[Catalyst] Catalyst::Plugin::Prototype: current state?
Charlie Garrison
garrison at zeta.org.au
Mon Mar 22 11:32:21 GMT 2010
Good evening,
On 22/03/10 at 3:09 AM -0700, Ovid
<publiustemp-catalyst at yahoo.com> wrote:
>Actually, after some discussion with the AutoCRUD author, it
>was generally agreed it would be safer to not integrate
>AutoCRUD directly into my app. A different app running on a
>different domain/subdomain and setting security at the server
>level seems more appropriate. This is because the author made
>it clear that authz was not a design concern and the internal
>URLs vary widely. Rather than risk opening up a hole to the
>database, separating this is much safer.
I'd really like to get more info on that. Looking at all the
actions for my app in the debug output on startup, I can see
lots of private and chained actions for AutoCRUD, and they are
all under the /autocrud path. What part of AutoCRUD is accessed
outside the /autocrud path?
AutoCRUD is a very nice convenience, but it's not so nice as to
warrant running a separate app for it. To me, *having* to run a
separate app indicates a design flaw. And if that's the case
then I need to look at alternate solutions. (Note, I'm not
against server-level auth, and I use it for other things outside
my app, but within the app.....)
Is the author on this list? Can you provide any further insight
into why authz for the /autocrud path is not sufficient? I'm
somewhat baffled that a tool which effectively allows full
access to the DBIC model doesn't at least consider authz as part
of the design.
Sorry, there's lots of red flags waving around and I'm not sure
whether I should pay attention to them.
Thanks,
Charlie
--
Ꮚ Charlie Garrison ♊ <garrison at zeta.org.au>
〠 PO Box 141, Windsor, NSW 2756, Australia
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
http://www.ietf.org/rfc/rfc1855.txt
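For readers weighing the in-app alternative to server-level auth that the thread discusses, here is an added example (not from this thread, and not AutoCRUD's own code) of gating the /autocrud namespace from a Catalyst Root controller's auto action. MyApp, the 'dba' role, and the loaded Catalyst::Plugin::Authentication and Catalyst::Plugin::Authorization::Roles plugins are assumptions.

```perl
package MyApp::Controller::Root;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# Root controller: its auto action runs before every request the
# application dispatches, including actions registered by plugins.
__PACKAGE__->config(namespace => '');

sub auto : Private {
    my ($self, $c) = @_;

    # $c->req->path has no leading slash. Only gate requests that
    # dispatch under the AutoCRUD namespace (path assumed for this example).
    return 1 unless $c->req->path =~ m{^autocrud(?:/|$)};

    # Require an authenticated user holding the 'dba' role (assumed role
    # name). check_user_roles comes from Authorization::Roles.
    unless ($c->user_exists && $c->check_user_roles('dba')) {
        my $who = $c->user_exists ? $c->user->id : 'anonymous';
        $c->log->warn(sprintf 'autocrud denied: %s from %s requested /%s',
            $who, $c->req->address, $c->req->path);
        $c->res->status(403);
        $c->res->body('Forbidden');
        return 0;    # a false return from auto stops the dispatch chain
    }

    return 1;
}

__PACKAGE__->meta->make_immutable;
1;
```

This covers only requests whose path begins with autocrud, which is exactly the assumption the thread is questioning; anything the plugin dispatches outside that namespace would need its own check.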