[Catalyst] Restricting access to the model
Andreas Marienborg
omega at palle.net
Mon Jul 3 13:01:39 CEST 2006
If the Order has a user field, why not just relationships?

    package My::Model::User;
    __PACKAGE__->has_many(orders and so on);

Then you always do $user->orders to get a user's orders, for instance.
If you need it for more complex things, I would say it belongs in the
model.

andreas

On 3. jul. 2006, at 12.54, Will Hawes wrote:
> I need to restrict access to certain model classes based on which user
> is logged in to my app. For example, users should not be able to view
> orders belonging to other users. Possibly due to thinking about it too
> much, I can't decide whether it makes sense to put this functionality
> in the Controller or Model layer of the app. My initial thought was to
> add subs to model classes something like:
>
>     package My::Model::Order;
>
>     sub can_view {
>         my ( $self, $user ) = @_;
>         if( $user->id ne $self->user->id ) {
>             return 0;
>         }
>         return 1;
>     }
>
> The thing I don't particularly like about this is that if I want to
> use the same functionality in another app sharing this model (fairly
> likely) then they will have to agree about the specific rules for who
> can access which model classes, which may not always be desirable.
>
> Instead I thought about using a dedicated controller class to add the
> aforementioned subs to model classes instead, i.e. only for that
> controller's application. This seems to make sense but I'm not sure if
> I've overlooked any problems it may introduce.
>
> I imagine similar functionality must be a reasonably common
> requirement, so my question is, how have others implemented it?
>
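The two approaches discussed in this thread, side by side, as an added example that is not code from either poster: lookups scoped through the user's own orders, and an ownership rule held in a per-application policy class instead of the shared model. Plain in-memory classes stand in for the ORM; `find_order`, `MyApp::Policy` and the sample data are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample data: order id => id of the owning user.
my %OWNER_OF = ( 101 => 1, 102 => 1, 201 => 2 );

package My::Model::Order {
    sub new     { my ( $class, %args ) = @_; return bless {%args}, $class }
    sub id      { return $_[0]{id} }
    sub user_id { return $_[0]{user_id} }
}

package My::Model::User {
    sub new { my ( $class, %args ) = @_; return bless {%args}, $class }
    sub id  { return $_[0]{id} }

    # Stand-in for the has_many accessor: yields only this user's orders.
    sub orders {
        my ($self) = @_;
        return map { My::Model::Order->new( id => $_, user_id => $OWNER_OF{$_} ) }
            grep { $OWNER_OF{$_} == $self->id } sort keys %OWNER_OF;
    }

    # Hypothetical helper: lookup scoped to the owner. A foreign id and a
    # nonexistent id both return undef, so the caller cannot tell them apart.
    sub find_order {
        my ( $self, $order_id ) = @_;
        return unless defined $order_id;
        my ($order) = grep { $_->id eq $order_id } $self->orders;
        return $order;
    }
}

# Hypothetical per-application policy, kept out of the shared model.
package MyApp::Policy {
    sub can_view {
        my ( $class, $user, $order ) = @_;
        return 0 unless $user && $order;    # deny by default
        return $user->id eq $order->user_id ? 1 : 0;
    }
}

package main;

my $user = My::Model::User->new( id => 1 );
for my $requested ( 101, 201, 999 ) {    # own, foreign, nonexistent
    my $order = $user->find_order($requested);
    printf "order %s: %s\n", $requested, $order ? 'visible' : 'not found';
}
my $foreign = My::Model::Order->new( id => 201, user_id => 2 );
printf "policy on foreign order: %d\n", MyApp::Policy->can_view( $user, $foreign );
```

The scoped lookup needs no separate check in the controller, while the policy class covers objects obtained some other way and lets each application sharing the model define its own rules.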