
This queue is for tickets about the Catalyst-Manual CPAN distribution.

Report information
The Basics
Id: 33106
Status: resolved
Priority: 0/
Queue: Catalyst-Manual

People
Owner: Nobody in particular
Requestors: foohonpie [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)

Subject: Catalyst::Manual::Tutorial::Authorization (ACL Rules Error)
I found this out accidentally. It is easily overlooked and may cause people trouble later.

The section "Add ACL Rules to the Application Class" contains the following:

    __PACKAGE__->deny_access_unless(
        "/books/delete",
        [qw/user admin/],
    );

and describes it as such: "allows both users and admins to delete books". However, the Catalyst::Plugin::Authorization::ACL docs say this: "if allow_access_if is used, the presence of all the roles will immediately permit access, and if deny_access_unless is used the lack of any of the roles will immediately deny access."

This would mean the third rule should be written as this:

    __PACKAGE__->deny_access_unless(
        "/books/delete",
        [qw/user/],
    );

Assuming any admins will also have regular user privs, this would be the proper way to allow users and admins to use books/delete. Otherwise, users won't be allowed this action because they don't satisfy both role requirements.
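The following is an added stand-alone example, not code from the ticket, from Catalyst-Manual or from Catalyst::Plugin::Authorization::ACL. It models the "all listed roles are required" semantics the plugin documentation describes for both rule types and runs the two versions of the /books/delete rule against three constructed users (an ordinary user, an admin who also holds the user role, and an account with no roles). No Catalyst application is needed; the user table and the helper names (allow_access_if_passes, deny_access_unless_denies, evaluate_rule) are this example's own.

```perl
#!/usr/bin/env perl
# Added example (not from the ticket or the Catalyst-Manual distribution).
# Models the role test that Catalyst::Plugin::Authorization::ACL documents
# for allow_access_if / deny_access_unless: every listed role must be held.
use strict;
use warnings;

# Constructed sample users: a set of roles per user name (assumption for
# illustration; a real app would take these from the authentication store).
my %users = (
    alice => { user => 1 },              # ordinary user
    bob   => { user => 1, admin => 1 },  # admin who also has the user role
    eve   => {},                         # no roles at all
);

# Roles the user is missing from the rule's list (empty list => holds all).
sub missing_roles {
    my ($roles, $required) = @_;
    return grep { !$roles->{$_} } @$required;
}

# allow_access_if: access is granted only when ALL listed roles are present.
sub allow_access_if_passes {
    my ($roles, $required) = @_;
    return missing_roles($roles, $required) ? 0 : 1;
}

# deny_access_unless: the lack of ANY listed role denies access, which is
# the same "all roles required" test viewed from the deny side.
sub deny_access_unless_denies {
    my ($roles, $required) = @_;
    return missing_roles($roles, $required) ? 1 : 0;
}

# Evaluate one deny_access_unless rule for every sample user; returns a
# hashref of user name => 'allowed' | 'denied'.
sub evaluate_rule {
    my ($required) = @_;
    my %result;
    for my $name (sort keys %users) {
        $result{$name} = deny_access_unless_denies($users{$name}, $required)
            ? 'denied' : 'allowed';
    }
    return \%result;
}

# The rule as printed in the tutorial versus the rule the ticket proposes.
for my $rule ([qw/user admin/], [qw/user/]) {
    my $res = evaluate_rule($rule);
    printf "deny_access_unless('/books/delete', [qw/%s/]):\n", join ' ', @$rule;
    printf "  %-6s %s\n", $_, $res->{$_} for sort keys %$res;
}
```

Running it shows the lockout the ticket describes: with [qw/user admin/] only bob (who holds both roles) is allowed and alice is denied, while with [qw/user/] both alice and bob are allowed and only the role-less eve is denied. The same missing_roles test drives allow_access_if_passes, so the two rule types differ only in which side of the check they act on, not in whether the role list is read as "all" or "any".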