
This queue is for tickets about the Catalyst-Plugin-AutoCRUD CPAN distribution.

Report information
The Basics
Id: 55742
Status: resolved
Priority: 0/
Queue: Catalyst-Plugin-AutoCRUD

People
Owner: Nobody in particular
Requestors: ovid [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.68
Fixed in: (no value)



Subject: Breaks all "non autocrud" URLs.
This is an absolutely lovely module and I'd love to integrate it with my app, but I have some issues:

1. It breaks my app badly. It states "If you already have a Catalyst app with DBIx::Class models configured", you only have to add AutoCRUD to the app config. When I go to localhost:3000/autocrud, it works great. When I go to localhost:3000/ (or any other url aside from /autocrud), it breaks with:

    You can connect to your server at http://curtis-poes-computer-3.local:3000
    [warn] Calling $c->view() will return a random view unless you specify one of:
    [warn] * $c->config(default_view => "the name of the default view to use")
    [warn] * $c->stash->{current_view} # the name of the view to use for this request
    [warn] * $c->stash->{current_view_instance} # the instance of the view to use for this request
    [warn] NB: in version 5.81, the "random" behavior will not work at all.
    [error] Caught exception in Veure::View::AutoCRUD::JSON->process "must provide object to convert at /Library/Perl/5.10.1/Catalyst/View/JSON.pm line 44"

I can't tell why from the docs. CRUD is (currently) a low priority for me, so I stopped using it as I don't (yet) need this feature.

2. It also states "No two columns in a given table may have the same FK constraint".

That breaks a particular use case I have. Particularly, my "email" table has a "to_id" and a "from_id", both pointing to the same table.

3. It's not clear from the docs (to me) how to restrict access. I'm using Catalyst::Controller::ActionRole and a custom role to ensure that certain urls can only be accessed by those with admin privileges. I can't tell how to hook this into AutoCRUD. I suppose I could write a custom subclass of the plugin, so this is the least of my issues.

Cheers,
Ovid
Subject: Re: [rt.cpan.org #55742] Breaks all "non autocrud" URLs.
Date: Sun, 21 Mar 2010 08:38:00 +0000
To: bug-Catalyst-Plugin-AutoCRUD [...] rt.cpan.org
From: Oliver Gorwits <oliver.gorwits [...] oucs.ox.ac.uk>
Hi Ovid,

First, thanks for the feedback and for taking a look at my module. I'm sorry that it's not working out for you so far - the intention _is_ to be plug and play!

On 20/03/2010 16:12, Curtis 'Ovid' Poe via RT wrote:
> [warn] Calling $c->view() will return a random view unless you
> specify one of:
I'm familiar with this issue, but I'm not certain that in this case it originates within AutoCRUD. As the message says, $c->view() is deprecated and users ought to be explicit about the view they want.

Seeing as I am explicit in AutoCRUD ($c->stash->{current_view} being set) I assume $c->view() is called somewhere else in your app and it's landing [randomly] at the AutoCRUD::JSON view.

Please could you search your code for any instances of $c->view() ? If you find none, could you let me know the version of Catalyst, and Catalyst::View::JSON that you have installed, as well as a list of the other Views currently available in your App?
> 2. It also states "No two columns in a given table may have the same FK
> constraint".
>
> That breaks a particular use case I have. Particularly, my "email" table
> has a "to_id" and a "from_id", both pointing to the same table.
Yes this documented limitation could be fixed but I just don't have the tuits right now. Having said that, I have a track record of working on issues once a user pipes up, so consider yourself having piped :-) It will likely be several weeks before I eat this frog.
> 3. It's not clear from the docs (to me) how to restrict access.
This has more to do with the philosophy of AutoCRUD. It's meant as a tool for the application developer more than the end user, so I have never focused on authZ.

Having said that, you should be able to match on the AutoCRUD paths within your custom ACL role because they are quite predictable:

    /autocrud/* - obviously just your admins
    /autocrud/<db-name>/<table> will be the page for any table

The AJAX calls use the RPC form:

    /autocrud/site/default/schema/<db-name>/source/<table>/<action>

Where <action> is one of:

    create
    list
    update
    delete
    list_stringified
    dumpmeta (not used by the app, but interesting for troubleshooting)

In addition you can enable/disable the separate CRUD operations on a per-table basis, but this applies to the whole app rather than one user. See the Docs for more details.

I hope this helps,
-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
Hi Oliver,

Thanks for getting back to me.
> On 20/03/2010 16:12, Curtis 'Ovid' Poe via RT wrote:
> > [warn] Calling $c->view() will return a random view unless you
> > specify one of:
>
> I'm familiar with this issue, but I'm not certain that in this case
> it originates within AutoCRUD. As the message says, $c->view() is
> deprecated and users ought to be explicit about the view they want.
As it turns out, my view is named HTML, not TT. By setting "default_view HTML" in my config, this problem goes away.
> Yes this documented limitation could be fixed but I just don't have
> the tuits right now. Having said that, I have a track record of
> working on issues once a user pipes up, so consider yourself having
> piped :-) It will likely be several weeks before I eat this frog.
Fair enough :)
> Having said that, you should be able to match on the AutoCRUD paths
> within your custom ACL role because they are quite predictable:
>
> /autocrud/* - obviously just your admins
> /autocrud/<db-name>/<table> will be the page for any table
That works for me. Thanks for your help.

Cheers,
Ovid
Subject: Re: [rt.cpan.org #55742] Breaks all "non autocrud" URLs.
Date: Sun, 21 Mar 2010 09:30:11 +0000
To: bug-Catalyst-Plugin-AutoCRUD [...] rt.cpan.org
From: Oliver Gorwits <oliver.gorwits [...] oucs.ox.ac.uk>
Hi Ovid,

On 21/03/2010 08:53, Curtis 'Ovid' Poe via RT wrote:
>> Having said that, you should be able to match on the AutoCRUD paths
>> within your custom ACL role because they are quite predictable:
>
> That works for me.
One other thing - you're not the first to ask about AuthZ for AutoCRUD, so I was wondering: is any of your App's code going to be released publicly?

I might add a recipe for AuthZ based on an ACL role to the docs in a future release and it'd be good to have some code to crib, as I've not done this myself before.

regards,
oliver.
-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
Subject: Re: [rt.cpan.org #55742] Breaks all "non autocrud" URLs.
Date: Sun, 21 Mar 2010 02:51:33 -0700 (PDT)
To: bug-Catalyst-Plugin-AutoCRUD [...] rt.cpan.org
From: Ovid <curtis_ovid_poe [...] yahoo.com>
----- Original Message ----
> From: "oliver.gorwits@oucs.ox.ac.uk via RT" <bug-Catalyst-Plugin-AutoCRUD@rt.cpan.org>
> One other thing - you're not the first to ask about AuthZ for AutoCRUD, so I was
> wondering: is any of your App's code going to be released publicly?
Regrettably, no, it will not be released publicly. However, it looks like AutoCRUD, while excellent, has enough issues that if we use it for admins, it will likely be hosted on a separate domain from our actual application just to ensure we have no security worries (it would suck to miss something important and find out that clever URL hacking bites us).

Cheers,
Ovid
--
Buy the book - http://www.oreilly.com/catalog/perlhks/
Tech blog - http://blogs.perl.org/users/ovid/
Twitter - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6
Subject: Re: [rt.cpan.org #55742] Breaks all "non autocrud" URLs.
Date: Sun, 21 Mar 2010 09:56:34 +0000
To: bug-Catalyst-Plugin-AutoCRUD [...] rt.cpan.org
From: Oliver Gorwits <oliver.gorwits [...] oucs.ox.ac.uk>
On 21/03/2010 09:51, Ovid via RT wrote:
> However, it looks like AutoCRUD, while excellent, has enough issues that if
> we use it for admins, it will likely be hosted on a separate
> domain from our actual application just to ensure we have no
> security worries (it would suck to miss something important and
> find out that clever URL hacking bites us).
I fully support that - with chained dispatch in Catalyst there can end up being multiple paths to the same action which makes authZ tricky. I'm not certain I even gave you the full list of possible paths, before. I plan to add that to the docs in the next release now you've raised the issue.

Never mind about seeing your AuthZ code - I'll work something out. Thanks for the quick reply.

regards,
-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
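
A sketch of the path-based check discussed in this thread, added here as an example; it is not code from AutoCRUD or from either poster. Because the thread notes the path list may be incomplete, it denies the whole /autocrud prefix to non-admins and only then inspects the RPC form; the role names, the read/write split and the sample requests are assumptions.

```perl
use strict;
use warnings;

# Actions named in the thread for the RPC form. The read/write split and the
# role names (admin, autocrud_write) are assumptions made for this example.
my %WRITE_ACTION = map { $_ => 1 } qw(create update delete);
my %READ_ACTION  = map { $_ => 1 } qw(list list_stringified dumpmeta);

# Decode %XX once, collapse repeated slashes and resolve "." / ".." segments.
sub normalise_path {
    my ($path) = @_;
    $path =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    my @seg;
    for my $s (split m{/+}, $path) {
        next if $s eq '' or $s eq '.';
        if ($s eq '..') { pop @seg; next }
        push @seg, $s;
    }
    return '/' . join('/', @seg);
}

# Returns 'allow', 'deny', or 'pass' (not an AutoCRUD path; other rules decide).
sub authorise {
    my ($raw, $roles) = @_;
    my $norm = normalise_path($raw);
    # Gate on the raw and the normalised form, so an encoded or dotted path
    # cannot look different to this check than it does to the dispatcher.
    return 'pass' unless grep { m{^/+autocrud(?:/|$)}i } $raw, $norm;
    return 'deny' unless $roles->{admin};
    # RPC form: /autocrud/site/<site>/schema/<db-name>/source/<table>/<action>
    if ($norm =~ m{^/autocrud/site/[^/]+/schema/[^/]+/source/[^/]+/([^/]+)$}i) {
        my $action = lc $1;
        return 'allow' if $READ_ACTION{$action};
        return $roles->{autocrud_write} ? 'allow' : 'deny' if $WRITE_ACTION{$action};
        return 'deny';    # action not on the known list
    }
    return 'allow';       # table pages such as /autocrud/<db-name>/<table>
}

# Constructed sample requests: [path, roles held by the user]
my @samples = (
    ['/',                                                         {}],
    ['/autocrud/mydb/email',                                      {}],
    ['/autocrud/mydb/email',                                      { admin => 1 }],
    ['/autocrud/site/default/schema/mydb/source/email/list',      { admin => 1 }],
    ['/autocrud/site/default/schema/mydb/source/email/delete',    { admin => 1 }],
    ['/%61utocrud//site/default/schema/mydb/source/email/delete', {}],
);
printf "%-62s %s\n", $_->[0], authorise(@$_) for @samples;
```

In a Catalyst application the same decision would sit in whatever runs before dispatch reaches AutoCRUD, such as the custom ACL role mentioned in the ticket.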
I'm resolving this ticket and creating in its place a couple of enhancement tasks in my tracker:

1) document the AJAX API
2) related to this, add a discussion of AuthZ to the documentation

regards,
oliver.