On 19/12/2012, at 3:09 AM, David Cantrell wrote:

> On 15/12/2012 19:20, David Precious wrote:
> 
>>     get '/foo' => requires_role ['Foo','Bar'] => sub { ... };
>> 
>> (requires_roles could be added as an alias, so code could read better.)
>> 
>> I imagine the common requirement will be to say "any of these roles",
>> not "all of these roles".  I was considering whether requires_role
>> should be for "must have this role" or "must have all of these roles",
>> and e.g. a new requires_any_role keyword would be added to ensure a
>> user had all the specified roles; I'm not sure how valuable that would
>> be, though.
> 
> You definitely need to be able to support any and all. Which is the default 
> doesn't really matter IMO.


I'd go for the most restrictive option (all) being the default. This ensures 
that someone who mis-guesses or misinterprets the default behaviour is less 
likely to grant inappropriate access to their content. Accidental denial of 
access can be un-denied, but disclosed information cannot be un-disclosed.

_______________________________________________
dancer-users mailing list
[email protected]
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
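
The default-to-"all" argument above, as an added example (not code from this thread or from the plugin under discussion): a stand-alone role check in which `role_check`, the mode strings and the sample users are hypothetical. It goes one step beyond the thread by also denying on an empty role list, because "all of nothing" is vacuously true.

```perl
use strict;
use warnings;
use List::Util qw(all any);

# Constructed sample data: users and the roles they hold.
my %roles_for = (
    alice => [qw(Foo Bar)],
    bob   => [qw(Foo)],
    carol => [],
);

# Hypothetical helper, not the plugin's API. The mode defaults to 'all',
# the most restrictive reading; 'any' has to be requested explicitly.
sub role_check {
    my ($user, $required, $mode) = @_;
    $mode //= 'all';

    # An empty or malformed role list denies access. Without this guard,
    # all {} over an empty list returns true and would admit everyone.
    return 0 unless ref $required eq 'ARRAY' && @$required;

    my %held = map { $_ => 1 } @{ $roles_for{$user} // [] };

    my $ok = 0;    # unrecognised mode: fail closed
    if    ($mode eq 'all') { $ok = all { $held{$_} } @$required }
    elsif ($mode eq 'any') { $ok = any { $held{$_} } @$required }
    return $ok ? 1 : 0;
}

# Compare the two readings of requires_role ['Foo','Bar'] for each user.
my @required = qw(Foo Bar);
for my $user (sort keys %roles_for) {
    printf "%-6s default(all)=%d  any=%d\n", $user,
        role_check($user, \@required),
        role_check($user, \@required, 'any');
}

# Edge cases: empty role list, unknown mode, unknown user.
printf "empty list=%d  bad mode=%d  unknown user=%d\n",
    role_check('alice', []),
    role_check('alice', \@required, 'some'),
    role_check('mallory', \@required, 'any');
```

The rows where the two columns differ are the users who would gain access if a developer expected "all" while the default was "any".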
