On Wed, Sep 30, 2009 at 5:23 AM, Derek Wueppelmann <dwuep...@gmail.com> wrote:
> On Tue, 2009-09-29 at 14:39 +0200, Aristotle Pagaltzis wrote:
> > * monkey <dwuep...@gmail.com> [2009-09-29 14:35]:
> > > Is there another way to do the above without having to write
> > > the auth handling at the top of every method used to display
> > > pages?
> >
> > Chained dispatch. Do an auth check early in the chain, then the
> > actions down the chain don’t need to do it.
>
> So I found a different way to do this. It's pretty close to my original
> method I had mentioned, but instead of calling $self->auth_required I
> changed it to:
>
> $c->action->class->auth_required()
>
> Which has the desired effect. Now all I need to do is if a controller
> does not require authentication in order to be viewed I override the
> auth_required method in that controller to return 0 instead of the
> default 1.
>

Does that approach provide you with enough fine-grained access control? I
suppose you can check the action name in auth_required().

There are a number of existing modules to consider, for example:

Catalyst::Action::Role::ACL
Catalyst::Plugin::Authorization::ACL

I've also used an approach where I check for roles in each controller's auto
method, and I've also used method attributes to indicate the access level
required for each action (which has the benefit where I can require *every*
dispatched action to have an access level specified or be blocked).

I also do not detach to a login page, rather I always redirect. Not sure I
remember the details of that choice, but one reason might have been I didn't
want a URL for one resource to return a 200 yet not return the response for
that URL and instead return a login form.

--
Bill Moseley
mose...@hank.org
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
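
The attribute-based, deny-by-default check described in the reply above, as an added example; it is not code from the thread or from the Catalyst project. It assumes an application named MyApp with Catalyst::Plugin::Authentication and Catalyst::Plugin::Authorization::Roles loaded, a login page at /login, and a custom `Access` attribute; all of those names are hypothetical.

```perl
package MyApp::Controller::Root;    # hypothetical application name
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

__PACKAGE__->config(namespace => '');

# auto runs before every dispatched action; returning 0 skips the action.
sub auto :Private {
    my ($self, $c) = @_;

    # :Access(...) is this example's own attribute. Catalyst keeps attributes
    # it does not recognise as name => [values] on the action object.
    my @levels = grep { defined } @{ $c->action->attributes->{Access} || [] };

    # Deny by default: an action that declares no access level is blocked.
    unless (@levels) {
        $c->log->error('No Access attribute on ' . $c->action->reverse);
        return $self->_forbid($c);
    }
    return 1 if grep { $_ eq 'public' } @levels;

    # Anonymous users are redirected, so the protected URL never answers
    # 200 with a login form as its body.
    unless ($c->user_exists) {
        $c->res->redirect($c->uri_for('/login'));
        return 0;
    }

    # Any other value is a role name; one matching role is enough.
    return 1 if grep { $c->check_user_roles($_) } @levels;
    return $self->_forbid($c);
}

# No attributes, so this is a plain helper method and not a dispatchable action.
sub _forbid {
    my ($self, $c) = @_;
    $c->res->status(403);
    $c->res->body('Forbidden');
    return 0;
}

sub index  :Path           :Args(0) :Access(public) { $_[1]->res->body('home') }
sub login  :Path('login')  :Args(0) :Access(public) { $_[1]->res->body('login form') }
sub report :Path('report') :Args(0) :Access(admin)  { $_[1]->res->body('report') }

__PACKAGE__->meta->make_immutable;
1;
```

Because the check lives in the root controller's `auto`, an action added later in any controller without an `Access` attribute answers 403 and logs an error instead of being served unauthenticated.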