[Catalyst] Restricting access to the model
Will Hawes
info at whawes.co.uk
Mon Jul 3 12:54:21 CEST 2006

I need to restrict access to certain model classes based on which user
is logged in to my app. For example, users should not be able to view
orders belonging to other users. Possibly due to thinking about it too
much, I can't decide whether it makes sense to put this functionality in
the Controller or Model layer of the app. My initial thought was to add
subs to model classes something like:

    package My::Model::Order;

    # True only when the order belongs to $user.
    sub can_view {
        my ( $self, $user ) = @_;
        if ( $user->id ne $self->user->id ) {
            return 0;
        }
        return 1;
    }

The thing I don't particularly like about this is that if I want to use
the same functionality in another app sharing this model (fairly likely)
then they will have to agree about the specific rules for who can access
which model classes, which may not always be desirable.

Instead I thought about using a dedicated controller class to add the
aforementioned subs to model classes instead, i.e. only for that
controller's application. This seems to make sense but I'm not sure if
I've overlooked any problems it may introduce.

I imagine similar functionality must be a reasonably common requirement,
so my question is, how have others implemented it?
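
An added example, not part of the original post and not Catalyst's own code: one way to keep the ownership rule out of the shared model is a per-application policy table that denies by default. MyApp::Policy, its allowed() method, and the stand-in User and Order classes are hypothetical names constructed for this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical per-application policy. The rules live outside My::Model::*,
# so another application sharing the model can register different rules.
package MyApp::Policy;

my %RULES = (
    'My::Model::Order' => {
        # Same ownership test as can_view in the post, as a policy rule.
        view => sub { my ( $user, $order ) = @_; $user->id eq $order->user->id },
    },
);

sub allowed {
    my ( $class, $user, $action, $object ) = @_;
    return 0 unless defined $user && defined $object;    # no user, no access
    my $rules = $RULES{ ref $object } or return 0;       # unknown class: deny
    my $rule  = $rules->{$action}     or return 0;       # unknown action: deny
    return $rule->( $user, $object ) ? 1 : 0;
}

# Constructed stand-ins for the shared model classes (assumptions).
package My::Model::User;
sub new { my ( $class, %args ) = @_; return bless {%args}, $class }
sub id  { return $_[0]{id} }

package My::Model::Order;
sub new  { my ( $class, %args ) = @_; return bless {%args}, $class }
sub user { return $_[0]{user} }

package main;

# Constructed sample data: one order owned by the first user.
my $owner = My::Model::User->new( id => 1 );
my $other = My::Model::User->new( id => 2 );
my $order = My::Model::Order->new( user => $owner );

for my $user ( $owner, $other ) {
    printf "user %s view order: %s\n", $user->id,
        MyApp::Policy->allowed( $user, 'view', $order ) ? 'allowed' : 'denied';
}

# No 'edit' rule is registered, so even the owner is refused.
printf "user %s edit order: %s\n", $owner->id,
    MyApp::Policy->allowed( $owner, 'edit', $order ) ? 'allowed' : 'denied';
```

Because a missing class or action falls through to a refusal, a model class added later stays inaccessible until a rule is written for it.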