Question: when a user logs in to our Catalyst app, he/she should only see the items he/she is allowed to see. But the only way we can figure out how to do this is to pass $c->user either to the ResultSet methods or to the FormHandler methods, making the app more and more interdependent... Is there a better paradigm in the context of a Catalyst app?
Right now we're working this via DBIC ResultSet like so:

    package Incident::Schema::DB::ResultSet::Incident;
    use base 'DBIx::Class::ResultSet';

    sub security {
        my $rs   = shift;
        my $user = shift;
        $user = $user->obj if ( $user->can('obj') );

        if ( $user->is_admin ) {
            return $rs;    # everything is visible to admins
        }

        # corp_team_ids is a method from the Incident::User schema
        my %visible_teams = map { $_ => 1 } $user->corp_team_ids;

        $rs = $rs->search(
            { 'me.team' => { -in => [ keys %visible_teams ] } },
            { order_by => ['created'] }
        );
        return $rs;
    }

Then...

    package Incident::Web::Controller::Ticket;
    use Moose;
    BEGIN { extends 'Catalyst::Controller'; }

    sub base : Chained('/auth') PathPart('ticket') CaptureArgs(0) {
        my ( $self, $c ) = @_;
        my $rs = $c->model('Incident::Ticket')->security( $c->user );
        $c->stash( incident_rs => $rs );
    }

Is this kosher? In this context it's a DBIC resultset depending on another DBIC object, so it may not be as big an issue as, say, when we have HTML::FormHandler popup menus that should only show the user options based on the user's role and/or organization. Is there a canonical way to approach this both in ResultSets and in FormHandler forms?

-- 
"The very nucleus of Character: to do what you know you should do, when you don't want to do it." Stephen Covey
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
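The following is an added, self-contained illustration of the restricted-resultset pattern the post describes; it is not the poster's code and not part of the Incident application. It assumes DBIx::Class and DBD::SQLite are installed and uses hypothetical package names (My::Schema, Fake::User) in place of the real Incident::Schema and Catalyst user classes. Beyond the post's snippet, it shows two things a reviewer would check: that a user with no teams gets an empty set rather than the whole table, and that a direct `find($id)` on the restricted resultset cannot reach an incident from another team. The `select_options` method builds the option list for a FormHandler-style popup from the same restricted resultset, so the form and the listing share one visibility rule.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical schema modelled on the post's Incident::Schema (names assumed).
package My::Schema::Result::Incident;
use base 'DBIx::Class::Core';
__PACKAGE__->table('incident');
__PACKAGE__->add_columns(
    id      => { data_type => 'integer', is_auto_increment => 1 },
    team    => { data_type => 'integer' },
    title   => { data_type => 'text' },
    created => { data_type => 'integer' },
);
__PACKAGE__->set_primary_key('id');
__PACKAGE__->resultset_class('My::Schema::ResultSet::Incident');

package My::Schema::ResultSet::Incident;
use base 'DBIx::Class::ResultSet';

# Narrow the resultset to what $user may see: admins see everything,
# everyone else only incidents owned by one of their teams.
sub security {
    my ( $rs, $user ) = @_;
    $user = $user->obj if $user->can('obj');    # unwrap Catalyst's user wrapper
    return $rs if $user->is_admin;

    my @teams = $user->corp_team_ids;
    # Fail closed: a user with no teams gets an empty set, never the full table.
    return $rs->search( { 'me.id' => undef } ) unless @teams;

    return $rs->search(
        { 'me.team' => { -in => \@teams } },
        { order_by  => ['created'] },
    );
}

# Options for a select field, built from the already-restricted resultset so a
# form can never offer an incident the user is not allowed to see.
sub select_options {
    my $rs = shift;
    return [ map { { value => $_->id, label => $_->title } } $rs->all ];
}

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class( Incident => 'My::Schema::Result::Incident' );

# Stand-in for the Catalyst user object (constructed here, not Catalyst's class).
package Fake::User;
sub new           { my ( $class, %a ) = @_; bless {%a}, $class }
sub is_admin      { $_[0]{is_admin} }
sub corp_team_ids { @{ $_[0]{teams} } }

package main;

my $schema = My::Schema->connect('dbi:SQLite::memory:');
$schema->storage->dbh->do(
    'CREATE TABLE incident (id INTEGER PRIMARY KEY AUTOINCREMENT, '
  . 'team INTEGER NOT NULL, title TEXT, created INTEGER)'
);

# Constructed sample rows: one incident per team, ids 1..3 in insert order.
$schema->resultset('Incident')->populate([
    [qw(team title created)],
    [ 1, 'firewall misconfiguration', 1 ],
    [ 2, 'phishing report',           2 ],
    [ 3, 'lost laptop',               3 ],
]);

my $rs      = $schema->resultset('Incident');
my $analyst = Fake::User->new( is_admin => 0, teams => [ 1, 2 ] );
my $admin   = Fake::User->new( is_admin => 1, teams => [] );
my $nobody  = Fake::User->new( is_admin => 0, teams => [] );

printf "analyst sees %d, admin sees %d, user with no teams sees %d\n",
    $rs->security($analyst)->count,
    $rs->security($admin)->count,
    $rs->security($nobody)->count;

# find() is applied on top of the restricted resultset's WHERE clause, so a
# direct lookup by id cannot reach the team-3 incident as the analyst.
my $hidden = $rs->security($analyst)->find(3);
print defined $hidden ? "LEAK: id 3 visible\n" : "id 3 not visible to analyst\n";

# The same restricted resultset feeds the form's popup menu.
print "option: $_->{label}\n" for @{ $rs->security($analyst)->select_options };
```

The design point is that authorization lives in exactly one place, the resultset, and everything downstream (listings, `find` by id, form option lists) is derived from it; passing the user into `security` once in a chained base action, as the post does, keeps the controllers from re-implementing the rule.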