Jason Gottshall wrote:
> Tomas Doran wrote:
> > On 9 Dec 2008, at 04:24, bill hauck wrote:
> > > So my question: is there an example application or best practice on
> > > how to implement a check on all calls to see if the user should be
> > > accessing a specific item? I guess this would apply to any type of
> > > system: blog, auction, cms, etc. -- they all require checking if a
> > > specific user can edit a specific item.
> >
> > Assuming that you're using DBIx::Class, then the common way of doing
> > this would be to use ResultSet chaining to limit things.
> >
> > What you do is add a 'limit_by_user' method (name is not important -
> > just pick one and stick to it for your entire app) on each ResultSet
> > class which you can pass $c->user, and have it return a filtered
> > result set.
> >
> > You then arrange your controllers such that you will call this method
> > on all resultsets before actually searching them. The simplest
> > strategy is to just have code like:
> >
> >     $c->stash->{project} =
> >         $c->model('DB::Project')->limit_by_user($c->user)->find_by_foo($foo);
> >
> > whenever you want to do a search.
>
> You might try using DBIx::Class::Schema::RestrictWithObject to do this
> more centrally. Essentially you put all your "limit_by_user" filters
> into one central package, then you just pass $c->user to the schema at
> the beginning of the request. RestrictWithObject will intercept all
> searches and tack on the appropriate filter for the requested resultset
> for you.

Sorry, I should have given an example. Have a look at mst's great
catalyst talk; the RestrictWithObject stuff starts at slide 74:
http://www.shadowcat.co.uk/catalyst/-talks/oscon/crucible.xul
--
Jason Gottshall
[EMAIL PROTECTED]
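An added illustration of the limit_by_user pattern Tomas describes (not code from the thread or from any of the posters): a ResultSet class whose filter is AND-ed onto the chain, and a controller that always goes through it. The column names (owner_id, is_public), the schema and controller class names, and the user object's id/is_admin accessors are assumptions.

```perl
package MyApp::Schema::ResultSet::Project;
use strict;
use warnings;
use base 'DBIx::Class::ResultSet';

# Return a new ResultSet restricted to rows $user may access.
# Assumed columns: project.owner_id and project.is_public.
# Assumed user object: has ->id and ->is_admin (e.g. the row behind $c->user).
sub limit_by_user {
    my ($self, $user) = @_;

    # Anonymous request: only public projects are visible.
    return $self->search({ 'me.is_public' => 1 }) unless $user;

    # Administrators get the unfiltered set.
    return $self if $user->is_admin;

    # Everyone else: their own projects or public ones. search() ANDs this
    # condition with whatever is already on $self, so later chaining (or a
    # find() by id) cannot reach rows outside the filter.
    return $self->search({
        -or => [
            'me.owner_id'  => $user->id,
            'me.is_public' => 1,
        ],
    });
}

# Controller side: every lookup goes through limit_by_user first, so a
# project the user may not access is indistinguishable from a missing one.
package MyApp::Controller::Project;
use base 'Catalyst::Controller';

sub project : Chained('/') PathPart('project') CaptureArgs(1) {
    my ($self, $c, $id) = @_;
    my $project = $c->model('DB::Project')
                    ->limit_by_user($c->user)
                    ->find($id);

    unless ($project) {
        $c->response->status(404);
        $c->detach;
    }
    $c->stash->{project} = $project;
}

1;
```

Because find() is applied to the already-filtered ResultSet, forgetting a per-action ownership check in a downstream action still cannot expose another user's row.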
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/