[Catalyst] Roles and Permissions -- Controller vs View

will trillich will.trillich at serensoft.com
Tue Dec 28 17:35:42 GMT 2010


In our web app we have lots of features that are predicated upon the user's
role. For example, a "show" link is available to everyone, but an "edit"
link is only available to managers.

Is there a best-practices approach for dealing with this?

There are two places where user-role is significant -- controller and view.
In the controller we use chaining to bounce a user out of an edit method if
they don't have the right role. And in the view we use lots of [% IF
c.user.is_mgr %] logic to determine whether or not to display the links.
(Using user-friendly URLs like /thingy/27/edit makes the URL easy to guess,
so checking inside the controller is a good idea.)

So right now we're checking for the same thing in the view that we're
checking for in the controller. The more features that get added that
require role-checking, the more hairy this gets.

Is there a way to get all this rolled up into one place? Or at least make
the view a bit more elegant?

--

Failure is not important. How you overcome it, is.
-- Nick Vujicic
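One way to answer the "single place" question, as an added example that is not part of the original post: compute the user's permissions for the object once at the root of the chain, store the result in the stash, and let both the controller (to refuse the request) and the view (to decide whether to render the link) read that one answer. The code assumes Catalyst::Plugin::Authorization::Roles is loaded (it provides `check_user_roles`), a hypothetical `MyApp` application with a `DB::Thingy` model, and a `/default` action that renders a 404; none of these come from the post.

```perl
package MyApp::Controller::Thingy;   # hypothetical application name
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# The one place that says what the current user may do with a thingy.
# The controller enforces it and the view reads the same hash from the stash,
# so adding a new role-gated feature means adding one key here, not a new
# [% IF %] in every template and a new check in every action.
sub permissions_for {
    my ($self, $c, $thingy) = @_;
    my %can = (
        show => 1,                                          # everyone
        edit => $c->check_user_roles('manager') ? 1 : 0,    # managers only
    );
    return \%can;
}

# Chain root for /thingy/27/...: load the object and compute permissions once.
sub thingy : Chained('/') PathPart('thingy') CaptureArgs(1) {
    my ($self, $c, $id) = @_;
    my $thingy = $c->model('DB::Thingy')->find($id)
        or $c->detach('/default');                          # assumed 404 handler
    $c->stash->{thingy} = $thingy;
    $c->stash->{can}    = $self->permissions_for($c, $thingy);
}

# /thingy/27/show: allowed for everyone, nothing extra to check.
sub show : Chained('thingy') PathPart('show') Args(0) {
    my ($self, $c) = @_;
}

# /thingy/27/edit: refuse before any edit logic runs, using the same answer
# the view uses to decide whether to show the "edit" link. A guessed URL
# therefore gets a 403 even though the link was never rendered.
sub edit : Chained('thingy') PathPart('edit') Args(0) {
    my ($self, $c) = @_;
    unless ($c->stash->{can}{edit}) {
        $c->response->status(403);
        $c->stash->{template} = 'forbidden.tt';           # assumed template
        $c->detach;
    }
    # ... real edit handling goes here ...
}

# In the Template Toolkit view the role logic disappears; the template only
# asks the stash whether the action is permitted:
#
#   [% IF can.edit %]
#     <a href="[% c.uri_for_action('/thingy/edit', [thingy.id]) %]">edit</a>
#   [% END %]

__PACKAGE__->meta->make_immutable;
1;
```

The controller check is the one that matters for security: hiding the link only tidies the UI, while the 403 in `edit` is what stops a user who types the URL by hand. Keeping the rule in `permissions_for` means the two can never drift apart, which is the duplication the post describes.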