FAQ
Hi,

Most of the authorization schemes appear to aim to allow authorization
based on "type", so that a certain group of users are allowed to CRUD a
specific type of resource, eg. Albums or Artists etc. If a user has
access to "albums/update" then the user can change any album. I have
looked at the two available plugins for authorization, ACL and Roles,
and both seem to support this scheme.

I would like to have authorization per individual resource. A comparable
example would be a member only being allowed to update her own member
information. If I would implement something like this, I think I'd add a
table to the database for handling authorization:

Role Resource

administrators members
administrators blogs
user1 members/update/1
user2 members/update/15
user1 blogs/update/3
user2 blogs/update/13

The table would then be consulted whenever a resource is accessed, and
the lookup would be put in a central place, if possible. I've
implemented a ":Restricted" action which handles authentication, and
that is where I would try to add the authorization as well. One of the
tricky things would be to have a generic way to create the resource
identifier from request input.

Does anyone know if this be implemented using ACL or Roles, and what are
the principles for doing so?

If not, what is your experience in solving this problem?

KR,
Gunnar

Search Discussions

  • Tomas Doran at Jul 9, 2009 at 12:50 pm

    Gunnar Strand wrote:
    The table would then be consulted whenever a resource is accessed, and
    the lookup would be put in a central place, if possible. I've
    implemented a ":Restricted" action which handles authentication, and
    that is where I would try to add the authorization as well. One of the
    tricky things would be to have a generic way to create the resource
    identifier from request input.
    I think that for the complexity of what you're doing with auth, then the
    authorization should be in the model layer.

    You should have methods on the model layer which take some form of
    'user', and restrict what can be retrieved by that user. This is domain
    logic, so you need to build it into the domain.
    Does anyone know if this be implemented using ACL or Roles, and what are
    the principles for doing so?

    If not, what is your experience in solving this problem?
    DBIx::Class::Schema::RestrictWithObject is probably the place to start
    looking.

    Cheers
    t0m
  • Gunnar Strand at Jul 9, 2009 at 6:12 pm

    Tomas Doran skrev:
    Gunnar Strand wrote:
    The table would then be consulted whenever a resource is accessed,
    and the lookup would be put in a central place, if possible. I've
    implemented a ":Restricted" action which handles authentication, and
    that is where I would try to add the authorization as well. One of
    the tricky things would be to have a generic way to create the
    resource identifier from request input.
    I think that for the complexity of what you're doing with auth, then
    the authorization should be in the model layer.

    You should have methods on the model layer which take some form of
    'user', and restrict what can be retrieved by that user. This is
    domain logic, so you need to build it into the domain.
    Thanks, Tom. You are of course correct. Moving authorization to the data
    model will make it harder to show only authorized functions in the
    presentation layer, though. I'll have to think about this, but it seems
    that it is a fairly early design decision if the authorization should be
    in the control- or model part. And perhaps using ACL or groups will suffice.

    KR,
    Gunnar

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupcatalyst @
categoriescatalyst, perl
postedJul 9, '09 at 8:13a
activeJul 9, '09 at 6:12p
posts3
users2
websitecatalystframework.org
irc#catalyst

2 users in discussion

Gunnar Strand: 2 posts Tomas Doran: 1 post

People

Translate

site design / logo © 2022 Grokbase