Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?

2009-04-25 Thread Nickolay Platonov
Oh, I didn't know I can use custom attributes, cool..

On Mon, Apr 20, 2009 at 5:13 PM, Matt S Trout dbix-cl...@trout.me.uk wrote:

> On Sun, Apr 19, 2009 at 05:53:42PM +0400, Nickolay Platonov wrote:
> > and I'm using this to implicitly specify which actions in controllers
> > require authorization:
> >
> > #==
> > #Controller
> >
> > sub update :Local :ActionClass('+Travel::Action::AuthorizationRequired') {
> >     my ( $self, $c ) = @_;
> >
> >     my $token = $c->req->params->{'token'};
> >     ..
> > }
> >
> > #==
> > #AuthorizationRequired Action
> >
> > sub execute {
> >     my $self = shift;
> >     my ( $controller, $c ) = @_;
> >
> >     if ( !$c->user_exists() ) {
> >
> >         $c->stash->{template} = "auth_required.tt2";
> >
> >         $c->detach('View::TT');
> >     }
> >
> >     $self->NEXT::execute( @_ );
> > };

> That's a lot of complexity compared to:
>
> sub update :Local :AuthorizationRequired {
>   ...
> }
>
> sub auto :Private { # in Root.pm (or use a root chain part to do the same)
>   my ($self, $c) = @_;
>   if ($c->action->attributes->{AuthorizationRequired} && !$c->user_exists) {
>     $c->forward('auth_required');
>     return 0;
>   }
>   return 1; # let every other request continue to its action
> }
>
> sub auth_required :Private {
>   my ($self, $c) = @_;
>   $c->stash(template => 'auth_required.tt2');
> }

> --
> Matt S Trout       Need help with your Catalyst or DBIx::Class project?
> Technical Director                    http://www.shadowcat.co.uk/catalyst/
> Shadowcat Systems Ltd.  Want a managed development or deployment platform?
> http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
>
> ___
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/



Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?

2009-04-19 Thread Matt S Trout
On Sun, Apr 19, 2009 at 10:06:51AM +1000, kakim...@tpg.com.au wrote:
>
> hi, all
>
>    what's the best way to exclude static requests from needing the user
> to log in?
> Some parts of my site are open to general public. For example, the
> 'contact us', 'services portfolio' and so forth pages.
>
>   At the moment, I have put in codes in my MyApp::Controller::Root->auto
> and it seems to want every request to be logged on.

Two options:

(1) (preferred) use Chained and have two root chain points, one that requires
login and one that doesn't

(2) sub static_serving_thing :NoLogin and check for
$c->action->attributes->{NoLogin} in your root auto

I'd suggest avoiding the ACL plugin; the implementation's a complete hack
and Chained effectively obsoletes it anyway.

-- 
Matt S Trout       Need help with your Catalyst or DBIx::Class project?
Technical Director                    http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
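
The two-root-chain layout from option (1) above, as an added example that is not code from the original post or from the Catalyst project. The action names `public`, `secure`, `contact_us` and `update`, the template names and the `requested_page` session key are assumptions, and `$c->session` assumes Catalyst::Plugin::Session is loaded.

```perl
package MyApp::Controller::Root;
use strict;
use warnings;
use parent 'Catalyst::Controller';

# The root controller answers at the application root.
__PACKAGE__->config( namespace => '' );

# Chain root 1: public. Nothing to check, so the body is empty.
sub public :Chained('/') :PathPart('') :CaptureArgs(0) { }

# Chain root 2: login required. Every endpoint chained to 'secure'
# runs this check first, so the endpoints need no auth code of their own.
sub secure :Chained('/') :PathPart('') :CaptureArgs(0) {
    my ( $self, $c ) = @_;
    return if $c->user_exists;

    # Assumption: Catalyst::Plugin::Session is loaded. Only the
    # application-relative path is stored for the post-login redirect.
    $c->session->{requested_page} = $c->req->path;
    $c->res->redirect( $c->uri_for('/login') );
    $c->detach;    # abort the chain; the endpoint never executes
}

# Public endpoint, served at /contact_us without a login.
sub contact_us :Chained('public') :PathPart('contact_us') :Args(0) {
    my ( $self, $c ) = @_;
    $c->stash( template => 'contact_us.tt2' );
}

# Protected endpoint, served at /update only after 'secure' has passed.
sub update :Chained('secure') :PathPart('update') :Args(0) {
    my ( $self, $c ) = @_;
    $c->stash( template => 'update.tt2' );
}

1;
```

Actions in other controllers attach with `:Chained('/secure')` or `:Chained('/public')`. An action declared with `:Local` or `:Path` is matched outside both chains, so it skips the login check in `secure`.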



Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?

2009-04-19 Thread Nickolay Platonov
and I'm using this to implicitly specify which actions in controllers
require authorization:

#==
#Controller

sub update :Local :ActionClass('+Travel::Action::AuthorizationRequired') {
    my ( $self, $c ) = @_;

    my $token = $c->req->params->{'token'};
    ..
}

#==
#AuthorizationRequired Action

sub execute {
    my $self = shift;
    my ( $controller, $c ) = @_;

    if ( !$c->user_exists() ) {

        $c->stash->{template} = "auth_required.tt2";

        $c->detach('View::TT');
    }

    $self->NEXT::execute( @_ );
};




On Sun, Apr 19, 2009 at 2:18 PM, Matt S Trout dbix-cl...@trout.me.uk wrote:

> On Sun, Apr 19, 2009 at 10:06:51AM +1000, kakim...@tpg.com.au wrote:
> >
> > hi, all
> >
> >    what's the best way to exclude static requests from needing the user
> > to log in?
> > Some parts of my site are open to general public. For example, the
> > 'contact us', 'services portfolio' and so forth pages.
> >
> >   At the moment, I have put in codes in my MyApp::Controller::Root->auto
> > and it seems to want every request to be logged on.
>
> Two options:
>
> (1) (preferred) use Chained and have two root chain points, one that
> requires login and one that doesn't
>
> (2) sub static_serving_thing :NoLogin and check for
> $c->action->attributes->{NoLogin} in your root auto
>
> I'd suggest avoiding the ACL plugin; the implementation's a complete hack
> and Chained effectively obsoletes it anyway.
>
> --
> Matt S Trout       Need help with your Catalyst or DBIx::Class project?
> Technical Director                    http://www.shadowcat.co.uk/catalyst/
> Shadowcat Systems Ltd.  Want a managed development or deployment platform?
> http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/



Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?

2009-04-18 Thread J. Shirley
On Sun, Apr 19, 2009 at 9:06 AM, kakim...@tpg.com.au wrote:

> hi, all
>
>    what's the best way to exclude static requests from needing the user
> to log in?
> Some parts of my site are open to general public. For example, the
> 'contact us', 'services portfolio' and so forth pages.
>
>   At the moment, I have put in codes in my MyApp::Controller::Root->auto
> and it seems to want every request to be logged on.
>
>   Hence, identifying which path requests are for my static pages, I have
> put in a filter in the MyApp::Controller::Root->auto method to return a
> 1 and not go further.
>
>   Any better way around this? Another way is to have specific methods in
> controllers themselves (any CRUD method) checking if the user was
> logged on each time they request a controller action that requires
> authentication.
>
> Anyway, here's the source code. Hope it makes sense and thanks, everyone!


> -- extract - MyApp::Controller::Root->auto method (start) --
>
> sub auto : Private {
>     my ($self, $c) = @_;
>
>     # filter out the static requests
>     if ( $c->request->path() =~
>         m{^(sign_up|subscription_plans|services_portfolio|company_profile|contact_us)$}smx
>     )
>     {
>         return 1;
>     }
>     elsif ($c->controller eq $c->controller('Login') or
>            $c->controller eq $c->controller('Logout')) {
>         return 1;
>     }
>     else {
>         unless ($c->user_exists())
>         {
>             $c->log->debug( "Root.pm - auto  - USER's not logged in. "
>                 . "Forcing login and setting 'requested_page' = " . $c->req->path() );
>             myApp::Controller::Shared->store_in_session ($c,
>                 { 'requested_page' => $c->req->path(), }
>             );
>             $c->response->redirect($c->uri_for('/login'));
>
>             return 0;
>         }
>     }
>
>     return 1;
> }
>
> -- extract - MyApp::Controller::Root->auto method (end) --




I can think of several ways, the best being to use the ACL plugin, since
this is what it is for.  Drop the auto action determining what is necessary
and catch the auth errors in /end and handle accordingly.

Or, you could use Chained and have a root chain that requires authentication
(or, conversely, one that doesn't) and link that way.  This would be the
second best, in my opinion, but seeing that you aren't building your
application with Chained you probably aren't going to switch.

The way with your current code that I would do it is to define a
configuration key in your controller, like
__PACKAGE__->config({ require_login => 0 });

Then you can modify your Root::auto method, and add in something like this:

if ( defined $c->controller->{require_login} and
     $c->controller->{require_login} == 0 ) {
    return 1;
}

This, by default, would assume the user is required to login but then would
look at the controllers for the individual requirements.

Still a bit dirty, but not that intrusive.

-J


Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?

2009-04-18 Thread John Romkey

On Apr 18, 2009, at 8:06 PM, kakim...@tpg.com.au wrote:

> hi, all
>
>   what's the best way to exclude static requests from needing the user
> to log in?


The best way to exclude static requests from needing the user to log  
in is to not run them through Catalyst at all. Configure your web  
server so that static files are served directly by the server. This  
will greatly improve performance as well as simplify your Catalyst code.


Unless that's not what you mean by static.

If by static you still mean some dynamic content, I would strongly
avoid putting all the logic for access control in Root's auto method.  
Root's auto method then knows too much about the implementation  
details of each controller. Instead put the access control logic where  
it belongs - with the stuff it's controlling access to.

- john romkey
http://www.romkey.com/




Re: [Catalyst] What's the best way to exclude static requests from needing user to log in?

2009-04-18 Thread kakimoto
hi,John,

   Good arvo. Thanks for the comments. My replies are as per below:


Quoting John Romkey rom...@apocalypse.org:

> On Apr 18, 2009, at 8:06 PM, kakim...@tpg.com.au wrote:
> > hi, all
> >
> >   what's the best way to exclude static requests from needing the user
> > to log in?
>
> The best way to exclude static requests from needing the user to log
> in is to not run them through Catalyst at all. Configure your web
> server so that static files are served directly by the server. This
> will greatly improve performance as well as simplify your Catalyst
> code.


K. akimoto: You have a very good point and I think I will consider this.


 
> Unless that's not what you mean by static.
>
> If by static you still mean some dynamic content, I would strongly
> avoid putting all the logic for access control in Root's auto method.
> Root's auto method then knows too much about the implementation
> details of each controller. Instead put the access control logic where
> it belongs - with the stuff it's controlling access to.
>   - john romkey
>   http://www.romkey.com/
 
 




K. akimoto: this is interesting.
All requests would have to go through Root->auto before any other
actions in controllers.

Hence, whilst the Root->auto method does hold implementation
details of all controllers in the application, it certainly makes future
maintenance of the application ( in terms of controlling all controller
access ) easier because the configuration is found in one spot rather
than all across the many controllers.

Is doing so a bad practice? I would really like to hear some good
discussions here..


Thank you again, John :)


K. akimoto
