Question: when a user logs in to our Catalyst app, he/she should only see the items he/she is allowed to see. But the only way we can figure how to do this is to pass $c->user either to the ResultSet methods or to the FormHandler methods, making the app more and more interdependent... Is there a better paradigm in the context of a Catalyst app?

Right now we're working this via DBIC ResultSet like so:

```perl
package Incident::Schema::DB::ResultSet::Incident;
use base 'DBIx::Class::ResultSet';

sub security {
    my $rs   = shift;
    my $user = shift;

    $user = $user->obj
        if ( $user->can('obj') );
    if ( $user->is_admin ) {
        return $rs;    # everything is visible to admins
    }

    my %visible_teams = map { $_ => 1 }
        $user->corp_team_ids;    # method from Incident::User schema
    $rs = $rs->search(
        { 'me.team' =>
            { -in => [ keys %visible_teams ] }
        },
        { order_by => ['created'] }
    );

    return $rs;
}
```

Then...

```perl
package Incident::Web::Controller::Ticket;
BEGIN { extends 'Catalyst::Controller'; }

sub base : Chained('/auth') PathPart('ticket') CaptureArgs(0) {
    my ( $self, $c ) = @_;
    my $rs = $c->model('Incident::Ticket')->security( $c->user );
    $c->stash( incident_rs => $rs );
}
```

Is this Kosher? In this context it's a DBIC resultset depending on another DBIC object, so it may not be as big an issue as, say, when we have HTML::FormHandler popup menus that should only show the user options based on the user's role and/or organization.

Is there a canonical way to approach this both in ResultSets and in FormHandler forms?

-- 
"The very nucleus of Character: to do what you know you should do, when you don't want to do it." Stephen Covey
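The team-scoping ResultSet filter from the post, exercised stand-alone so the three cases that matter for authorization (member of some teams, member of no teams, admin) can be checked against a real query. This is an added example, not code from the original post or the Incident app: it assumes a constructed in-memory SQLite schema with a single incident table (columns id, team, created), a constructed My::FakeUser stand-in that offers the same is_admin and corp_team_ids methods the post attributes to Incident::User, and the DBIx::Class, DBD::SQLite and SQL::Translator modules installed.

```perl
use strict; use warnings;
# Same logic as the security() method in the post, run against a constructed schema.
package My::Schema::ResultSet::Incident;
use base 'DBIx::Class::ResultSet';
sub security {
    my ( $rs, $user ) = @_;
    $user = $user->obj if $user->can('obj');   # unwrap Catalyst's user wrapper
    return $rs if $user->is_admin;             # admins see every row
    my @teams = $user->corp_team_ids;
    # SQL::Abstract renders -in => [] as an always-false clause, so a user
    # with no teams sees nothing rather than everything.
    return $rs->search( { 'me.team' => { -in => \@teams } },
                        { order_by => ['created'] } );
}

package My::Schema::Result::Incident;     # assumed minimal incident table
use base 'DBIx::Class::Core';
__PACKAGE__->table('incident');
__PACKAGE__->add_columns(
    id      => { data_type => 'integer', is_auto_increment => 1 },
    team    => { data_type => 'integer' },
    created => { data_type => 'datetime' },
);
__PACKAGE__->set_primary_key('id');
__PACKAGE__->resultset_class('My::Schema::ResultSet::Incident');

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class( Incident => 'My::Schema::Result::Incident' );

package My::FakeUser;   # constructed stand-in for Incident::User
sub new           { my ( $class, %a ) = @_; bless {%a}, $class }
sub is_admin      { $_[0]{is_admin} }
sub corp_team_ids { @{ $_[0]{teams} } }

package main;
my $schema = My::Schema->connect('dbi:SQLite::memory:');
$schema->deploy;
# Constructed sample data: one incident per team 1, 2 and 3.
$schema->resultset('Incident')->populate( [
    [qw/team created/],
    [ 1, '2011-01-01' ], [ 2, '2011-01-02' ], [ 3, '2011-01-03' ],
] );
my $rs  = $schema->resultset('Incident');
my %who = (
    member => My::FakeUser->new( is_admin => 0, teams => [ 1, 3 ] ),
    noteam => My::FakeUser->new( is_admin => 0, teams => [] ),
    admin  => My::FakeUser->new( is_admin => 1, teams => [] ),
);
printf "%-6s sees %d incident(s)\n", $_, $rs->security( $who{$_} )->count
    for sort keys %who;
```

Because the filter is applied once in the chained base action and every downstream action reads the already-restricted resultset from the stash, the counts printed here are the same ones every Ticket action would see; the no-team case is the one to keep an eye on when the team list is built from a join that can come back empty.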