[Dbix-class] Read only resultsets

Bill Moseley moseley at hank.org
Tue Aug 24 15:32:01 GMT 2010


On Wed, Aug 11, 2010 at 4:08 PM, Dan Horne <dan.horne at redbone.co.nz> wrote:

> The recent discussion on read only objects has got me wondering. Say one
> has an app which basically sends result sets to TT templates. What stops a
> malicious designer from doing DB updates in the templates since they have
> the RS objects? I could mimic the DBI solution of returning arrayrefs of
> hashrefs, but that doesn't allow for the chaining of methods to get related
> resultsets, nor would it give me access to pagination info.
>

This has come up a few times on the Catalyst list.  You might check the
archives there.

One option, which is what the java people at work promote, is to copy all
the data that the view needs to a separate structure and pass that to the
view instead of the objects.

Depends on your work environment.  Some people argue that the view should
only get access to the data it needs, and others argue that the controller
should not be concerned with knowing the detailed specifics of what the view
is rendering.  I'm more on the side of thin controllers that fetch objects,
and then it's up to the view to decide.  Plus, then changes to the view
don't require changes to the controllers.

I once added a flag to the schema and then overrode insert, update, and
delete to check for the flag.  The flag would get set around the call to the
view and thus prevent most changes to the db from the view.  Reality was
that if someone wanted they could still get at a dbh, of course.

I would think you could do the same by hacking on the connection object, but
never looked into that.



--

Bill Moseley
moseley at hank.org
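The "flag on the schema, checked by overridden insert/update/delete" approach described in the post above, written out as an added illustration. This is not code from the thread or from DBIx::Class itself: the package names, the read_only/assert_writable/with_read_only methods and the guarded ResultSet class are all invented here, and the script assumes DBD::SQLite is installed (the table is created with raw DBI so SQL::Translator is not needed).

```perl
#!/usr/bin/env perl
# Added example of a dynamically scoped read-only flag on a DBIx::Class schema.
# Hypothetical names throughout; not the thread's or the project's own code.
use strict;
use warnings;

# --- ResultSet subclass: $rs->update / ->delete / ->populate never go through
#     the Row methods, so they need their own guard.
package My::Schema::GuardedResultSet;
use base 'DBIx::Class::ResultSet';

sub update   { my $self = shift; $self->result_source->schema->assert_writable('ResultSet::update');   return $self->SUPER::update(@_) }
sub delete   { my $self = shift; $self->result_source->schema->assert_writable('ResultSet::delete');   return $self->SUPER::delete(@_) }
sub populate { my $self = shift; $self->result_source->schema->assert_writable('ResultSet::populate'); return $self->SUPER::populate(@_) }

# --- Row base class: every Result class inherits the guarded writes.
package My::Schema::Result::Base;
use base 'DBIx::Class::Core';

sub insert { my $self = shift; $self->result_source->schema->assert_writable('Row::insert'); return $self->SUPER::insert(@_) }
sub update { my $self = shift; $self->result_source->schema->assert_writable('Row::update'); return $self->SUPER::update(@_) }
sub delete { my $self = shift; $self->result_source->schema->assert_writable('Row::delete'); return $self->SUPER::delete(@_) }

# --- A hypothetical result class (constructed for this example).
package My::Schema::Result::Article;
use parent -norequire, 'My::Schema::Result::Base';   # -norequire: base class lives in this file

__PACKAGE__->table('article');
__PACKAGE__->add_columns(
    id    => { data_type => 'integer', is_auto_increment => 1 },
    title => { data_type => 'text' },
);
__PACKAGE__->set_primary_key('id');
__PACKAGE__->resultset_class('My::Schema::GuardedResultSet');

# --- Schema carrying the flag.
package My::Schema;
use base 'DBIx::Class::Schema';

__PACKAGE__->register_class(Article => 'My::Schema::Result::Article');

sub read_only {
    my $self = shift;
    $self->{_read_only} = shift if @_;
    return $self->{_read_only};
}

sub assert_writable {
    my ($self, $what) = @_;
    die "schema is read-only, refusing $what\n" if $self->read_only;
    return 1;
}

# Run $code with writes disabled. local() makes the flag dynamically scoped,
# so it is cleared again even if the view dies half-way through rendering.
sub with_read_only {
    my ($self, $code) = @_;
    local $self->{_read_only} = 1;
    return $code->();
}

package main;

my $schema = My::Schema->connect('dbi:SQLite:dbname=:memory:');   # assumes DBD::SQLite
$schema->storage->dbh->do('CREATE TABLE article (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT)');
my $rs = $schema->resultset('Article');
$rs->create({ title => 'first' });

# "Controller": fetch the resultset, then hand it to the "view" with writes off.
my $rendered = $schema->with_read_only(sub {
    my @out = map { $_->title } $rs->all;                        # reads still work
    for my $attempt (
        [ 'row update' => sub { $rs->first->update({ title => 'tampered' }) } ],
        [ 'row insert' => sub { $rs->create({ title => 'sneaky' }) } ],
        [ 'set delete' => sub { $rs->delete } ],
    ) {
        my ($name, $code) = @$attempt;
        push @out, eval { $code->(); "$name succeeded" } // "$name blocked: $@";
    }
    return join "\n", @out;
});
print "$rendered\n";

# Back in the controller the local() has unwound, so writes go through again.
$rs->first->update({ title => 'edited by controller' });
print $rs->first->title, "\n";
```

Two caveats match what the post says. The guard only covers the DBIx::Class write paths (Row insert/update/delete, and ResultSet update/delete/populate; create, find_or_create, update_all and delete_all all end up in one of those), so a template that reaches `$schema->storage->dbh` still has a live handle. It is a guard against accidents and casual tampering, not a privilege boundary; if the designer is genuinely untrusted, the copy-the-data-to-a-plain-structure option is the one that actually removes the capability.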

