Re: [Catalyst] Dynamic authorization

2009-07-09 Thread Tomas Doran

Gunnar Strand wrote:
> The table would then be consulted whenever a resource is accessed, and
> the lookup would be put in a central place, if possible. I've
> implemented a :Restricted action which handles authentication, and
> that is where I would try to add the authorization as well. One of the
> tricky things would be to have a generic way to create the resource
> identifier from request input.


I think that for the complexity of what you're doing with auth, the 
authorization should be in the model layer.


You should have methods on the model layer which take some form of 
'user', and restrict what can be retrieved by that user. This is domain 
logic, so you need to build it into the domain.


> Does anyone know if this can be implemented using ACL or Roles, and what are
> the principles for doing so?
>
> If not, what is your experience in solving this problem?


DBIx::Class::Schema::RestrictWithObject is probably the place to start 
looking.


Cheers
t0m

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] Dynamic authorization

2009-07-09 Thread Gunnar Strand

Tomas Doran wrote:
> Gunnar Strand wrote:
>> The table would then be consulted whenever a resource is accessed,
>> and the lookup would be put in a central place, if possible. I've
>> implemented a :Restricted action which handles authentication, and
>> that is where I would try to add the authorization as well. One of
>> the tricky things would be to have a generic way to create the
>> resource identifier from request input.
>
> I think that for the complexity of what you're doing with auth, then
> the authorization should be in the model layer.
>
> You should have methods on the model layer which take some form of
> 'user', and restrict what can be retrieved by that user. This is
> domain logic, so you need to build it into the domain.

Thanks, Tom. You are of course correct. Moving authorization to the data 
model will make it harder to show only authorized functions in the 
presentation layer, though. I'll have to think about this, but it seems 
that it is a fairly early design decision whether the authorization should 
be in the control or model part. And perhaps using ACL or groups will suffice.

KR,
Gunnar
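
Added example, not from the thread and not code written by either poster:
the pattern t0m describes above (model-layer methods that take a user and
restrict what it can retrieve), wired up through
DBIx::Class::Schema::RestrictWithObject, plus a method on the row class that
answers Gunnar's presentation-layer question without moving the rule back
into the controller. It assumes DBIx::Class, DBD::SQLite and
DBIx::Class::Schema::RestrictWithObject are installed. The
restrict_<Moniker>_resultset naming convention is as I recall it from that
module's POD and should be checked against the version you install; the
article table, the My::User class, the sample rows and the ACCEPT_CONTEXT
sketch in the comment are constructed for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# --- Model layer: the row class knows what a given user may do with it ----
package My::Schema::Result::Article;
use base 'DBIx::Class::Core';
__PACKAGE__->table('article');
__PACKAGE__->add_columns(qw/id owner_id title is_public/);
__PACKAGE__->set_primary_key('id');

# Domain rule kept next to the data: only the owner may edit.
# A template can call this to decide whether to render an "edit" link,
# which is the presentation concern raised in the thread.
sub editable_by {
    my ($self, $user) = @_;
    return $self->owner_id == $user->id ? 1 : 0;
}

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->load_components('Schema::RestrictWithObject');
__PACKAGE__->register_class(Article => 'My::Schema::Result::Article');

# --- The 'user' object the schema is restricted with ----------------------
# Constructed for the example: a plain object, not a DB row.
# RestrictWithObject looks for restrict_<Moniker>_resultset methods on it
# (naming as remembered from the POD; verify against your installed version).
package My::User;
sub new { my ($class, %args) = @_; return bless {%args}, $class }
sub id  { $_[0]{id} }

# Every lookup through the restricted schema (search, find, count) passes
# through here, so a controller cannot forget to apply the rule.
sub restrict_Article_resultset {
    my ($self, $unrestricted_rs) = @_;
    return $unrestricted_rs->search_rs(
        { -or => [ owner_id => $self->id, is_public => 1 ] }
    );
}

package main;

my $schema = My::Schema->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1 });
$schema->storage->dbh->do(<<'SQL');
CREATE TABLE article (
    id        INTEGER PRIMARY KEY,
    owner_id  INTEGER NOT NULL,
    title     TEXT    NOT NULL,
    is_public INTEGER NOT NULL DEFAULT 0
)
SQL

# Constructed sample data: alice is user 1, bob is user 2.
$schema->resultset('Article')->populate([
    [qw/id owner_id title is_public/],
    [ 1, 1, 'alice private', 0 ],
    [ 2, 1, 'alice public',  1 ],
    [ 3, 2, 'bob private',   0 ],
]);

my $alice = My::User->new(id => 1);
my $bob   = My::User->new(id => 2);

# Hand each request a schema restricted with the current user.  In a
# Catalyst app this is what MyApp::Model::DB's ACCEPT_CONTEXT would hand
# back, roughly: $self->schema->restrict_with_object($c->user->get_object)
my $as_alice = $schema->restrict_with_object($alice);
my $as_bob   = $schema->restrict_with_object($bob);

printf "alice sees %d articles\n", $as_alice->resultset('Article')->count; # 2
printf "bob sees %d articles\n",   $as_bob->resultset('Article')->count;   # 2

# The tampered-URL case: bob asks for article 1 by id.  The restriction is
# applied before the primary-key lookup, so the row is simply not found;
# no per-action check in the controller is needed.
my $leak = $as_bob->resultset('Article')->find(1);
print 'bob fetching article 1: ', ($leak ? 'LEAKED' : 'not found'), "\n";

# Presentation layer: ask the row, not the controller, what to render.
my $pub = $as_bob->resultset('Article')->find(2);
printf "bob may edit article 2: %s\n",   $pub->editable_by($bob)   ? 'yes' : 'no';
printf "alice may edit article 2: %s\n", $pub->editable_by($alice) ? 'yes' : 'no';
```

Run it with perl; it expects the three modules named in the lead-in. The
point of the split is that retrieval is restricted once, in the schema the
request is given, while per-row capability questions (editable_by) stay on
the row class so the view can ask them without re-implementing the rule.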