<br><br><div class="gmail_quote">On Wed, Sep 30, 2009 at 5:23 AM, Derek Wueppelmann <span dir="ltr"><<a href="mailto:dwueppel@gmail.com">dwueppel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Tue, 2009-09-29 at 14:39 +0200, Aristotle Pagaltzis wrote:<br>
</div><div class="im">> * monkey <<a href="mailto:dwueppel@gmail.com">dwueppel@gmail.com</a>> [2009-09-29 14:35]:<br>
> > Is there another way to do the above without having to write<br>
> > the auth handling at the top of every method used to display<br>
> > pages?<br>
><br>
> Chained dispatch. Do an auth check early in the chain, then the<br>
> actions down the chain don’t need to do it.<br>
<br>
</div>So I found a different way to do this. It's pretty close to my original<br>
method I had mentioned, but instead of calling $self->auth_required I<br>
changed it to:<br>
<br>
$c->action->class->auth_required()<br>
<br>
Which has the desired effect. Now all I need to do is if a controller<br>
does not require authentication in order to be viewed I override the<br>
auth_required method in that controller to return 0 instead of the<br>
default 1.<br></blockquote><div><br>Does that approach provide you with enough fine-grained access control?<br>I suppose you can check the action name in auth_required().<br><br>There are a number of existing modules to consider, for example:<br>
<br>Catalyst::Action::Role::ACL<br>Catalyst::Plugin::Authorization::ACL<br><br>I've also used an approach where I check for roles in each controller's auto method, and I've also used method attributes to indicate the access level required for each action (which has the benefit where I can require *every* dispatched action to have an access level specified or be blocked).<br>
<br>I also do not detach to a login page, rather I always redirect. Not sure I remember the details of that choice, but one reason might have been I didn't want a URL for one resource to return a 200 yet not return the response for that URL and instead return a login form.<br>
<br></div></div><br clear="all"><br>-- <br>Bill Moseley<br><a href="mailto:moseley@hank.org">moseley@hank.org</a><br>