[Jifty-commit] r7050 - in jifty/trunk: .

Jifty commits jifty-commit at lists.jifty.org
Mon May 18 19:50:05 EDT 2009 

Author: c9s
Date: Mon May 18 19:50:04 2009
New Revision: 7050

Added:
   jifty/trunk/lib/Jifty/Manual/AccessControl_zhtw.pod
Modified:
   jifty/trunk/   (props changed)

Log:
 r2749 at Oulixeus:  c9s | 2009-05-16 14:11:06 +0800
  AccessControl zhtw 


Added: jifty/trunk/lib/Jifty/Manual/AccessControl_zhtw.pod
==============================================================================
--- (empty file)
+++ jifty/trunk/lib/Jifty/Manual/AccessControl_zhtw.pod	Mon May 18 19:50:04 2009
@@ -0,0 +1,205 @@
+=head1 NAME
+
+Jifty::Manual::AccessControl_zhtw - Using Jifty's default ACL system
+
+=head1 DESCRIPTION
+
+
+Out of the box Jifty-based applications have an ACL system.  The system 
+automatically validates ACLs on L<Jifty::Record> objects by calling the method
+C<current_user_can> before any create, read, update, or delete operation.
+In all cases, the arguments passed to the CRUD operation are passed as 
+extra arguments to C<current_user_can>.
+
+On C<create()>, we reject the operation if C<current_user_can('create')>
+returns FALSE.
+
+On C<_value()> or C<I<somefieldname>>, we reject the operation
+if C<current_user_can('read')> returns false.
+
+On C<_set()> or C<I<set_somefieldname>>, we reject the operation
+if C<current_user_can('update')> returns false.
+
+
+On C<delete()>, we reject the operation if C<current_user_can('delete')>
+returns false.
+
+Out of the box, C<current_user_can> returns 1. When you want to actually 
+check ACLs, you'll need to override C<current_user_can()> in your
+C<Jifty::Record> subclass.
+
+It's likely that at some point, you'll decide you want to ask other
+questions on certain types of operations.  Say, you only want to let
+administrators update the C<paid_account> field. In that case, you'd override
+C<check_update_rights()> to look for the C<admin> right rather than the 
+C<update> right, if the C<FIELD> is C<paid_account>.
+
+=head1 ENABLING ACCESS CONTROL USING THE USER PLUGIN
+
+To painlessly enable the AccessControl subsystem, a User plugin is available
+with an authentication plugin, the C<Authentication::Password> plugin may get 
+enabled. This is done in the F<etc/config.yml> configuration file.
+
+    Plugins:
+      - Authentication::Password: {}
+
+Then, create an C<App::Model::User> class that will be override with
+C<Jifty::Plugin::User::Mixin::Model::User> and an authentication plugin 
+C<Jifty::Plugin::Authentication::Password::Mixin::Model::User>
+, for example:
+
+    use strict;
+    use warnings;
+
+    package App::Model::User;
+
+    use Jifty::DBI::Schema;
+
+    use App::Record schema {
+    };
+
+    use Jifty::Plugin::User::Mixin::Model::User;
+    use Jifty::Plugin::Authentication::Password::Mixin::Model::User;
+
+    # Your model-specific methods go here.
+
+    1;
+
+Next, create the table in your database using the F<jifty> executable
+like C<./bin/jifty schema --setup>.
+
+=head2 Expanding the Model
+
+The model that manages C<User> Records is not limited to the plugin's
+definition. It can be expanded by providing an additional schema
+definition. Every column here will be added to the plugin's
+columns. Simply add a schema definition block like this:
+
+    use Jifty::DBI::Schema;
+    use App::Record schema {
+        column 'extra_column_name';
+
+        column 'mygroup' =>
+               valid_values are qw/admin moderator user/,
+               default is 'user';
+
+        # more columns if necessary
+    };
+
+The full syntax for defining a schema can be found in
+L<Jifty::Manual::Models> or in L<Jifty::DBI::Schema>.
+
+If you want to manage an admin group, you must protect the group column 
+as only a superuser can change it.
+Then, you override C<current_user_can> in C<App::Model::User> 
+
+    sub current_user_can {
+        my $self = shift;
+        my $type = shift;
+        my %args = (@_);
+
+        return 0 
+            if ( $type eq 'update'
+                and !$self->current_user->is_superuser
+                and $args{'column'} eq 'mygroup' ); 
+
+
+        return 1;
+    }
+
+Defining a method C<_init> in your C<App::CurrentUser> class gives you
+a chance to add more data to the C<CurrentUser> object. This method
+will automatically get called after the Plugin's C<_init> is done.
+
+    package App::CurrentUser;
+
+    use strict;
+    use warnings;
+
+    use base qw(Jifty::CurrentUser);
+
+    __PACKAGE__->mk_accessors(qw(group));
+
+    sub _init {
+        my $self = shift;
+        my %args = (@_);
+
+        if (keys %args) {
+            $self->user_object(App::Model::User->new(current_user => $self));
+            $self->user_object->load_by_cols(%args);
+
+            if ( $self->user_object->mygroup eq 'admin') {
+                $self->is_superuser(1);
+            };
+
+            $self->group($self->user_object->mygroup);
+        };
+        $self->SUPER::_init(%args);
+    };
+
+With your C<App::CurrentUser>, users in group admin are superuser and you can 
+use C<< Jifty->web->current_user->group >> in your application.
+
+=head2 Templates defined by the C<Authentication::Password> plugin
+
+To avoid the need for repetitive work, the C<Authentication::Password> plugin already
+defines a couple of usable templates:
+
+=over 4
+
+=item F</login>
+
+provides a login screen with a signup option. After
+successful login, the current continuation is called. If no
+continuation exists, the template sitting at the base URL (F</>) is called.
+
+=item F</logout>
+
+logs out the current user.
+
+=item F</signup>
+
+allows a user to sign up himself/herself. By default
+a confirmation mail is sent out that has to get followed by
+the user.
+
+=item F</passwordreminder>
+
+after entering his/her mail address, the user will receive a mail that
+contains a link to F</let/reset_lost_password>.
+
+=item F</let/confirm_email>
+
+is called in the mail and results in accepting the user.
+
+=item F</let/reset_lost_password>
+
+enabled by the passwordreminder template, this template allows a user
+to reenter a password for future use.
+
+=back
+
+=head2 Doing checks at other places in your code
+
+If you need to check more than Model-based record operations you will
+have to do some coding on your own. C<< Jifty->web->current_user >> provides a
+C<App::CurrentUser> object that can get queried about the current user.
+This object provides some convenience methods:
+
+=over 4
+
+=item C<username>
+
+returns the name of the current user or C<undef> if not logged in.
+
+=item C<id>
+
+returns the id of the current user or C<undef> if not logged in.
+
+=back
+
+=head1 SEE ALSO
+
+L<Jifty::CurrentUser>, L<Jifty::Record>, L<Jifty::RightsFrom>, L<Jifty::Plugin::Authentication::Ldap>, L<Jifty::Plugin::Authentication::CAS> 
+
+=cut

More information about the Jifty-commit mailing list