[Catalyst] Paradigm question: how to use ResultSet level security based on $c->user?

Eden Cardim edencardim at gmail.com
Tue Oct 18 10:00:38 GMT 2011 

>>>>> "will" == will trillich <will.trillich at serensoft.com> writes:

    will> Question: when a user logs in to our Catalyst app, he/she
    will> should only see the items he/she is allowed to see. But the
    will> only way we can figure how to do this is to pass $c->user
    will> either to the ResultSet methods or to the FormHandler methods,
    will> making the app more and more interdependent... Is there a
    will> better paradigm in the context of a Catalyst app?

That is perfectly fine as long as you define an API for user and stick
to it so you can replace it via duck typing afterwards.

    will> Right now we're working this via DBIC ResultSet like so:

    will> package Incident::Schema::DB::ResultSet::Incident;
    will> use base 'DBIx::Class::ResultSet';

    will> sub security {
    will>     my $rs      = shift;
    will>     my $user    = shift;

    will>     $user = $user->obj
    will>         if ( $user->can('obj') );
    will>     if ( $user->is_admin ) {
    will>         return $rs; # everything is visible to admins
    will>     }

    will>     my %visible_teams = map { $_ => 1 }
    will>         $user->corp_team_ids; # method from Incident::User schema
    will>     $rs = $rs->search(
    will>         { 'me.team' =>
    will>             { -in => [ keys %visible_teams ] }
    will>         },
    will>         { order_by => ['created'] }
    will>     );

    will>     return $rs;
    will> }

    will> Then...

    will> package Incident::Web::Controller::Ticket;
    will> BEGIN { extends 'Catalyst::Controller'; }

    will> sub base : Chained('/auth') PathPart('ticket') CaptureArgs(0) {
    will>     my ( $self, $c ) = @_;
    will>     my $rs = $c->model('Incident::Ticket')->security( $c->user );
    will>     $c->stash( incident_rs => $rs );
    will> }

    will> Is this Kosher? In this context it's a DBIC resultset
    will> depending on another DBIC object, so it may not be as big an
    will> issue as, say, when we have HTML::FormHandler popup menus that
    will> should only show the user options based on the user's role
    will> and/or organization.

    will> Is there a canonical way to approach this both in ResultSets
    will> and in FormHandler forms?

You might want to look at Catalyst::TraitFor::Model::DBIC::Schema::WithCurrentUser

-- 
  Eden Cardim
  Code Monkey                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://blog.edencardim.com/            http://www.shadowcat.co.uk/servers/
http://twitter.com/#!/edenc

More information about the Catalyst mailing list