[Catalyst] "Dynamic" authorization
gunnarstrand at yahoo.com
Thu Jul 9 18:12:06 GMT 2009
Tomas Doran skrev:
> Gunnar Strand wrote:
>> The table would then be consulted whenever a resource is accessed,
>> and the lookup would be put in a central place, if possible. I've
>> implemented a ":Restricted" action which handles authentication, and
>> that is where I would try to add the authorization as well. One of
>> the tricky things would be to have a generic way to create the
>> resource identifier from request input.
> I think that for the complexity of what you're doing with auth, then
> the authorization should be in the model layer.
> You should have methods on the model layer which take some form of
> 'user', and restrict what can be retrieved by that user. This is
> domain logic, so you need to build it into the domain.
Thanks, Tom. You are of course correct. Moving authorization to the data
model will make it harder to show only authorized functions in the
presentation layer, though. I'll have to think about this, but it seems
that it is a fairly early design decision if the authorization should be
in the control- or model part. And perhaps using ACL or groups will suffice.
More information about the Catalyst