[Dbix-class] Enforcing read-only objects

Bill Moseley moseley at hank.org
Wed Aug 11 15:44:10 GMT 2010


I'm looking for your suggestions on enforcing access policy within DBIC:

In my Music database I have a hierarchy of objects like this:

notes -> tracks -> cds -> artists -> label -> user_access -> users


The user_access table links users with a label.  When I fetch an object from
the database I join to the users table to make sure the user has access to
the label.  If no row in user_access then the user has no access at all.

Now, the user_access table also has a read_only flag.  My plan here is when
I join to user_access to add a column to every object called "is_readonly"
so that code can look at any row object and determine if it's read-only or
not.

But, I also want to enforce the read-only state in the model.  And this is
where I need some ideas.

One idea would be to alter the schema so there's no storage associated with
a read-only object (so calling ->update would die).  I'm not sure how to
implement that.

Another idea is to override update() and delete() and look for the
is_readonly flag and abort if the "is_readonly" flag exists on the object.

Both of those don't work with create, though.  So, I'm wondering about
adding a call before create() that calls can_create() which would be a class
method that would know how to test a given create.  For example, trying to
insert a new note, the "Note" class would test that the track id passed to
create() can be joined to the user via the user_access table and that the
user_access.read_only flag is false.

(Yes, the "current_user" is available to DBIC as it's stored in the schema
object.)

Other suggestions?


Thanks,


-- 

Bill Moseley
moseley at hank.org
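
The update()/delete() override idea from the message above, as an added example (not code from the original post or from the DBIx::Class distribution). The class names, the one-table SQLite schema and the literal 1 standing in for the join to user_access.read_only are assumptions for illustration; it needs DBIx::Class and DBD::SQLite.

```perl
use strict;
use warnings;

# Hypothetical base result class: every table class inheriting from it is guarded.
package My::Schema::Result;
use base 'DBIx::Class::Core';

sub _deny_if_readonly {
    my ($self, $op) = @_;
    # "is_readonly" is not a table column. It is present only when the query
    # that fetched the row selected it (in the post: from user_access.read_only).
    return unless $self->has_column_loaded('is_readonly');
    $self->throw_exception("$op denied: row is read-only for this user")
        if $self->get_column('is_readonly');
}

sub update { my $self = shift; $self->_deny_if_readonly('update'); return $self->next::method(@_) }
sub delete { my $self = shift; $self->_deny_if_readonly('delete'); return $self->next::method(@_) }

# Constructed one-table schema, just enough to exercise the guard.
package My::Schema::Result::Note;
use base 'My::Schema::Result';
__PACKAGE__->table('notes');
__PACKAGE__->add_columns(qw(id body));
__PACKAGE__->set_primary_key('id');

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class(Note => 'My::Schema::Result::Note');

package main;
my $schema = My::Schema->connect('dbi:SQLite::memory:');
$schema->storage->dbh->do('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
my $notes = $schema->resultset('Note');
$notes->create({ id => 1, body => 'first take' });

# Stand-in for the user_access join: select a literal 1 as is_readonly.
my $ro = $notes->search({}, { '+select' => [ \'1' ], '+as' => ['is_readonly'] })->first;
for my $op (qw(update delete)) {
    eval { $ro->$op; 1 } or print "blocked: $@";
}

# Caveat: $rs->update and $rs->delete run a single SQL statement and never call
# the row methods above; $rs->update_all and $rs->delete_all do go through them.
print "rows left: ", $notes->count, "\n";
```

Rows fetched without the extra column pass the guard untouched, so the query that adds is_readonly has to be the only path by which application code obtains row objects.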