[Catalyst] Catalyst::Plugin::Prototype: current state?

Charlie Garrison garrison at zeta.org.au
Mon Mar 22 11:32:21 GMT 2010

Good evening,

On 22/03/10 at 3:09 AM -0700, Ovid 
<publiustemp-catalyst at yahoo.com> wrote:

>Actually, after some discussion with the AutoCRUD author, it 
>was generally agreed it would be safer to not integrate 
>AutoCRUD directly into my app.  A different app running on a 
>different domain/subdomain and setting security at the server 
>level seems more appropriate. This is because the author made 
>it clear that authz was not a design concern and the internal 
>URLs vary widely.  Rather than risk opening up a hole to the 
>database, separating this is much safer.

I'd really like to get more info on that. Looking at all the 
actions for my app in the debug output on startup, I can see 
lots of private and chained actions for AutoCRUD, and they are 
all under the /autocrud path. What part of AutoCRUD is accessed 
outside the /autocrud path?

AutoCRUD is very nice convenience, but it's not so nice to 
warrant running a separate app for it. To me, *having* to run a 
separate app indicates a design flaw. And if that's the case 
then I need to look at alternate solutions. (Note, I'm not 
against server-level auth, and I use it for other things outside 
my app, but within the app.....)

Is the author on this list? Can you provide any further insight 
into why authz for the /autocrud path is not sufficient? I'm 
somewhat baffled that a tool which effectively allows full 
access to the DBIC model doesn't at least consider authz as part 
of the design.

Sorry, there's lots of red flags waving around and I'm not sure 
whether I should pay attention to them.


    Ꮚ Charlie Garrison ♊ <garrison at zeta.org.au>
    〠 PO Box 141, Windsor, NSW 2756, Australia

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

More information about the Catalyst mailing list