1Catalyst::ActionRole::AUCsLe(r3)Contributed Perl DocumenCtaattailoynst::ActionRole::ACL(3)
2
3
4
6 Catalyst::ActionRole::ACL - User role-based authorization action class
7
9 package MyApp::Controller::Foo;
10 use Moose;
11 use namespace::autoclean;
12
13 BEGIN { extends 'Catalyst::Controller' }
14
15 sub foo
16 :Local
17 :Does(ACL)
18 :RequiresRole(admin)
19 :ACLDetachTo(denied)
20 {
21 my ($self, $c) = @_;
22 ...
23 }
24
25 sub denied :Private {
26 my ($self, $c) = @_;
27
28 $c->res->status('403');
29 $c->res->body('Denied!');
30 }
31
33 Provides a reusable action role for user role-based authorization.
34 ACLs are applied via the assignment of attributes to application action
35 subroutines.
36
38 Failure to include the following required attributes will result in an
39 exception when the ACL::Role action's constructor is called.
40
41 ACLDetachTo
42 The name of an action to which the request should be detached if it is
43 determined that ACLs are not satisfied for this user and the resource
44 he is attempting to access.
45
46 RequiresRole and AllowedRole
47 The action must include at least one of these attributes, otherwise the
48 Role::ACL constructor will throw an exception.
49
51 One or more roles may be associated with an action.
52
53 User roles are fetched via the invocation of the context "user"
54 object's "roles" method.
55
56 Roles specified with the RequiresRole attribute are checked before
57 roles specified with the AllowedRole attribute.
58
59 The mandatory ACLDetachTo attribute specifies the name of the action to
60 which execution will detach on access violation.
61
62 ACLs may be applied to chained actions so that different roles are
63 required or allowed for each link in the chain (or no roles at all).
64
65 ACLDetachTo allows us to short-circuit traversal of an action chain as
66 soon as access is denied to one of the actions in the chain by its ACL.
67
68 Examples
69 # this is an invalid action
70 sub broken
71 :Local
72 :Does(ACL)
73 {
74 my ($self, $c) = @_;
75 ...
76 }
77
78 This action will cause an exception because it's missing the ACLDetachTo attribute
79 and has neither a RequiresRole nor an AllowedRole attribute. A Role::ACL action
80 must include at least one RequiresRole or AllowedRole attribute.
81
82 sub foo
83 :Local
84 :Does(ACL)
85 :RequiresRole(admin)
86 :ACLDetachTo(denied)
87 {
88 my ($self, $c) = @_;
89 ...
90 }
91
92 This action may only be executed by users with the 'admin' role.
93
94 sub bar :Local
95 :Does(ACL)
96 :RequiresRole(admin)
97 :AllowedRole(editor)
98 :AllowedRole(writer)
99 :ACLDetachTo(denied)
100 {
101 my ($self, $c) = @_;
102 ...
103 }
104
105 This action requires that the user has the 'admin' role and either the
106 'editor' or 'writer' role (or both).
107
108 sub easy :Local
109 :Does(ACL)
110 :AllowedRole(admin)
111 :AllowedRole(user)
112 :ACLDetachTo(denied)
113 {
114 my ($self, $c) = @_;
115 ...
116 }
117
118 Any user with either the 'admin' or 'user' role may execute this
119 action.
120
122 BUILD( $args )
123 Throws an exception if parameters are missing or invalid.
124
125 "execute( $controller, $c )"
126 Overrides &Catalyst::Action::execute.
127
128 In order for delegation to occur, the context 'user' object must exist
129 (authenticated user) and the "can_visit" method must return a true
130 value.
131
132 See Catalyst::Action
133
134 can_visit( $c )
135 Return true if the authenticated user can visit this action.
136
137 This method is useful for determining in advance if a user can execute
138 a given action.
139
141 David P.C. Wollmann <converter42@gmail.com>
142
144 Converted from an action class to an action role by Tomas Doran (t0m)
145
147 This is new code. Find the bugs and report them, please.
148
150 Copyright 2009 by David P.C. Wollmann
151
152 This program is free software; you can redistribute it and/or modify it
153 under the same terms as Perl itself.
154
155
156
157perl v5.38.0 2023-07-20 Catalyst::ActionRole::ACL(3)