Re: [Catalyst] Authorization Failure

[Matt S Trout]

On Fri, May 08, 2009 at 04:08:29PM +0400, Oleg Pronin wrote:
> Catalyst and controllers are the same. Catalyst imho is _not only web_
> framework.

You can beat a nail in with a screwdriver too.

More seriously, I'd really like to split out the bits of Catalyst that are
"application framework" rather than web so that those parts can be shared
and you basically subclass it.

But that's a fucktonne of code I don't have time to write just yet. If anybody
wants to experiment with this idea, I'd be more than happy to help bikeshed
out the design.

-- 
Matt S Trout Catalyst and DBIx::Class consultancy with a clue
 Technical Director  and a commit bit: http://shadowcat.co.uk/catalyst/
 Shadowcat Systems Limited
  mst (@) shadowcat.co.ukhttp://shadowcat.co.uk/blog/matt-s-trout/

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Tomas Doran]

Tomas Doran wrote:

>> I'd recommend making a TestApp, pulling the relevant bits of
>> controller code out (the bodies can be mostly blank, you only care
>> about the paths), setting up trivial auth (no DB or anything needed,
>> just use Auth::Store::Minimal), and see if you can replicate the issue
>> outside of your main application..

Ascii King wrote:
> OK.  I'll pull out some clear code examples.
> Thanks
get it
Great!

If you get to a TestApp, then throwing it on github is probably easiest 
so that people can fork it / play with it trvially.


However I don't think anyone will object if you want to reduce it to 
test cases for the plugin in question ;)


Cheers
t0m

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Ascii King]

OK.  I'll pull out some clear code examples.
Thanks

Tomas Doran wrote:

Ascii King wrote:
the authorization component of my application no longer works 
properly. Did something change with Catalyst::Plugin::Authorization? 
I searched the lists, but I didn't see anything.




The tests still all pass, and they do test this sort of thing.

When testing the above statement, admin and office are supposed to be 
allowed access to 'list_account'. However, admin can access it, but 
office and remote cannot. If I change it to 'allow_access_if' then 
everyone can get access.


I can't really make a call about if it's working or not without 
knowing a lot more about your application structure, and your 
currently logged in user / roles etc.


I'd recommend making a TestApp, pulling the relevant bits of 
controller code out (the bodies can be mostly blank, you only care 
about the paths), setting up trivial auth (no DB or anything needed, 
just use Auth::Store::Minimal), and see if you can replicate the issue 
outside of your main application..


Even if you get the same issues, you now have something small and easy 
to understand which you can show to other people, without them having 
to grok your entire app..


Cheers
t0m

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: 
http://www.mail-archive.com/catalyst@lists.scsys.co.uk/

Dev site: http://dev.catalyst.perl.org/



___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Tomas Doran]

Ascii King wrote:
the authorization component of my application no longer works properly. 
Did something change with Catalyst::Plugin::Authorization? I searched 
the lists, but I didn't see anything.




The tests still all pass, and they do test this sort of thing.

When testing the above statement, admin and office are supposed to be 
allowed access to 'list_account'. However, admin can access it, but 
office and remote cannot. If I change it to 'allow_access_if' then 
everyone can get access.


I can't really make a call about if it's working or not without knowing 
a lot more about your application structure, and your currently logged 
in user / roles etc.


I'd recommend making a TestApp, pulling the relevant bits of controller 
code out (the bodies can be mostly blank, you only care about the 
paths), setting up trivial auth (no DB or anything needed, just use 
Auth::Store::Minimal), and see if you can replicate the issue outside of 
your main application..


Even if you get the same issues, you now have something small and easy 
to understand which you can show to other people, without them having to 
grok your entire app..


Cheers
t0m

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Tomas Doran]

Oleg Pronin wrote:

But in TCP stream we send for example "/chess/action/make_move {JSON_DATA}"
I do not see any differences between HTTP requests and request to the 
daemon. Just protocols are differ.


If you're doing something like this, then the correct solution _is_ to 
be subclassing Catalyst::Engine to provide your daemon / non-HTTP protocol.


