On Tue, Dec 11, 2012 at 11:25:00AM +0000, David Precious wrote:
> Whilst I really like the (ab)use of subroutine attributes for denoting which routes require authentication/specific roles, some people (whose opinions I respect) have tried to convince me that this is a Bad Idea, and is likely to be fragile.
> One particularly good point made is that the current implementation stores the attributes for a given route handler by the refaddr, which could be problematic if run under threads ...

... or under the debugger, as David P and I know all too well :-)

> One suggestion was to provide a new keyword, e.g. requires_auth, which would work something like:
>
>     get '/secret' => requires_login(sub { .... });
>     get '/beer' => requires_role('BeerDrinker', sub { ... });
>
> (Something along those lines, at least.) I'm certain how I would implement it, though - i.e. how requires_login/requires_role would store the fact that the provided sub requires auth, without the same thread safety issues of using refaddr.

That's easy. requires_role() constructs a subroutine that does the authentication and then hands off to the supplied sub. Something like this:

    sub requires_role {
        my $role = shift;
        my $handler = shift;
        my $fail_handler = shift;
        return sub {
            if(currently_logged_in_as($role)) {
                return $handler->();
            } else {
                return $fail_handler->();
            }
        }
    }

--
David Cantrell | top google result for "topless karaoke murders"

  "Cynical" is a word used by the naive to describe the experienced.
      George Hills, in uknot
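
A self-contained sketch of the closure-wrapper approach from the reply above, added here as an example (it is not code from the thread or from any Dancer plugin). `%session`, `user_has_role` and the route table are constructed stand-ins for the framework's session and routing; a missing failure handler defaults to a denial so the wrapper fails closed, and no refaddr lookup is involved.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the framework's per-request session (assumption).
our %session;

# Hypothetical helper: true if the logged-in user holds $role.
sub user_has_role {
    my ($role) = @_;
    return 0 unless defined $session{user};
    return scalar grep { $_ eq $role } @{ $session{roles} || [] };
}

# Default denial used when the caller supplies no failure handler,
# so a forgotten argument fails closed instead of calling undef.
my $deny = sub { return (403, 'Forbidden') };

sub requires_login {
    my ($handler, $fail) = @_;
    $fail ||= sub { return (401, 'Login required') };
    # The check runs per request, inside the closure, not at definition time.
    return sub { defined $session{user} ? $handler->(@_) : $fail->(@_) };
}

sub requires_role {
    my ($role, $handler, $fail) = @_;
    $fail ||= $deny;
    # A role check implies a login check, so wrap one in the other.
    return requires_login(
        sub { user_has_role($role) ? $handler->(@_) : $fail->(@_) },
    );
}

# Constructed route table; in a Dancer app this would be get '/beer' => ...
my %routes = (
    '/secret' => requires_login(sub { return (200, 'the secret') }),
    '/beer'   => requires_role('BeerDrinker', sub { return (200, 'a pint') }),
);

# Constructed requests: anonymous, logged in without the role, with the role.
for my $case ([undef, []], ['alice', []], ['bob', ['BeerDrinker']]) {
    local %session = (user => $case->[0], roles => $case->[1]);
    for my $path (sort keys %routes) {
        my ($status, $body) = $routes{$path}->();
        printf "%-6s %-8s -> %d %s\n", $case->[0] // 'anon', $path, $status, $body;
    }
}
```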