-
Notifications
You must be signed in to change notification settings - Fork 6
/
README
149 lines (114 loc) · 3.93 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
NAME
Catalyst::ActionRole::ACL - User role-based authorization action class
SYNOPSIS
package MyApp::Controller::Foo;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }
sub foo
:Local
:Does(ACL)
:RequiresRole(admin)
:ACLDetachTo(denied)
{
my ($self, $c) = @_;
...
}
sub denied :Private {
my ($self, $c) = @_;
$c->res->status('403');
$c->res->body('Denied!');
}
DESCRIPTION
Provides a reusable action role for user role-based authorization. ACLs
are applied via the assignment of attributes to application action
subroutines.
REQUIRED ATTRIBUTES
Failure to include the following required attributes will result in an
exception when the ACL::Role action's constructor is called.
ACLDetachTo
The name of an action to which the request should be detached if it is
determined that ACLs are not satisfied for this user and the resource he
is attempting to access.
RequiresRole and AllowedRole
The action must include at least one of these attributes, otherwise the
Role::ACL constructor will throw an exception.
Processing of ACLs
One or more roles may be associated with an action.
User roles are fetched via the invocation of the context "user" object's
"roles" method.
Roles specified with the RequiresRole attribute are checked before roles
specified with the AllowedRole attribute.
The mandatory ACLDetachTo attribute specifies the name of the action to
which execution will detach on access violation.
ACLs may be applied to chained actions so that different roles are
required or allowed for each link in the chain (or no roles at all).
ACLDetachTo allows us to short-circuit traversal of an action chain as
soon as access is denied to one of the actions in the chain by its ACL.
Examples
# this is an invalid action
sub broken
:Local
:Does(ACL)
{
my ($self, $c) = @_;
...
}
This action will cause an exception because it's missing the ACLDetachTo attribute
and has neither a RequiresRole nor an AllowedRole attribute. A Role::ACL action
must include at least one RequiresRole or AllowedRole attribute.
sub foo
:Local
:Does(ACL)
:RequiresRole(admin)
:ACLDetachTo(denied)
{
my ($self, $c) = @_;
...
}
This action may only be executed by users with the 'admin' role.
sub bar :Local
:Does(ACL)
:RequiresRole(admin)
:AllowedRole(editor)
:AllowedRole(writer)
:ACLDetachTo(denied)
{
my ($self, $c) = @_;
...
}
This action requires that the user has the 'admin' role and either the
'editor' or 'writer' role (or both).
sub easy :Local
:Does(ACL)
:AllowedRole(admin)
:AllowedRole(user)
:ACLDetachTo(denied)
{
my ($self, $c) = @_;
...
}
Any user with either the 'admin' or 'user' role may execute this action.
WRAPPED METHODS
"BUILD( $args )"
Throws an exception if parameters are missing or invalid.
"execute( $controller, $c )"
Overrides &Catalyst::Action::execute.
In order for delegation to occur, the context 'user' object must exist
(authenticated user) and the "can_visit" method must return a true
value.
See Catalyst::Action
"can_visit( $c )"
Return true if the authenticated user can visit this action.
This method is useful for determining in advance if a user can execute a
given action.
AUTHOR
David P.C. Wollmann <[email protected]>
CONTRIBUTORS
Converted from an action class to an action role by Tomas Doran (t0m)
BUGS
This is new code. Find the bugs and report them, please.
COPYRIGHT & LICENSE
Copyright 2009 by David P.C. Wollmann
This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.