::Schema::RestrictWithObject to do this
more centrally. Essentially you put all your "limit_by_user" filters
into one central package, then you just pass $c->user to the schema at
the beginning of the request. RestrictWithObject will intercept all
searches and tack on the appropriate filter for the requested resultset
for you.
HTH,
Jason
--
Jason Gottshall
jgottshall at capwiz.com
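The ResultSet-chaining pattern Tomas describes, written out as an added example (not code from the thread, nor from DBIx::Class or Catalyst themselves). It assumes a hypothetical `project` table with an `owner_id` column and a `$c->user` object that answers `->id` and `->is_admin`; package and column names are made up for illustration.

```perl
# Added example (not from the thread): the ResultSet-chaining pattern
# Tomas describes, as one ResultSet class plus a Catalyst controller.
# Assumed schema: a 'project' table with an 'owner_id' column, and a
# user object (from Catalyst::Plugin::Authentication) that answers
# ->id and ->is_admin. Package and column names are hypothetical.

package MyApp::Schema::ResultSet::Project;
use strict;
use warnings;
use base 'DBIx::Class::ResultSet';

# Narrow this resultset to rows the given user may touch. Returning a
# resultset (search_rs, not search) keeps it chainable in list context.
sub limit_by_user {
    my ($self, $user) = @_;

    # Assumed policy: no logged-in user yields an always-empty set,
    # not the unfiltered table, so a missing login fails closed.
    return $self->search_rs(\'1 = 0') unless $user;

    # Assumed policy: admins see everything, others only their own rows.
    return $self if $user->is_admin;
    return $self->search_rs({ 'me.owner_id' => $user->id });
}

1;

package MyApp::Controller::Project;
use strict;
use warnings;
use base 'Catalyst::Controller';

# Every action that takes a project id chains off this one, so the
# filter is applied before any row is loaded, not remembered per action.
sub project : Chained('/') PathPart('project') CaptureArgs(1) {
    my ($self, $c, $id) = @_;

    my $project = $c->model('DB::Project')
                    ->limit_by_user($c->user)
                    ->find($id);

    # A row the user may not see looks the same as one that does not
    # exist: answer 404 rather than 403, so ids cannot be enumerated.
    $c->detach('/default') unless $project;
    $c->stash->{project} = $project;
}

sub edit : Chained('project') PathPart('edit') Args(0) {
    my ($self, $c) = @_;
    # $c->stash->{project} is already authorization-filtered here.
}

1;
```

Because `find` is called on the filtered resultset, a request for someone else's project id returns undef and the chain stops before any action body runs.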