[Catalyst] Authorization ACL: future plans?

ivorw m9tn-oh4c at xemaps.com
Fri Jun 6 15:13:21 BST 2008

Hi guys,

(Yuval please note: this concerns one of your modules)

Are there any plans afoot to build on
Catalyst::Plugin::Authorization::ACL? I have a requirement for a couple
of enhancements, and I'd like to sound out the list before jumping in
and coding.

1. I'd quite like the idea of a generic "resource", that users have
access to, rather than just a controller method. The resource could be
or correspond to a file on the server's fs, a wiki page, a diary
appointment, etc.

The resource would have a set of permissions, controlled through the model:
 * See   (whether this resource actually appears at all)
 * Read (Are the contents of the resource visible/executable?)
 * Modify
 * Delete
 * Grant (who can change the permissions for this resource)

The resource also has an owner (user) and a group (role).
Each of the permissions above can be set to one of 'owner', 'group',
'world' or none.

Proposed module name: Catalyst::Plugin::Authorization::ACL::Resource

2. Full blown access control lists

For more sophisticated requirements, we have an actual list:

Include: list of entities
Exclude: list of entities

each entity can be one of the following:
 * A user
 * 'owner'
 * A role
 * 'group'
 * An ACL (i.e. nesting)

This enhances option 1 above by allowing the permission to be an ACL
besides 'owner', 'group', 'world' or none.

Proposed module name: Catalyst::Plugin::Authorization::ACL::Full

What do people think? Feedback please.

By the way in case you are wondering, I am looking to write a CMS that
sits on top of Catalyst.


More information about the Catalyst mailing list