Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?
Oh, I didn't know I can use custom attributes, cool..

On Mon, Apr 20, 2009 at 5:13 PM, Matt S Trout dbix-cl...@trout.me.uk wrote:

> On Sun, Apr 19, 2009 at 05:53:42PM +0400, Nickolay Platonov wrote:
> > and I'm using this to implicitly specify which actions in controllers
> > require authorization:
> >
> > #==
> > #Controller
> > sub update :Local :ActionClass('+Travel::Action::AuthorizationRequired') {
> >     my ( $self, $c ) = @_;
> >     my $token = $c->req->params->{'token'};
> >     ..
> > }
> >
> > #==
> > #AuthorizationRequired Action
> > sub execute {
> >     my $self = shift;
> >     my ( $controller, $c ) = @_;
> >     if ( !$c->user_exists() ) {
> >         $c->stash->{template} = "auth_required.tt2";
> >         $c->detach('View::TT');
> >     }
> >     $self->NEXT::execute( @_ );
> > };
>
> That's a lot of complexity compared to:
>
> sub update :Local :AuthorizationRequired {
>     ...
> }
>
> sub auto :Private { # in Root.pm (or use a root chain part to do the same)
>     my ($self, $c) = @_;
>     if ($c->action->attributes->{AuthorizationRequired} && !$c->user_exists) {
>         $c->forward('auth_required');
>         return 0;
>     }
>     return 1; # auto must return true for the request to continue
> }
>
> sub auth_required :Private {
>     my ($self, $c) = @_;
>     $c->stash(template => 'auth_required.tt2');
> }

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?
On Sun, Apr 19, 2009 at 10:06:51AM +1000, kakim...@tpg.com.au wrote:

> hi, all
> what's the best way to exclude static requests from needing the user to
> log in?
>
> Some parts of my site are open to general public. For example, the
> 'contact us', 'services portfolio' and so forth pages.
>
> At the moment, I have put in codes in my MyApp::Controller::Root->auto
> and it seems to want every request to be logged on.

Two options:

(1) (preferred) use Chained and have two root chain points, one that requires login and one that doesn't

(2) sub static_serving_thing :NoLogin and check for $c->action->attributes->{NoLogin} in your root auto

I'd suggest avoiding the ACL plugin; the implementation's a complete hack and Chained effectively obsoletes it anyway.

-- 
Matt S Trout, Technical Director, Shadowcat Systems Ltd.
http://chainsawblues.vox.com/
Need help with your Catalyst or DBIx::Class project? http://www.shadowcat.co.uk/catalyst/
Want a managed development or deployment platform? http://www.shadowcat.co.uk/servers/
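
Option (1) from the message above, sketched as an added example; it is not code from the thread or from the Catalyst project. The application name MyApp, the action names public and members, and the template names are assumptions, and Catalyst::Plugin::Authentication is assumed to be loaded so that $c->user_exists is available.

```perl
package MyApp::Controller::Root;    # hypothetical application name
use strict;
use warnings;
use parent 'Catalyst::Controller';

# The Root controller answers at '/', not '/root'.
__PACKAGE__->config( namespace => '' );

# Chain root 1: public pages. No login check runs for endpoints chained here.
sub public :Chained('/') :PathPart('') :CaptureArgs(0) { }

# Chain root 2: runs before every endpoint chained to it.
sub members :Chained('/') :PathPart('') :CaptureArgs(0) {
    my ( $self, $c ) = @_;
    return if $c->user_exists;

    # Not logged in: redirect and abandon the rest of the chain, so the
    # endpoint body never executes.
    $c->res->redirect( $c->uri_for('/login') );
    $c->detach;
}

# /contact_us is reachable without a login.
sub contact_us :Chained('public') :PathPart('contact_us') :Args(0) {
    my ( $self, $c ) = @_;
    $c->stash( template => 'contact_us.tt2' );    # assumed template name
}

# /update only runs after members() has let the request through.
sub update :Chained('members') :PathPart('update') :Args(0) {
    my ( $self, $c ) = @_;
    my $token = $c->req->params->{'token'};
    $c->stash( template => 'update.tt2', token => $token );    # assumed template
}

# Caveat: actions declared with :Local, :Path or :Global belong to neither
# chain, so members() never runs for them. Keep such actions to pages that
# are meant to be public (the login page itself, for instance).

1;
```

Each endpoint names its chain root in its own attributes, so whether it sits behind the login check is visible on the action and does not depend on a path list kept elsewhere.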
Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?
and I'm using this to implicitly specify which actions in controllers require authorization:

#==
#Controller
sub update :Local :ActionClass('+Travel::Action::AuthorizationRequired') {
    my ( $self, $c ) = @_;
    my $token = $c->req->params->{'token'};
    ..
}

#==
#AuthorizationRequired Action
sub execute {
    my $self = shift;
    my ( $controller, $c ) = @_;
    if ( !$c->user_exists() ) {
        $c->stash->{template} = "auth_required.tt2";
        $c->detach('View::TT');
    }
    $self->NEXT::execute( @_ );
};

On Sun, Apr 19, 2009 at 2:18 PM, Matt S Trout dbix-cl...@trout.me.uk wrote:

> On Sun, Apr 19, 2009 at 10:06:51AM +1000, kakim...@tpg.com.au wrote:
> > hi, all
> > what's the best way to exclude static requests from needing the user to
> > log in?
> >
> > Some parts of my site are open to general public. For example, the
> > 'contact us', 'services portfolio' and so forth pages.
> >
> > At the moment, I have put in codes in my MyApp::Controller::Root->auto
> > and it seems to want every request to be logged on.
>
> Two options:
>
> (1) (preferred) use Chained and have two root chain points, one that
> requires login and one that doesn't
>
> (2) sub static_serving_thing :NoLogin and check for
> $c->action->attributes->{NoLogin} in your root auto
>
> I'd suggest avoiding the ACL plugin; the implementation's a complete hack
> and Chained effectively obsoletes it anyway.
Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?
On Sun, Apr 19, 2009 at 9:06 AM, kakim...@tpg.com.au wrote:

> hi, all
> what's the best way to exclude static requests from needing the user to
> log in?
>
> Some parts of my site are open to general public. For example, the
> 'contact us', 'services portfolio' and so forth pages.
>
> At the moment, I have put in codes in my MyApp::Controller::Root->auto
> and it seems to want every request to be logged on.
> Hence, identifying which path requests are for my static pages, I have
> put in a filter in the MyApp::Controller::Root->auto method to return a
> 1 and not go further.
>
> Any better way around this?
> Another way is to have specific methods in controllers themselves (any
> CRUD method) checking if the user was logged on each time they request a
> controller action that requires authentication.
>
> Anyway, here's the source code. Hope it makes sense and thanks, everyone!
>
> -- extract - MyApp::Controller::Root->auto method (start) --
>
> sub auto : Private {
>     my ($self, $c) = @_;
>
>     # filter out the static requests
>     if ( $c->request->path() =~ m{^(sign_up|subscription_plans|services_portfolio|company_profile|contact_us)$}smx ) {
>         return 1;
>     }
>     elsif ($c->controller eq $c->controller('Login') or
>            $c->controller eq $c->controller('Logout')) {
>         return 1;
>     }
>     else {
>         unless ($c->user_exists()) {
>             $c->log->debug( "Root.pm - auto - USER's not logged in. Forcing login and setting 'requested_page' = " . $c->req->path() );
>             myApp::Controller::Shared->store_in_session ($c,
>                 {
>                     'requested_page' => $c->req->path(),
>                 }
>             );
>             $c->response->redirect($c->uri_for('/login'));
>             return 0;
>         }
>         return 1;
>     }
> }
>
> -- extract - MyApp::Controller::Root->auto method (end) --

I can think of several ways, the best being to use the ACL plugin, since this is what it is for. Drop the auto action determining what is necessary and catch the auth errors in /end and handle accordingly.

Or, you could use Chained and have a root chain that requires authentication (or, conversely, one that doesn't) and link that way. This would be the second best, in my opinion, but seeing that you aren't building your application with Chained you probably aren't going to switch.

The way with your current code that I would do it is to define a configuration key in your controller, like

__PACKAGE__->config({ require_login => 0 });

Then you can modify your Root::auto method, and add in something like this:

if ( defined $c->controller->{require_login} and $c->controller->{require_login} == 0 ) {
    return 1;
}

This, by default, would assume the user is required to login but then would look at the controllers for the individual requirements. Still a bit dirty, but not that intrusive.

-J
Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?
On Apr 18, 2009, at 8:06 PM, kakim...@tpg.com.au wrote:

> hi, all
> what's the best way to exclude static requests from needing the user to
> log in?

The best way to exclude static requests from needing the user to log in is to not run them through Catalyst at all. Configure your web server so that static files are served directly by the server. This will greatly improve performance as well as simplify your Catalyst code.

Unless that's not what you mean by static. If by static you still mean some dynamic content, I would strongly avoid putting all the logic for access control in Root's auto method. Root's auto method then knows too much about the implementation details of each controller. Instead put the access control logic where it belongs - with the stuff it's controlling access to.

- john romkey
http://www.romkey.com/
Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?
hi, John,

Good arvo. Thanks for the comments.
My replies are as per below:

Quoting John Romkey rom...@apocalypse.org:

> On Apr 18, 2009, at 8:06 PM, kakim...@tpg.com.au wrote:
> > hi, all
> > what's the best way to exclude static requests from needing the user to
> > log in?
>
> The best way to exclude static requests from needing the user to log in
> is to not run them through Catalyst at all. Configure your web server so
> that static files are served directly by the server. This will greatly
> improve performance as well as simplify your Catalyst code.

K. akimoto: You have a very good point and I think I will consider this.

> Unless that's not what you mean by static. If by static you still mean
> some dynamic content, I would strongly avoid putting all the logic for
> access control in Root's auto method. Root's auto method then knows too
> much about the implementation details of each controller. Instead put
> the access control logic where it belongs - with the stuff it's
> controlling access to.
>
> - john romkey
> http://www.romkey.com/

K. akimoto: this is interesting. All requests would have to go through Root->auto before any other actions in controllers. Hence, whilst the Root->auto method does hold implementation details of all controllers in the application, it certainly makes future maintenance of the application (in terms of controlling all controller access) easier because the configuration is found in one spot rather than all across the many controllers.

Is doing so a bad practice? I would really like to hear some good discussions here..

Thank you again, John :)

K. akimoto