This is more of a philosophical question about how to handle authz with roles, but is perhaps OT for Catalyst, I suppose.
I am converting an older app that had a very messy authorization system. I have three different libraries, and users were assigned a numerical access level to each one; a "3" would be read-only access, "7" would be add or edit, etc. (This is sort of arbitrary; I didn't actually use each number.) For system-wide changes--user adding and editing, for example--the original or "main" library rights were looked at, so that a person with "9" access to this library could add users. I'm in the process of changing this over to a role-based system, with the usual Cat modules for this. However, I'm finding that there are various things for which it seems crazy to create roles, but which nonetheless need authz. So, for instance, I have my personal library, to which outside people can have read access. But these people probably shouldn't be able to see what I paid for each book. In the old system, I checked if the user had jts_access >= 7 in order to display this. In the new system, I don't want to create a role for "jts_price-paid_viewing" or whatever; on the other hand, merely checking the "jts_add" role isn't the actual right I'm looking for. Does this matter? There are various other things like that, in particular with user-handling routines (should anyone with the user_edit role be able to edit _any_ user, or should there be a way to ensure that the admin user can only be edited by...well, who? Should there be separate rights to add/edit roles themselves? etc.). So I guess the overall question is how granular this sort of thing needs to be, or whether I can just declare an "admin" role for anything really high-powered and leave it at that? That sort of thing. Thanks for any thoughts. Jesse Sheidlower _______________________________________________ List: [email protected] Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/[email protected]/ Dev site: http://dev.catalyst.perl.org/
