
Mailing List Archive: Catalyst: Users

ACL Error: deny_access_unless

 

 



gordon at gorste

May 23, 2009, 9:21 AM

Post #1 of 14 (1346 views)
Permalink
ACL Error: deny_access_unless

Dear List

Has anyone had any issues with:

Catalyst::Plugin::Authorization::ACL 0.11 |
Catalyst::Plugin::Authorization::Roles 0.07

I am adding some access control to my Catalyst application. When I start
up my application I see the following:

Class Catalyst::Dispatcher is calling the deprecated method
Catalyst::Dispatcher::tree,
this will be removed in Catalyst 5.9X at
/usr/local/share/perl/5.8.8/Catalyst/Dispatcher.pm line 713.

The access control section:

__PACKAGE__->deny_access_unless( "/admin/user", [ 'Admin' ] );

fails every time, regardless if the user has the right or not.

The same code works on Catalyst 5.7012. There also does not seem to be
any documentation for using Catalyst 5.80002.

Can anyone help in resolving this issue I am facing?

Regards

Gordon




_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


gordon at gorste

May 25, 2009, 12:59 PM

Post #2 of 14 (1269 views)
Permalink
RE: ACL Error: deny_access_unless [In reply to]

Dear List

Does anyone know where in the Catalyst code it contacts the database to
check if a user has the rights in question? I have looked into the Catalyst
code (Catalyst/Plugin/Authorization/ACL/Engine.pm) and found out that the
function in question is returning "Denied" without contacting the database.
I know it is not contacting the database because I have turned on the MySQL
logs and see no SQL query.

I am running the most up to date version of the Catalyst code (5.8004).

Has anyone got roles and ACL working in Catalyst 5.8004?

Regards

Gordon Stewart



bobtfish at bobtfish

May 26, 2009, 4:25 AM

Post #3 of 14 (1265 views)
Permalink
Re: ACL Error: deny_access_unless [In reply to]

Gordon Stewart wrote:
> Does anyone know where in the catalyst code it contacts the database to
> check if a user has the rights in question?

It should be calling $c->user->roles, and this gets the list of roles
for the user in question.

How this lookup is performed will vary depending on which authentication
store you're using, how it's configured etc.

> I have looked into the catalyst
> code (Catalyst/Plugin/Authorization/ACL/Engine.pm )and found out that the
> function in question is returning "Denied" without contacting the database.
> I know it is not contacting the database because I have turn on the Mysql
> logs and see no sql query.
>
> I am running the most up to date version of the catalyst code (5.8004).
>
> Has any one got roles and ACL working in Catalyst 5.8004

There have been a few people having problems with this.

I know that I fixed ACL to work with Catalyst 5.80 specifically, in that
I had to do some work to make it pass all of its tests. However,
obviously, as people are having issues - the tests may not be
comprehensive enough..

So I guess we need to produce a minimal TestApp demonstrating the issue,
and then we can either fix ACL, or fix core Catalyst as appropriate to
sort the issue out.

This minimal test app would use the minimal authentication store (so no
DB needed), and just demonstrate the issue (i.e. t/01app.t fails).

If you can produce such a TestApp, then I'll be more than happy to take
a look, or beat someone else into doing so ;)

Cheers
t0m




gordon at gorste

May 26, 2009, 1:07 PM

Post #4 of 14 (1251 views)
Permalink
RE: ACL Error: deny_access_unless [In reply to]

Tomas

I am not using an authentication store, I am just using:

Authentication
Authorization::Roles
Authorization::ACL

Session
Session::Store::FastMmap
Session::State::Cookie


If I include the store:

Authentication::Store::DBIC

Then I just get the following:

You must provide a user_class at /usr/local/share/perl/5.8.8/Catalyst.pm
line 1140

But I am passing the user_class through my yml file:

authorization:
    dbic:
        user_class: DnsEmail::Rights
        #role_class: DnsEmail::Rights
        role_field: description
        role_rel: accesses
        user_role_user_field: user_id

Regards

Gordon



bobtfish at bobtfish

May 26, 2009, 2:09 PM

Post #5 of 14 (1249 views)
Permalink
Re: ACL Error: deny_access_unless [In reply to]

On 26 May 2009, at 21:07, Gordon Stewart wrote:

>
> Tomas
>
> I have am not using an authentication store, I am just using:
>
> Authentication
> Authorization::Roles
> Authorization::ACL
>
> Session
> Session::Store::FastMmap
> Session::State::Cookie

No, you are using an authentication store.

Catalyst::Plugin::Authentication loads and instantiates one store and
one credential instance per realm in your authentication configuration.

Note that this is waaaay more flexible than the session configuration
(where you can only have 1 session store and 1 session state per app)
- session will move in this direction also at some point to be more
flexible.

Anyway, back to the point - rather than using the DBIC authentication
store (or DBIC at all), your test application would be using
Catalyst::Authentication::Store::Minimal (see the POD for a config
example).

Hope that makes it clearer what I'm rambling about?

Cheers
t0m




gordon at gorste

May 27, 2009, 12:18 PM

Post #6 of 14 (1223 views)
Permalink
RE: ACL Error: deny_access_unless [In reply to]

Tomas

I have created a test application to use

Catalyst::Authentication::Store::Minimal

But I am still having the same issue.

I am using perl 5.8.8 and ubuntu 8.04 if that has a bearing on why roles are
broken.

How easy is it to downgrade catalyst 5.7012, which I know will work?

Gordon





devin.austin at gmail

May 27, 2009, 12:30 PM

Post #7 of 14 (1223 views)
Permalink
Re: ACL Error: deny_access_unless [In reply to]

Gordon

If you really want to downgrade, it's a matter of doing locate Catalyst.pm
(if you're on a *nix system) and rm -rf-ing from there. From there you'd
obviously have to reinstall 5.7012, be it from source or specifying a
version on CPAN.

However, I think it'd be much more beneficial to get your issue worked out
on your current build (5.8 I'm assuming).

hth,

Devin



--
Devin Austin
http://www.codedright.net
http://www.dreamhost.com/r.cgi?326568/hosting.html - Host with DreamHost!


bobtfish at bobtfish

May 28, 2009, 5:25 AM

Post #8 of 14 (1217 views)
Permalink
Re: ACL Error: deny_access_unless [In reply to]

Gordon Stewart wrote:
> I have created a test application to use
>
> Catalyst::Authentication::Store::Minimal
>
> But I am still having the same issue.

Well, yes, I'd expect you would :)

The point of making a minimal test app was so you could show us, and we
could download / play with something without having to setup a database
etc to run your 'real' app, or wade through lots of code.

So, please show us? Either throw it on github, or stick a tarball online..

> How easy is it to downgrade catalyst 5.7012, which I know will work?

Just install it :)

Either download the tarball and perl Makefile.PL && make test && make
install as usual, or you can ask the CPAN shell for
AUTHORNAME/Package-X.YY.tgz and it'll install it.

Cheers
t0m




gordon at gorste

May 30, 2009, 8:32 AM

Post #9 of 14 (1173 views)
Permalink
RE: ACL Error: deny_access_unless [In reply to]

Tom

I have created a test app tar ball and put it online. The link is:

http://www.gordonstewart.co.uk/MyApp.tar

I have taken the test app that is online and changed it to use Mason and the
most up to date version of Catalyst. It is using the test database; I also
allowed it to use Catalyst::Authentication::Store::Minimal. It can be
configured in the yml file.

I am using the following plugin modules, which I believe to be the most up
to date:

Catalyst::Plugin::Authentication 0.10011
Catalyst::Plugin::Authorization::ACL 0.11
Catalyst::Plugin::Authorization::Roles 0.07
Catalyst::Plugin::ConfigLoader 0.23
Catalyst::Plugin::Session 0.22
Catalyst::Plugin::Session::State::Cookie 0.11
Catalyst::Plugin::Session::Store::FastMmap 0.10
Catalyst::Plugin::StackTrace 0.10
Catalyst::Plugin::Static::Simple 0.21


Thank you for your help

Regards

Gordon






bobtfish at bobtfish

May 30, 2009, 12:34 PM

Post #10 of 14 (1172 views)
Permalink
Re: ACL Error: deny_access_unless [In reply to]

On 30 May 2009, at 16:32, Gordon Stewart wrote:

> I am using the following plugin modules, which I believe to be the
> most up
> to date:

Your Makefile.PL doesn't say this.

I tried to fix this, but something in the dependency stack of
DBIx::Class::HTMLWidget fails to install for me.

Can you trim this down a bit more - for example I don't see why you
need a view at all (the action you want to get to could just set
$c->req->body('OK')), or a database - given you're already using the
minimal auth store so users aren't being authenticated from the
database..

I appreciate that there appear to be some fairly good tests in
t/live_app01.t, but I think you can cut these (and the app) down a lot
to just demonstrating the issue you're having..

Cheers
t0m





gordon at gorste

May 30, 2009, 3:17 PM

Post #11 of 14 (1167 views)
Permalink
RE: ACL Error: deny_access_unless [In reply to]

Tom

> I tried to fix this, but something in the dependency stack of
> DBIx::Class::HTMLWidget fails to install for me.

I have removed this

> I appreciate that there appear to be some fairly good tests in
> t/live_app01.t, but I think you can cut these (and the app) down a lot
> to just demonstrating the issue you're having..

I have removed the tests that do not show off the problem I am facing; the
tests show it is failing around request 14/15 as user test01 has admin
rights.

The new tar ball is at http://www.gordonstewart.co.uk/MyApp_v2.tar

Regards

Gordon





bobtfish at bobtfish

Jun 2, 2009, 6:11 PM

Post #12 of 14 (1085 views)
Permalink
Re: ACL Error: deny_access_unless [In reply to]

On 30 May 2009, at 23:17, Gordon Stewart wrote:

> Tom
>
>> I tried to fix this, but something in the dependency stack of
>> DBIx::Class::HTMLWidget fails to install for me.
>
> I have removed this

Ok, that wasn't much better:

. Makefile.PL in your tarball is still fucked (i.e. missing most of
your dependencies).

. The config you've shipped with the app is pointed at your local
mysql, not at sqlite.

. Your password credential config is asking for cleartext passwords,
but the passwords in the sqlite DB (which is what the app was
configured for) were encrypted.

. There are failing tests which aren't ever going to pass, like
t/controller_Admin.t which checks for /admin without logging in..

. The tests in t/live_app01.t fail incorrectly, and don't actually
test the issue you described.

I have fixed all of this and got your app working, but I can't
reproduce the bug you originally described.

http://omni.state51.co.uk/~t0m/MyApp.tgz - there is your tarball
back, with git history of everything I did for your perusal.

However, I think I may have guessed what your issue is.. Going back
to your original email:

> The access control section:
>
> __PACKAGE__->deny_access_unless( "/admin/user", [ 'Admin' ] );

And in your template, you had:

> User has admin : <% $c->check_user_roles('Admin') %><br>

However, your sqlite DB looked like this:

sqlite3 myapp.db
SQLite version 3.6.11
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from roles;
1|user
2|admin
sqlite>

The cases don't match, and I had to correct these before things would
work.

Do you have a real issue which you can replicate by flicking
backwards and forwards between Catalyst 5.80 and 5.70, or did you
just break things around the same time as upgrading?

I am happy to help out if there is a genuine bug here, but given I'm
having to wade in and make loads of changes to any code you give me
to make it work at all, I'm not confident you're not just getting
yourself confused, or that I haven't stomped on your bug on the way
past.

If there is still an issue, please try for a *working*, *self
contained* app, with *correct dependencies* and tests which *fail on
5.80 and pass on 5.7X*.

Cheers
t0m
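
[Added example, not part of the original thread and not code from either poster or from the Catalyst plugins.] The case mismatch described in the post above ('Admin' in the ACL rule, 'admin' in the roles table) can be caught before deployment by linting the role names used in rules against the roles the store defines. The helper names has_all_roles and lint_acl_roles are hypothetical, the sample data is constructed from the values quoted in the thread, and the role check is modelled as exact, case-sensitive string membership:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data mirroring the thread: the ACL rule asks for
# 'Admin', while the roles table holds 'user' and 'admin'.
my %acl_rules   = ( '/admin/user' => ['Admin'] );
my @store_roles = ( 'user', 'admin' );

# Simplified model of a role check: exact, case-sensitive string
# membership. This is an assumption standing in for the plugin's logic,
# not a copy of it.
sub has_all_roles {
    my ( $user_roles, $required ) = @_;
    my %have = map { $_ => 1 } @$user_roles;
    return !grep { !$have{$_} } @$required;
}

# Lint: report every role named in an ACL rule that is absent from the
# store, and say when the only difference is letter case.
sub lint_acl_roles {
    my ( $rules, $known ) = @_;
    my %exact = map { $_ => 1 } @$known;
    my %folded;
    push @{ $folded{ lc $_ } }, $_ for @$known;

    my @findings;
    for my $path ( sort keys %$rules ) {
        for my $role ( @{ $rules->{$path} } ) {
            next if $exact{$role};
            my $near = $folded{ lc $role };
            push @findings, $near
              ? "$path: role '$role' differs only by case from '@$near'"
              : "$path: role '$role' is not defined in the store";
        }
    }
    return @findings;
}

# A user holding every role in the store is still denied by the rule.
my $allowed = has_all_roles( \@store_roles, $acl_rules{'/admin/user'} );
print "access to /admin/user: ", ( $allowed ? "allowed" : "denied" ), "\n";

print "$_\n" for lint_acl_roles( \%acl_rules, \@store_roles );
```

Running a check of this kind in the application's test suite makes a misspelled or mis-cased role name fail the build instead of surfacing as a rule that denies every user.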




gordon at gorste

Jun 3, 2009, 12:18 PM

Post #13 of 14 (1069 views)
Permalink
RE: ACL Error: deny_access_unless [In reply to]

> http://omni.state51.co.uk/~t0m/MyApp.tgz - there is your tarball
> back, with git history of everything I did for your perusal.

I cannot seem to download the tarball from your site. Did you give me an
internal website?

Regards

Gordon






bobtfish at bobtfish

Jun 4, 2009, 1:14 AM

Post #14 of 14 (1065 views)
Permalink
Re: ACL Error: deny_access_unless [In reply to]

On 3 Jun 2009, at 20:18, Gordon Stewart wrote:

>> http://omni.state51.co.uk/~t0m/MyApp.tgz - there is your tarball
>> back, with git history of everything I did for your perusal.
>
> I cannot seem to download the tarball from your site. Did you give
> me an
> internal website?
>

No, that's my workstation.

And I managed to break the apache on it last night.

Sorry about that, fixed now!

Cheers
t0m