I'm currently helping develop a Catalyst engine to subscribe to Apache 
ActiveMQ queues - same approach, even _less_ web like in what goes over 
the wire, but it still fits a request/response model well enough to shoe 
horn things in..


That is, however, totally orthogonal to having your domain logic well 
factored.


Cheers
t0m

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Tomas Doran]

Oleg Pronin wrote:

How do i should in this case read my config in script context?


use Config::General manually..

MyApp 
initializes everything - memcached, dbic, uuid, json, etc.


Erm, yes, your config is gonna have memcached and dbic connection info 
in it..


I wasn't aware that generating UUIDs or JSON had enough state to want to 
initialize, but I may be wrong. ;)


Given you have your business/domain logic in your controllers, this 
makes perfect sense, and yes - it _is_ going to be hard to initialize 
stuff externally.


This is exactly why you separate everything into a model!

By writing 'use MyApp' i get everything i need. Additionally, MyApp is 
complex system which consists of a lot of modules (by means of C3) and 
is not only a web framework.


Erm, I have no idea what you're talking about here? MyApp ISA Plugin1, 
Plugin2, Catalyst, method re-dispatch is through C3..


What plugins are you using which don't do anything web related, and why? 
(As they're probably a bad idea, and would be better as models)


I would be nagged if i do not load Catalyst 
at all, then i'll have to use every component from script directly 
writing a lot of code instead of nice and short 'use MyApp'.


use MyModel;

MyModel->new(Config::General->new('myapp.conf')->getall->{"MyApp::MyModel"));

That isn't a lot of code?

If your actual domain model needs DBIC and/or memcached, then it's 
fairly easy to set things up such that you either pass in the relevant 
config (and MyModel creates the objects for you), or you pass in 
pre-built instances in construction, which your model then uses. (And 
you then generate the Catalyst::Model::MyModel using 
Component::InstancePerContext or similar)


The former is probably preferable, as if you have a layer over DBIC 
anyway, then your client code shouldn't be touching DBIC - that's 
violating the law of demeter.


I'd say 
than Catalyst is not _Web_ framework, it is _everything framwork_.


No, sorry - you're doing it wrong.

Catalyst is meant to be thin glue between web (or at least 
request/response) stuff, and your business logic and state storage.


Classes should _always_ be standalone and validate their own state.

I'm guessing that your DBIC classes are fairly thin, and a lot of the 
domain logic is in your controllers. This results in no separation of 
concerns, and an anemic domain model


Not only does this tie you implicitly to the web and make testing your 
code harder than it needs to be, it also ensures that you're breaking 
the single responsibility principle, gives you a great headstart for 
violating the law of demeter.


In my 
own opinion it is better to make a little difference for scripts
(use MyApp { offline => 1 }) - which will not load web stuff and get 
start lighter.


I'm not concerned with / thinking about how much code you're actually 
loading - that's a purely secondary concern.


The issue is that you're being forced to jump through hoops to make 
everything look like it is a web request, and the fact that you need not 
one but two classes to achieve any state change - a controller to 
validate that the state change is ok, and then the model to actually 
store the state change - meaning that the data and code needed to 
operate on whilst ensuring the data stays valid lives in different 
places, not nice


but framework will stay with many features for such 
scripts - for example, automatic pid file with double execution prevent,


Catalyst doesn't do this for you?

wrapping script for errors detection on log files and many other, i.e. 
still framework-driven system,  not script-driven.


Erm, I'm not suggesting that you should be 'script driven', which I take 
to mean procedural ;)


All of my 'scripts' these days look like this:

package MyScript::Foo;
use Moose;
use MooseX::Types::Moose qw/Str/;
use namespace::autoclean;

with 'MooseX::Getopt';

has param1 => ( isa => Str, is => 'ro' );

sub run { # Do stuff here, usually a main loop, but delegating mostly to 
other methods}


__PACKAGE__->meta->make_immutable;
__PACKAGE__->new_with_options->run unless caller;

A 'script' does not mean you have to throw away good OO design..

