[Catalyst] Example app showing user to "item" authorization?

Jason Gottshall jgottshall at capwiz.com
Wed Dec 10 14:28:19 GMT 2008

Jason Gottshall wrote:
> Tomas Doran wrote:
>> On 9 Dec 2008, at 04:24, bill hauck wrote:
>>> So my question: is there an example application or best practice on 
>>> how to implement a check on all calls to see if the user should be 
>>> accessing a specific item?  I guess this would apply to any type of 
>>> system: blog, auction, cms, etc. -- they all require checking if a 
>>> specific user can edit a specific item.
>> Assuming that you're using DBIx::Class, then the common way of doing 
>> this would be to use ResultSet chaining to limit things.
>> What you do is add a 'limit_by_user' method (name is not important - 
>> just pick one and stick to it for your entire app) on each ResultSet 
>> class which you can pass $c->user, and have it return a filtered 
>> result set.
>> You then arrange your controllers such that you will call this method 
>> on all resultsets before actually searching them. The simplest 
>> strategy is to just have code like:
>> $c->stash->{project} = 
>> $c->model('DB::Project')->limit_by_user($c->user)->find_by_foo($foo);
>> whenever you want to do a search.
> You might try using DBIx::Class::Schema::RestrictWithObject to do this 
> more centrally. Essentially you put all your "limit_by_user" filters 
> into one central package, then you just pass $c->user to the schema at 
> the beginning of the request. RestrictWithObject will intercept all 
> searches and tack on the appropriate filter for the requested resultset 
> for you.

Sorry, I should have given an example. Have a look at mst's great 
catalyst talk; the RestrictWithObject stuff starts at slide 74:

Jason Gottshall
jgottshall at capwiz.com
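A worked version of the two approaches discussed in this thread (added here as an illustration; it is not code from the original posts, from Catalyst, or from the RestrictWithObject distribution). It assumes a Project table with an owner_id column, a $c->user object that responds to id(), and, for the restrictor class, that RestrictWithObject looks for methods named restrict_<Source>_resultset on the object handed to restrict_with_object; the column, method and naming-convention details are assumptions.

```perl
package MyApp::Schema::ResultSet::Project;
use strict;
use warnings;
use base 'DBIx::Class::ResultSet';

# Approach 1 (per-ResultSet chaining): every ResultSet class gets the
# same method name, and controllers call it before any find/search.
# Assumed schema: projects.owner_id holds the owning user's id.
sub limit_by_user {
    my ($self, $user) = @_;
    die "limit_by_user called without a user" unless $user;
    return $self->search({ 'me.owner_id' => $user->id });
}

1;

package MyApp::Restrictor;
use strict;
use warnings;

# Approach 2 (central filters for DBIx::Class::Schema::RestrictWithObject):
# one object holds every per-source filter. The method name pattern
# restrict_<Source>_resultset is what we assume the module dispatches on;
# check the module's POD for your installed version.
sub new {
    my ($class, %args) = @_;
    return bless { user => $args{user} }, $class;
}

sub restrict_Project_resultset {
    my ($self, $rs) = @_;
    return $rs->search({ 'me.owner_id' => $self->{user}->id });
}

1;

package MyApp::Controller::Project;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

sub auto : Private {
    my ($self, $c) = @_;
    # Authentication first; authorization is then purely a data filter.
    unless ($c->user_exists) {
        $c->response->status(403);
        $c->response->body('Forbidden');
        return 0;    # stop the chain
    }
    return 1;
}

sub edit : Path('edit') Args(1) {
    my ($self, $c, $id) = @_;

    # Approach 1 in use: the filter is applied before the lookup, so a
    # row the user does not own simply never comes back.
    my $project = $c->model('DB::Project')
                    ->limit_by_user($c->user)
                    ->find($id);

    # A row outside the user's scope is reported exactly like a row
    # that does not exist, so the id space of other users is not leaked.
    unless ($project) {
        $c->response->status(404);
        $c->response->body('Not found');
        $c->detach;
    }

    $c->stash(project => $project);
}

__PACKAGE__->meta->make_immutable;

1;
```

With approach 2 you would instead build the restrictor once per request (for example in the application's auto action) via $schema->restrict_with_object(MyApp::Restrictor->new(user => $c->user)) and use that restricted schema for the rest of the request, so that an action which forgets to call limit_by_user still cannot reach another user's rows. Either way, the check is done at the ResultSet level rather than by comparing owner ids after the fetch.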
