[Catalyst] Example app showing user to "item" authorization?
Jason Gottshall
jgottshall at capwiz.com
Wed Dec 10 14:28:19 GMT 2008
Jason Gottshall wrote:
> Tomas Doran wrote:
>>
>> On 9 Dec 2008, at 04:24, bill hauck wrote:
>>> So my question: is there an example application or best practice on
>>> how to implement a check on all calls to see if the user should be
>>> accessing a specific item? I guess this would apply to any type of
>>> system: blog, auction, cms, etc. -- they all require checking if a
>>> specific user can edit a specific item.
>>
>> Assuming that you're using DBIx::Class, then the common way of doing
>> this would be to use ResultSet chaining to limit things.
>>
>> What you do is add a 'limit_by_user' method (name is not important -
>> just pick one and stick to it for your entire app) on each ResultSet
>> class which you can pass $c->user, and have it return a filtered
>> result set.
>>
>> You then arrange your controllers such that you will call this method
>> on all resultsets before actually searching them. The simplest
>> strategy is to just have code like:
>>
>> $c->stash->{project} =
>> $c->model('DB::Project')->limit_by_user($c->user)->find_by_foo($foo);
>>
>> whenever you want to do a search.
>
> You might try using DBIx::Class::Schema::RestrictWithObject to do this
> more centrally. Essentially you put all your "limit_by_user" filters
> into one central package, then you just pass $c->user to the schema at
> the beginning of the request. RestrictWithObject will intercept all
> searches and tack on the appropriate filter for the requested resultset
> for you.
Sorry, I should have given an example. Have a look at mst's great
catalyst talk; the RestrictWithObject stuff starts at slide 74:
http://www.shadowcat.co.uk/catalyst/-talks/oscon/crucible.xul
--
Jason Gottshall
jgottshall at capwiz.com
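The ResultSet-chaining pattern Tomas describes, as an added, self-contained example that is not code from the thread or from the Catalyst/DBIx::Class projects. The package names, the `project` table with its `owner_id` column, and the `FakeUser` stand-in for `$c->user` are all assumptions made for this example; it runs against an in-memory SQLite database with DBIx::Class and DBD::SQLite installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# ResultSet class carrying the per-user filter. Defined before the Result
# class so that resultset_class() below finds it already loaded.
package MyApp::Schema::ResultSet::Project;
use base 'DBIx::Class::ResultSet';

# Return a new ResultSet containing only the rows $user may touch.
# Fails closed: calling it without a user is a programming error, not
# a request for "all rows".
sub limit_by_user {
    my ($self, $user) = @_;
    $self->throw_exception('limit_by_user called without a user') unless $user;
    return $self if $user->is_admin;            # admins see everything
    return $self->search({
        $self->current_source_alias . '.owner_id' => $user->id,
    });
}

package MyApp::Schema::Result::Project;
use base 'DBIx::Class::Core';
__PACKAGE__->table('project');
__PACKAGE__->add_columns(
    id       => { data_type => 'integer', is_auto_increment => 1 },
    owner_id => { data_type => 'integer' },
    name     => { data_type => 'text' },
);
__PACKAGE__->set_primary_key('id');
__PACKAGE__->resultset_class('MyApp::Schema::ResultSet::Project');

package MyApp::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class(Project => 'MyApp::Schema::Result::Project');

# Hypothetical stand-in for $c->user; a real app gets this object from
# the Catalyst authentication plugin.
package FakeUser;
sub new      { my ($class, %a) = @_; bless {%a}, $class }
sub id       { $_[0]{id} }
sub is_admin { $_[0]{is_admin} ? 1 : 0 }

package main;

my $schema = MyApp::Schema->connect('dbi:SQLite:dbname=:memory:');
$schema->storage->dbh->do(
    'CREATE TABLE project (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)'
);

# Constructed sample data: two owners, three projects.
$schema->resultset('Project')->populate([
    { id => 1, owner_id => 10, name => 'bill-blog'    },
    { id => 2, owner_id => 10, name => 'bill-auction' },
    { id => 3, owner_id => 20, name => 'alice-cms'    },
]);

my $bill  = FakeUser->new(id => 10);
my $admin = FakeUser->new(id => 1, is_admin => 1);

# What a controller does: filter by user first, then look the item up.
# A row outside the user's scope is simply not found, so there is no
# separate "may this user edit item N?" check to forget.
sub project_for {
    my ($user, $id) = @_;
    return $schema->resultset('Project')->limit_by_user($user)->find($id);
}

printf "bill  -> project 1: %s\n", project_for($bill, 1)  ? 'found' : 'denied';
printf "bill  -> project 3: %s\n", project_for($bill, 3)  ? 'found' : 'denied';
printf "admin -> project 3: %s\n", project_for($admin, 3) ? 'found' : 'denied';

# Forgetting the user is an exception, not a silent full-table result.
my $ok = eval { project_for(undef, 1); 1 };
print "no user -> ", ($ok ? 'returned a row (bad)' : "exception: $@");

# Further chaining after the filter stays inside the user's scope.
my @names = $schema->resultset('Project')->limit_by_user($bill)
            ->search({ name => { -like => '%auction%' } })
            ->get_column('name')->all;
print "bill's auction projects: @names\n";
```

The one discipline the pattern needs is the one Tomas points out: every controller lookup goes through `limit_by_user` before `find` or `search`, so a grep for `resultset('Project')` calls that skip it is the review check. Putting the filter in the ResultSet class rather than in each controller is what keeps that check feasible.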