I'm looking for your suggestions on enforcing access policy within DBIC: In my Music database I have a hierarchy of objects like this:
notes -> tracks -> cds -> artists -> label -> user_access -> users The user_access table links users with a label. When I fetch an object from the database I join to the users table to make sure the user has access to the label. If no row in user_access then the user has no access at all. Now, the user_access table also has a read_only flag. My plan here is when I join to user_access to add a column to every object called "is_readonly" so that code can look at any row object and determine if it's read-only or not. But, I also want to enforce the read-only state in the model. And this is where I need some ideas. One idea would be to alter the schema so there's no storage associated with a read-only object (so calling ->update would die). I'm not sure how to implement that. Another idea is to override update() and delete() and look for the is_readonly flag and abort the "is_readonly" flag exists on the object. Both of those don't work with create, though. So, I'm wondering about adding a call before create() that calls can_create() which would be a class method that would know how to test a given create. For example, trying to insert a new note, the "Note" class would test that the track id passed to create() can be joined to the user via the user_access table and that the user_access.read_only flag is false. (Yes, the "current_user" is available to DBIC as it's stored in the schema object.) Other suggestions? Thanks, -- Bill Moseley [email protected]
_______________________________________________ List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class IRC: irc.perl.org#dbix-class SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/ Searchable Archive: http://www.grokbase.com/group/[email protected]
