>>>>> "will" == will trillich <[email protected]> writes:

    will> Question: when a user logs in to our Catalyst app, he/she
    will> should only see the items he/she is allowed to see. But the
    will> only way we can figure how to do this is to pass $c->user
    will> either to the ResultSet methods or to the FormHandler methods,
    will> making the app more and more interdependent... Is there a
    will> better paradigm in the context of a Catalyst app?

That is perfectly fine as long as you define an API for user and stick
to it so you can replace it via duck typing afterwards.

    will> Right now we're working this via DBIC ResultSet like so:

    will> package Incident::Schema::DB::ResultSet::Incident;
    will> use base 'DBIx::Class::ResultSet';

    will> sub security {
    will>     my $rs      = shift;
    will>     my $user    = shift;

    will>     $user = $user->obj
    will>         if ( $user->can('obj') );
    will>     if ( $user->is_admin ) {
    will>         return $rs; # everything is visible to admins
    will>     }

    will>     my %visible_teams = map { $_ => 1 }
    will>         $user->corp_team_ids; # method from Incident::User schema
    will>     $rs = $rs->search(
    will>         { 'me.team' =>
    will>             { -in => [ keys %visible_teams ] }
    will>         },
    will>         { order_by => ['created'] }
    will>     );

    will>     return $rs;
    will> }

    will> Then...

    will> package Incident::Web::Controller::Ticket;
    will> use Moose;    # provides 'extends'
    will> BEGIN { extends 'Catalyst::Controller'; }

    will> sub base : Chained('/auth') PathPart('ticket') CaptureArgs(0) {
    will>     my ( $self, $c ) = @_;
    will>     my $rs = $c->model('Incident::Ticket')->security( $c->user );
    will>     $c->stash( incident_rs => $rs );
    will> }

    will> Is this Kosher? In this context it's a DBIC resultset
    will> depending on another DBIC object, so it may not be as big an
    will> issue as, say, when we have HTML::FormHandler popup menus that
    will> should only show the user options based on the user's role
    will> and/or organization.

    will> Is there a canonical way to approach this both in ResultSets
    will> and in FormHandler forms?

You might want to look at 
Catalyst::TraitFor::Model::DBIC::Schema::WithCurrentUser

-- 
  Eden Cardim
  Code Monkey                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://blog.edencardim.com/            http://www.shadowcat.co.uk/servers/
http://twitter.com/#!/edenc

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
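
The duck-typed user contract suggested in the reply, as an added example that is not code from the thread or from any of the modules it names. `team_filter_for` and `Local::StubUser` are hypothetical names; `obj`, `is_admin` and `corp_team_ids` are the methods used in the quoted code. The sketch also rejects a missing user rather than returning an unfiltered condition, and it only builds the search condition, so it runs without Catalyst or a database.

```perl
use strict;
use warnings;
use Carp qw(croak);
use Scalar::Util qw(blessed);

# The whole "user API" the data layer depends on (method names from the thread).
my @USER_API = qw(is_admin corp_team_ids);

# Build the DBIC search condition that limits rows to what $user may see.
sub team_filter_for {
    my ($user) = @_;

    # No authenticated user: refuse, never fall through to "everything".
    croak 'security filter needs a user object' unless blessed $user;

    # Unwrap a Catalyst authentication wrapper, as the quoted method does.
    $user = $user->obj if $user->can('obj');
    croak 'security filter needs a user object' unless blessed $user;

    # Check the contract up front so a substituted class fails loudly.
    for my $method (@USER_API) {
        croak ref($user) . " does not implement $method"
            unless $user->can($method);
    }

    return {} if $user->is_admin;    # admins: no restriction

    # De-duplicate ids. An empty list is kept as an empty -in, which
    # SQL::Abstract renders as a false condition, so no rows match.
    my %seen;
    my @teams = grep { defined($_) && !$seen{$_}++ } $user->corp_team_ids;
    return { 'me.team' => { -in => \@teams } };
}

# Constructed stand-in: any class with the same two methods is accepted.
package Local::StubUser {
    sub new           { my ( $class, %args ) = @_; return bless {%args}, $class }
    sub is_admin      { $_[0]{admin} ? 1 : 0 }
    sub corp_team_ids { @{ $_[0]{teams} || [] } }
}

package main;
my %cases = (
    member   => Local::StubUser->new( teams => [ 7, 7, 12 ] ),
    admin    => Local::StubUser->new( admin => 1 ),
    no_teams => Local::StubUser->new,
);
for my $label ( sort keys %cases ) {
    my $cond = team_filter_for( $cases{$label} );
    my $in   = $cond->{'me.team'} ? "team IN (@{ $cond->{'me.team'}{-in} })" : 'unrestricted';
    print "$label: $in\n";
}
print 'anonymous: ', ( eval { team_filter_for(undef); 1 } ? 'allowed' : 'rejected' ), "\n";
```

In the quoted `security` method the returned hash would be passed to `$rs->search(...)`; a FormHandler form could take its option list from the same call so both layers share one rule.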