Cheers
t0m

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Oleg Pronin]

P.S.
Tomas, you explain things from position of most web sites. But imagine for
example multiplayer gaming portal written in flash.
Flash sends request through HTTP as well as through TCP stream connection
(for gaming purposes).
TCP connections served by daemon (not by Catalyst::Engine::* of course).
But in TCP stream we send for example "/chess/action/make_move {JSON_DATA}"
I do not see any differences between HTTP requests and request to the
daemon. Just protocols are differ.
Catalyst and controllers are the same. Catalyst imho is _not only web_
framework.

2009/5/8 Tomas Doran 

> Oleg Pronin wrote:
>
>> Not really :-) While in request, browser header is ok, but the task is to
>> be able to authenticate in offline scripts as well - because the controllers
>> and etc read logged in user from $c->user.
>> Currently we use workaround - fake $c object + setup $c->request->header
>> for base authentication as it came from browser.
>>
>
> That's not _too much_ of a hack, given that you've got application logic in
> your controllers anyway.
>
> The recommended thing to do is to not have any application logic in your
> controllers (just have web parameter mangling related stuff). If your logic
> is all in the model, then your scripts can deal with authenticating without
> having to fake up a web request, or in fact load Catalyst at all, which is
> much nicer, and makes much more sense in a script context..
>
> Also, what do you mean by 'new Authentication',
>>Catalyst::Authentication::Credential::HTTP has _always_ worked like
>>this.
>>
>> I'm not sure but last time i used this feature (several months ago) it
>> worked fine
>>
>
> Hmm, well, if you still think I've broken something, I'd love to see a
> TestApp or test cases demonstrating what the problem is, as I'm still
> unclear.. (And if I did break it, I'd obviously like to fix it again)
>
>
> Cheers
> t0m
>
> ___
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Oleg Pronin]

2009/5/8 Tomas Doran 

> Oleg Pronin wrote:
>
>> Not really :-) While in request, browser header is ok, but the task is to
>> be able to authenticate in offline scripts as well - because the controllers
>> and etc read logged in user from $c->user.
>> Currently we use workaround - fake $c object + setup $c->request->header
>> for base authentication as it came from browser.
>>
>
> That's not _too much_ of a hack, given that you've got application logic in
> your controllers anyway.
>
> The recommended thing to do is to not have any application logic in your
> controllers (just have web parameter mangling related stuff). If your logic
> is all in the model, then your scripts can deal with authenticating without
> having to fake up a web request, or in fact load Catalyst at all, which is
> much nicer, and makes much more sense in a script context..
>

How do i should in this case read my config in script context ? MyApp
initializes everything - memcached, dbic, uuid, json, etc.
By writing 'use MyApp' i get everything i need. Additionally, MyApp is
complex system which consists of a lot of modules (by means of C3) and is
not only a web framework. I would be nagged if i do not load Catalyst at
all, then i'll have to use every component from script directly writing a
lot of code instead of nice and short 'use MyApp'. I'd say than Catalyst is
not _Web_ framework, it is _everything framwork_. In my own opinion it is
better to make a little difference for scripts
(use MyApp { offline => 1 }) - which will not load web stuff and get start
lighter, but framework will stay with many features for such scripts - for
example, automatic pid file with double execution prevent, wrapping script
for errors detection on log files and many other, i.e. still
framework-driven system,  not script-driven.


>
>
> Also, what do you mean by 'new Authentication',
>>Catalyst::Authentication::Credential::HTTP has _always_ worked like
>>this.
>>
>> I'm not sure but last time i used this feature (several months ago) it
>> worked fine
>>
>
> Hmm, well, if you still think I've broken something, I'd love to see a
> TestApp or test cases demonstrating what the problem is, as I'm still
> unclear.. (And if I did break it, I'd obviously like to fix it again)
>
>
> Cheers
> t0m
>
> ___
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Tomas Doran]

Oleg Pronin wrote:
Not really :-) While in request, browser header is ok, but the task is 
to be able to authenticate in offline scripts as well - because the 
controllers and etc read logged in user from $c->user.
Currently we use workaround - fake $c object + setup $c->request->header 
for base authentication as it came from browser.


