
This queue is for tickets about the Catalyst-Plugin-Authorization-ACL CPAN distribution.

Report information
The Basics
Id: 42195
Status: resolved
Priority: 0/
Queue: Catalyst-Plugin-Authorization-ACL

People
Owner: Nobody in particular
Requestors: gsomlo [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: hkclark [...] gmail.com
Subject: Catalyst-Plugin-Authorization-ACL rule weirdness
Date: Tue, 6 Jan 2009 17:30:01 -0500
To: bug-Catalyst-Plugin-Authorization-ACL [...] rt.cpan.org
From: "L. Gabriel Somlo" <gsomlo [...] gmail.com>
Hi,

I'm trying to follow the Catalyst tutorial (the Authorization part specifically) at http://cpansearch.perl.org/~hkclark/Catalyst-Manual-5.7016/lib/Catalyst/Manual/Tutorial/Authorization.pod

That tutorial, as well as the docs for Catalyst-Plugin-Authorization-ACL, seem to suggest that doing

    __PACKAGE__->deny_access_unless( "/foo/bar", [qw/admin user/] );

will allow access if either admin OR user roles are present. As it turns out, I am only allowed access when BOTH roles are present simultaneously.

Is this a bug or am I doing something wrong?

Thanks,
--Gabriel
Subject: Re: [rt.cpan.org #42195] Catalyst-Plugin-Authorization-ACL rule weirdness
Date: Tue, 06 Jan 2009 14:43:53 -0800
To: bug-Catalyst-Plugin-Authorization-ACL [...] rt.cpan.org
From: Rafael Kitover <rkitover [...] io.com>
In the docs under "Role Lists" it says:

"When the role is evaluated the Catalyst::Plugin::Authorization::Roles will be used to check whether the currently logged in user has the specified roles."

So yes, it checks all the roles in the list.

If you want to check for either role, do something like this, described in "Flexible Rules":

    use Catalyst::Plugin::Authorization::ACL::Engine qw/$ALLOWED $DENIED/;

    __PACKAGE__->deny_access_unless( "/foo/bar", sub {
        my ($c, $action) = @_;
        if ($c->check_any_user_role(qw/admin user/)) {
            die $ALLOWED;
        } else {
            die $DENIED;
        }
    } );

Perhaps we should have a syntax to make this easier?
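To make the "all roles" versus "any role" difference from the reply above concrete, here is an added, self-contained model of the two rule shapes (not code from Catalyst-Plugin-Authorization-ACL itself). MockCtx is an assumed stand-in for the Catalyst context, with role-check methods named after those in Catalyst::Plugin::Authorization::Roles, and the $ALLOWED/$DENIED strings are constructed stand-ins for the engine's exported sentinels.

```perl
# Added example (not the plugin's own code): models how the two rule shapes in
# this thread decide access. MockCtx stands in for the Catalyst context; its
# method names mirror Catalyst::Plugin::Authorization::Roles.
use strict;
use warnings;

package MockCtx;
sub new { my ($class, @r) = @_; return bless { roles => { map { $_ => 1 } @r } }, $class }
# true only if the user holds EVERY requested role
sub check_user_roles    { my ($s, @want) = @_; return !grep { !$s->{roles}{$_} } @want }
# true if the user holds at least ONE requested role
sub check_any_user_role { my ($s, @want) = @_; return !!grep { $s->{roles}{$_} } @want }

package main;

# Constructed sentinels mirroring $ALLOWED/$DENIED from
# Catalyst::Plugin::Authorization::ACL::Engine; the "\n" keeps die from adding "at ... line".
my $ALLOWED = "ALLOWED\n";
my $DENIED  = "DENIED\n";

# Role-list rule, as in deny_access_unless("/foo/bar", [qw/admin user/]): ALL roles required.
sub role_list_rule {
    my @roles = @_;
    return sub { my $c = shift; die($c->check_user_roles(@roles) ? $ALLOWED : $DENIED) };
}

# The "Flexible Rules" closure from the thread: ANY listed role is enough.
sub any_role_rule {
    my @roles = @_;
    return sub { my $c = shift; die($c->check_any_user_role(@roles) ? $ALLOWED : $DENIED) };
}

# Evaluate a rule the way the engine does: the closure signals its decision by dying.
sub evaluate {
    my ($rule, $c) = @_;
    eval { $rule->($c, "/foo/bar"); 1 };
    return $@ eq $ALLOWED ? "allowed" : $@ eq $DENIED ? "denied" : die "no decision";
}

my %users = (
    "admin only" => MockCtx->new("admin"),
    "both roles" => MockCtx->new("admin", "user"),
    "guest"      => MockCtx->new("guest"),
);
for my $name (sort keys %users) {
    printf "%-10s  all-of: %-7s  any-of: %s\n", $name,
        evaluate(role_list_rule(qw/admin user/), $users{$name}),
        evaluate(any_role_rule(qw/admin user/),  $users{$name});
}
```

The "admin only" row is the reporter's situation: the role-list form denies where the closure form allows, so the misreading here fails closed rather than granting access, which is the direction an ACL author wants a mistake to go.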
Subject: Re: [rt.cpan.org #42195] Catalyst-Plugin-Authorization-ACL rule weirdness
Date: Tue, 6 Jan 2009 19:43:54 -0500
To: Rafael Kitover via RT <bug-Catalyst-Plugin-Authorization-ACL [...] rt.cpan.org>
From: "L. Gabriel Somlo" <gsomlo [...] gmail.com>
On Tue, Jan 06, 2009 at 05:44:15PM -0500, Rafael Kitover via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=42195 >
>
> "When the role is evaluated the Catalyst::Plugin::Authorization::Roles will be used to check whether the currently logged in user has the specified roles."
>
> So yes, it checks all the roles in the list.
Oh, ok. I got confused by the nested Boolean logic in the docs :) but upon further reading the docs are matching the behavior...
> If you want to check for either role, do something like this, described in "Flexible Rules":
>
>     use Catalyst::Plugin::Authorization::ACL::Engine qw/$ALLOWED $DENIED/;
>
>     __PACKAGE__->deny_access_unless( "/foo/bar", sub {
>         my ($c, $action) = @_;
>         if ($c->check_any_user_role(qw/admin user/)) {
>             die $ALLOWED;
>         } else {
>             die $DENIED;
>         }
>     } );
Thanks, this example will come in handy!
> Perhaps we should have a syntax to make this easier?
Dunno, maybe deny_access_unless_all(path, list) could be an alias for the current deny_access_unless(path, list), and there could be an additional method deny_access_unless_some(path, list) which would be implemented using the "or" example you gave? And similarly allow_access_if_all == allow_access_if, and the additional allow_access_if_some which would allow access if at least one of the user's roles matches one item on the list...

Just $0.02 from a clueless newb :)

Thanks again for the explanation, and sorry about the noise.

Cheers,
--Gabriel
Subject: Re: [rt.cpan.org #42195] Catalyst-Plugin-Authorization-ACL rule weirdness
Date: Tue, 6 Jan 2009 19:52:55 -0500
To: Rafael Kitover via RT <bug-Catalyst-Plugin-Authorization-ACL [...] rt.cpan.org>
From: "L. Gabriel Somlo" <gsomlo [...] gmail.com>
Also, now that I look closer, it seems to be a known bug in the tutorial itself: http://rt.cpan.org/Public/Bug/Display.html?id=33106

Thanks,
--Gabriel
We've added 'deny_access_unless_any' in 0.14 for any role in a list. -- Rafael