NAME
Catalyst::Action::Role::ACL - User role-based authorization action class.
SYNOPSIS
sub foo :Local
:ActionClass(Role::ACL)
:RequiresRole(admin) {
my ($self, $c) = @_;
...
}
# elsewhere
sub end :ActionClass('RenderView') {
my ($self, $c) = @_;
if ($c->res->status eq '403') {
$c->detach('denied');
}
}
DESCRIPTION
Provides a Catalyst reusable action for user role-based authorization. ACLs are applied via the assignment of attributes to application action subroutines.
Processing of ACLs
One or more roles may be associated with an action.
Roles specified with the RequiresRole attribute are processed before roles specified with the AllowedRole attribute.
An action with an empty ACL (no role attributes assigned) is unreachable by any user regardless of the roles assigned to his account. This is not particularly useful, and at some point will be changed so that the absence of role attributes will cause a compile-time exception.
User roles are fetched via the invocation of the context user object's "roles" method.
ACLs may be applied to chained actions so that different roles are required or allowed for each link in the chain (or no roles at all).
Examples
sub foo :Local
:ActionClass(Role::ACL)
:RequiresRole(admin) {
my ($self, $c) = @_;
...
}
This action may only be executed by users with the 'admin' role.
sub bar :Local
:ActionClass(Role::ACL)
:RequiresRole(admin)
:AllowedRole(editor)
:AllowedRole(writer) {
my ($self, $c) = @_;
...
}
This action requires that the user has the 'admin' role and also either the 'editor' or 'writer' role (or both).
sub easy :Local
:ActionClass(Role::ACL)
:AllowedRole(admin)
:AllowedRole(user) {
my ($self, $c) = @_;
...
}
Any user with either the 'admin' or 'user' role may execute this action.
sub unreachable :Local
:ActionClass(Role::ACL) {
my ($self, $c) = @_;
...
}
This action is unreachable and will always result in a 403 Forbidden response. This is probably not very useful and should instead be caught at compile-time and cause an exception.
METHODS
execute
See "METHODS/action" in Catalyst::Action.
can_visit($c)
Return true if the authenticated user can visit this action.
This method is useful for determining in advance if a user can execute a given action.
AUTHOR
David P.C. Wollmann <converter42@gmail.com>
BUGS
This is new code. Find the bugs and report them, please.
COPYRIGHT & LICENSE
Copyright 2009 by David P.C. Wollmann
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.