On Wed, 2009-09-30 at 06:53 -0700, Bill Moseley wrote:

> Does that approach provide you with enough fine-grained access
> control?
> I suppose you can check the action name in auth_required().

It actually does. Basically either the entire class requires auth or not, and if I need to occasionally require auth for specific methods that's easy enough to take care of on a case-by-case basis.

> There are a number of existing modules to consider, for example:
>
> Catalyst::Action::Role::ACL
> Catalyst::Plugin::Authorization::ACL

In order to use these I would have to rewrite significant portions of the code. At this point it's not worthwhile doing.

> I've also used an approach where I check for roles in each
> controller's auto method, and I've also used method attributes to
> indicate the access level required for each action (which has the
> benefit where I can require *every* dispatched action to have an
> access level specified or be blocked).
>
> I also do not detach to a login page, rather I always redirect. Not
> sure I remember the details of that choice, but one reason might have
> been I didn't want a URL for one resource to return a 200 yet not
> return the response for that URL and instead return a login form.

I'm actually doing forwards to my login page right now, so that when a user logs in they can still see the page they were originally trying to view. I capture the URL they were attempting to view in the login process.

-- 
 o) Derek Wueppelmann               (o
(D .  [email protected]     D).
((`   http://www.monkeynet.ca       ( )
 `

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
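The two approaches discussed in the thread, an auth check in a controller's auto method and a login action that sends the user back to the page they originally asked for, can be combined in a handful of lines. The code below is an added illustration written for this page, not code posted by either participant and not the Catalyst distribution's own code; the application name MyApp, the controller namespaces, the session key return_to, the template name login.tt and the helper safe_return_to are all assumed for the example. It assumes the stock Catalyst::Plugin::Authentication and Catalyst::Plugin::Session are loaded. It follows the redirect rather than forward choice described above (the protected URL answers 302, never a 200 carrying a login form), and it adds the check a practitioner wants on a stored return URL: only a local path is accepted, so the login page cannot be turned into an open redirect by a crafted link.

```perl
package MyApp::Controller::Admin;   # assumed controller name for the example
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# auto runs before every action under /admin. Returning 0 stops the
# dispatch chain, so no action in this controller sees an anonymous request.
sub auto : Private {
    my ($self, $c) = @_;
    return 1 if $c->user_exists;

    # Remember only path+query (never the full absolute URL) and only for
    # GET: a POST body cannot be replayed after the login round trip.
    if ($c->req->method eq 'GET') {
        $c->session->{return_to} = $c->req->uri->path_query;   # assumed key
    }

    # Redirect instead of forwarding, so the protected URL returns 302,
    # not a 200 whose body is a login form.
    $c->res->redirect($c->uri_for('/login'));
    $c->detach;
    return 0;
}

sub reports : Local : Args(0) {
    my ($self, $c) = @_;
    $c->res->body('only reached by an authenticated user');
}

__PACKAGE__->meta->make_immutable;

package MyApp::Controller::Login;   # assumed; would normally live in its own file
use Moose;
use namespace::autoclean;
use URI;
BEGIN { extends 'Catalyst::Controller' }

sub index : Path : Args(0) {
    my ($self, $c) = @_;

    if ($c->req->method eq 'POST') {
        my $ok = $c->authenticate({
            username => $c->req->params->{username},
            password => $c->req->params->{password},
        });
        if ($ok) {
            # New session id on privilege change: defeats session fixation.
            $c->change_session_id;
            my $target = delete $c->session->{return_to};
            $c->res->redirect(safe_return_to($c, $target));
            $c->detach;
        }
        $c->stash->{error} = 'Login failed';
    }
    $c->stash->{template} = 'login.tt';   # assumed template name
}

# Accept only a local absolute path: exactly one leading slash. This refuses
# "http://evil.example/..." and the protocol-relative "//evil.example/...",
# either of which would make the login page an open redirect. Anything
# rejected or missing falls back to the application root.
sub safe_return_to {
    my ($c, $target) = @_;
    return $c->uri_for('/')
        unless defined $target && $target =~ m{\A/(?!/)};
    return URI->new_abs($target, $c->req->base);
}

__PACKAGE__->meta->make_immutable;

1;
```

The stored value is the server path plus query string of the original request, which is exactly what a browser needs to land back on the same page; storing it in the session rather than in a `return_to` request parameter means an attacker cannot hand a victim a login link that bounces them somewhere else after they sign in. The method check matters for the same reason Bill gives for redirecting: a request that was a POST cannot be reconstructed by a GET to its URL, so it is better to send that user to a known page than to a half-replayed one.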
