libcatalyst-actionrole-acl-perl 0.07-1 / usr / share / perl5 / Catalyst / ActionRole / ACL.pm

This file is indexed.

/usr/share/perl5/Catalyst/ActionRole/ACL.pm is in libcatalyst-actionrole-acl-perl 0.07-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
package Catalyst::ActionRole::ACL;
use Moose::Role;
use namespace::autoclean;

use vars qw($VERSION);
$VERSION = '0.07'; # REMEMBER TO BUMP VERSION IN Action::Role::ACL ALSO!

=head1 NAME

Catalyst::ActionRole::ACL - User role-based authorization action class

=head1 SYNOPSIS

 package MyApp::Controller::Foo;
 use Moose;
 use namespace::autoclean;

 BEGIN { extends 'Catalyst::Controller' }

 sub foo
 :Local
 :Does(ACL)
 :RequiresRole(admin)
 :ACLDetachTo(denied)
 {
     my ($self, $c) = @_;
     ...
 }

 sub denied :Private {
     my ($self, $c) = @_;

     $c->res->status('403');
     $c->res->body('Denied!');
 }

=head1 DESCRIPTION

Provides a reusable action role
for user role-based authorization.
ACLs are applied via the assignment of attributes to
application action subroutines.

=head1 REQUIRED ATTRIBUTES

Failure to include the following required attributes will result in an exception
when the ACL::Role action's constructor is called.

=head2 ACLDetachTo

The name of an action to which the request should be detached if it is
determined that ACLs are not satisfied for this user and the resource he
is attempting to access.

=head2 RequiresRole and AllowedRole

The action must include at least one of these attributes, otherwise the Role::ACL
constructor will throw an exception.

=head1 Processing of ACLs

One or more roles may be associated with an action.

User roles are fetched via the invocation of the context "user" object's "roles"
method.

Roles specified with the RequiresRole attribute are checked before roles
specified with the AllowedRole attribute.

The mandatory ACLDetachTo attribute specifies the name of the action to which
execution will detach on access violation.

ACLs may be applied to chained actions so that different roles are required or
allowed for each link in the chain (or no roles at all).

ACLDetachTo allows us to short-circuit traversal of an action chain as soon as
access is denied to one of the actions in the chain by its ACL.

=head2 Examples

 # this is an invalid action
 sub broken
 :Local
 :Does(ACL)
 {
     my ($self, $c) = @_;
     ...
 }

 This action will cause an exception because it's missing the ACLDetachTo attribute
 and has neither a RequiresRole nor an AllowedRole attribute. A Role::ACL action
 must include at least one RequiresRole or AllowedRole attribute.

 sub foo
 :Local
 :Does(ACL)
 :RequiresRole(admin)
 :ACLDetachTo(denied)
 {
     my ($self, $c) = @_;
     ...
 }

This action may only be executed by users with the 'admin' role.

 sub bar :Local
 :Does(ACL)
 :RequiresRole(admin)
 :AllowedRole(editor)
 :AllowedRole(writer)
 :ACLDetachTo(denied)
 {
     my ($self, $c) = @_;
     ...
 }

This action requires that the user has the 'admin' role and
either the 'editor' or 'writer' role (or both).

 sub easy :Local
 :Does(ACL)
 :AllowedRole(admin)
 :AllowedRole(user)
 :ACLDetachTo(denied)
 {
     my ($self, $c) = @_;
     ...
 }

Any user with either the 'admin' or 'user' role may execute this action.

=head1 WRAPPED METHODS

=cut

=head2 C<BUILD( $args )>

Throws an exception if parameters are missing or invalid.

=cut

sub BUILD { }

after BUILD => sub {
    my $class = shift;
    my ($args) = @_;

    my $attr = $args->{attributes};

    unless (exists $attr->{RequiresRole} || exists $attr->{AllowedRole}) {
        Catalyst::Exception->throw(
            "Action '$args->{reverse}' requires at least one RequiresRole or AllowedRole attribute");
    }
    unless (exists $attr->{ACLDetachTo} && $attr->{ACLDetachTo}) {
        Catalyst::Exception->throw(
            "Action '$args->{reverse}' requires the ACLDetachTo(<action>) attribute");
    }
};

=head2 C<execute( $controller, $c )>

Overrides &Catalyst::Action::execute.

In order for delegation to occur, the context 'user' object must exist (authenticated user) and
the C<can_visit> method must return a true value.

See L<Catalyst::Action|METHODS/action>

=cut

around execute => sub {
    my $orig = shift;
    my $self = shift;
    my ($controller, $c) = @_;

    if ($c->user) {
        if ($self->can_visit($c)) {
            return $self->$orig(@_);
        }
    }

    my $denied = $self->attributes->{ACLDetachTo}[0];

    $c->detach($denied);
};

=head2 C<can_visit( $c )>

Return true if the authenticated user can visit this action.

This method is useful for determining in advance if a user can execute
a given action.

=cut

sub can_visit {
    my ($self, $c) = @_;

    my $user = $c->user;

    return unless $user;

    return unless
        $user->supports('roles') && $user->can('roles');

    my %user_has = map {$_,1} $user->roles;

    my $required = $self->attributes->{RequiresRole};
    my $allowed = $self->attributes->{AllowedRole};

    if ($required && $allowed) {
        for my $role (@$required) {
            return unless $user_has{$role};
        }
        for my $role (@$allowed) {
            return 1 if $user_has{$role};
        }
        return;
    }
    elsif ($required) {
        for my $role (@$required) {
            return unless $user_has{$role};
        }
        return 1;
    }
    elsif ($allowed) {
        for my $role (@$allowed) {
            return 1 if $user_has{$role};
        }
        return;
    }

    return;
}

1;

=head1 AUTHOR

David P.C. Wollmann E<lt>converter42@gmail.comE<gt>

=head1 CONTRIBUTORS

Converted from an action class to an action role by Tomas Doran (t0m)

=head1 BUGS

This is new code. Find the bugs and report them, please.

=head1 COPYRIGHT & LICENSE

Copyright 2009 by David P.C. Wollmann

This program is free software; you can redistribute it and/or modify it under
the same terms as Perl itself.

APT Browse - Built by Thomas Orozco.