That's not _too much_ of a hack, given that you've got application logic 
in your controllers anyway.


The recommended thing to do is to not have any application logic in your 
controllers (just have web parameter mangling related stuff). If your 
logic is all in the model, then your scripts can deal with 
authenticating without having to fake up a web request, or in fact load 
Catalyst at all, which is much nicer, and makes much more sense in a 
script context..



Also, what do you mean by 'new Authentication',
Catalyst::Authentication::Credential::HTTP has _always_ worked like
this.

I'm not sure but last time i used this feature (several months ago) it 
worked fine


Hmm, well, if you still think I've broken something, I'd love to see a 
TestApp or test cases demonstrating what the problem is, as I'm still 
unclear.. (And if I did break it, I'd obviously like to fix it again)


Cheers
t0m

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Oleg Pronin]

2009/5/8 Tomas Doran 

> Oleg Pronin wrote:
>
>> I've got problem with new Authentication too. It is said that one can pass
>> login & password to authenticate call. But it somewhy no longer
>> authenticates that way (in case of Credential::HTTP)
>>
>
> Credential::HTTP doesn't work like that.
>
> The credentials for HTTP auth come from the browser in headers, which is
> where it'll read them from. These are then mapped by your config into the
> appropriate field to find your user with, and the password checked.
>
> If you want to pass the username/password in manually yourself (e.g. from
> form submission), then you don't want Credential::HTTP.


Not really :-) While in request, browser header is ok, but the task is to be
able to authenticate in offline scripts as well - because the controllers
and etc read logged in user from $c->user.
Currently we use workaround - fake $c object + setup $c->request->header for
base authentication as it came from browser.


>
>
> Also, what do you mean by 'new Authentication',
> Catalyst::Authentication::Credential::HTTP has _always_ worked like this.

I'm not sure but last time i used this feature (several months ago) it
worked fine

>
>
> Cheers
> t0m
>
>
>
>
> ___
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Tomas Doran]

Oleg Pronin wrote:
I've got problem with new Authentication too. It is said that one can 
pass login & password to authenticate call. But it somewhy no longer 
authenticates that way (in case of Credential::HTTP)


Credential::HTTP doesn't work like that.

The credentials for HTTP auth come from the browser in headers, which is 
where it'll read them from. These are then mapped by your config into 
the appropriate field to find your user with, and the password checked.


If you want to pass the username/password in manually yourself (e.g. 
from form submission), then you don't want Credential::HTTP.


Also, what do you mean by 'new Authentication', 
Catalyst::Authentication::Credential::HTTP has _always_ worked like this.


Cheers
t0m



___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Authorization Failure

[Oleg Pronin]

I've got problem with new Authentication too. It is said that one can pass
login & password to authenticate call. But it somewhy no longer
authenticates that way (in case of Credential::HTTP)

2009/5/7 Ascii King 

> the authorization component of my application no longer works properly. Did
> something change with Catalyst::Plugin::Authorization? I searched the lists,
> but I didn't see anything.
>
> My authorization code came from the Catalyst tutorial and I'm pretty sure
> it used to work. However, I started doing some detailed checking lately and
> found that it behaves erratically.  If I only have one role listed in the
> array (between the square brackets), it seems to work.  More than one fails.
>
> using these:
>   Authentication
>   Authorization::Roles
>   Authorization::ACL
>
>
> Here's my code.
> # Authorization::ACL Rules
> __PACKAGE__->allow_access_if(
>   "/prior/list_prior",
>   [qw/admin office remote/],
> );
> __PACKAGE__->deny_access_if(
>   "/account/list_account",
>   [qw/admin office/],
> );
>
> When testing the above statement, admin and office are supposed to be
> allowed access to 'list_account'. However, admin can access it, but office
> and remote cannot. If I change it to 'allow_access_if' then everyone can get
> access.
>
>
> ___
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/