
Mailing List Archive: Catalyst: Users

action_for with user_id removed ...


kiffin.gish at planet

Feb 1, 2010, 8:14 AM

Post #1 of 8 (1502 views)
action_for with user_id removed ...

I have a number of user-defined actions which are described with the
user id like this:

settings/user_id/(view|edit)

Where user_id is the primary key into the users resultset. However, I do
not want this to be visible to the end-user for security reasons (if I'm
admin it's alright).

Is it possible to retain these, but for users who are logged in
the /user_id/ is removed to get this visible instead:

settings/(view|edit)

Thanks a lot in advance.


--
Kiffin Gish <kiffin.gish [at] planet>
Gouda, The Netherlands


_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/


orasnita at gmail

Feb 1, 2010, 10:38 AM

Post #2 of 8 (1456 views)
Re: action_for with user_id removed ...

From: "Kiffin Gish" <kiffin.gish [at] planet>
>I have a number of user-defined actions which are described with the
> user id like this:
>
> settings/user_id/(view|edit)
>
> Where user_id is the primary key into the users resultset. However, I do
> not want this to be visible to the end-user for security reasons (if I'm
> admin it's alright).
>
> Is it possible to retain these, but for users who are logged in
> the /user_id/ is removed to get this visible instead:
>
> settings/(view|edit)
>
> Thanks a lot in advance.
>
>
> --
> Kiffin Gish <kiffin.gish [at] planet>
> Gouda, The Netherlands

If your users have an ID, they're probably logged in. If they are logged in,
you can get and use that ID in your app by getting it with:

my $user_id = $c->user->obj->id
or
my $user_id = $c->user->get('id');

(And the second way is recommended).

Octavian




kiffin.gish at planet

Feb 1, 2010, 12:37 PM

Post #3 of 8 (1456 views)
Re: action_for with user_id removed ...

Then to make my story complete, I just snip out the part of the action
chain that extracts the id, and hook up the loose ends. Very elegant!

On Mon, 2010-02-01 at 20:38 +0200, Octavian Rasnita wrote:
> From: "Kiffin Gish" <kiffin.gish [at] planet>
> >I have a number of user-defined actions which are described with the
> > user id like this:
> >
> > settings/user_id/(view|edit)
> >
> > Where user_id is the primary key into the users resultset. However, I do
> > not want this to be visible to the end-user for security reasons (if I'm
> > admin it's alright).
> >
> > Is it possible to retain these, but for users who are logged in
> > the /user_id/ is removed to get this visible instead:
> >
> > settings/(view|edit)
> >
> > Thanks a lot in advance.
> >
> >
> > --
> > Kiffin Gish <kiffin.gish [at] planet>
> > Gouda, The Netherlands
>
> If your users have an ID, they're probably logged in. If they are logged in,
> you can get and use that ID in your app by getting it with:
>
> my $user_id = $c->user->obj->id
> or
> my $user_id = $c->user->get('id');
>
> (And the second way is recommended).
>
> Octavian


--
Kiffin Gish <Kiffin.Gish [at] planet>
Gouda, The Netherlands





pagaltzis at gmx

Feb 5, 2010, 2:33 AM

Post #4 of 8 (1351 views)
Re: action_for with user_id removed ...

* Kiffin Gish <kiffin.gish [at] planet> [2010-02-01 17:20]:
> I have a number of user-defined actions which are described
> with the user id like this:
>
> settings/user_id/(view|edit)
>
> Where user_id is the primary key into the users resultset.
> However, I do not want this to be visible to the end-user for
> security reasons (if I'm admin it's alright).
>
> Is it possible to retain these, but for users who are logged in
> the /user_id/ is removed to get this visible instead:
>
> settings/(view|edit)

I find this highly suspect. It sounds like your authorisation
checks are inadequate somewhere, and you are trying to paper over
that instead of fixing it.

From an HTTP point of view it is unwise to make endpoint URIs
like that which can refer to many different resources at any one
point in time.

Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>



kiffin.gish at planet

Feb 6, 2010, 2:25 AM

Post #5 of 8 (1315 views)
Re: Re: action_for with user_id removed ...

On Fri, 2010-02-05 at 11:33 +0100, Aristotle Pagaltzis wrote:
> * Kiffin Gish <kiffin.gish [at] planet> [2010-02-01 17:20]:
> > I have a number of user-defined actions which are described
> > with the user id like this:
> >
> > settings/user_id/(view|edit)
> >
> > Where user_id is the primary key into the users resultset.
> > However, I do not want this to be visible to the end-user for
> > security reasons (if I'm admin it's alright).
> >
> > Is it possible to retain these, but for users who are logged in
> > the /user_id/ is removed to get this visible instead:
> >
> > settings/(view|edit)
>
> I find this highly suspect. It sounds like your authorisation
> checks are inadequate somewhere, and you are trying to paper over
> that instead of fixing it.
>
> From an HTTP point of view it is unwise to make endpoint URIs
> like that which can refer to many different resources at any one
> point in time.
>
> Regards,

I'm not so sure that I agree, though I can appreciate your point of
view.

All I'm doing in fact is using the $user->id saved in the session, there
being nothing papered over for authorization which is accomplished via
the usual login mechanism.


--
Kiffin Gish <Kiffin.Gish [at] planet>
Gouda, The Netherlands





moseley at hank

Feb 6, 2010, 8:35 AM

Post #6 of 8 (1298 views)
Re: Re: action_for with user_id removed ...

On Sat, Feb 6, 2010 at 2:25 AM, Kiffin Gish <kiffin.gish [at] planet> wrote:

> > From an HTTP point of view it is unwise to make endpoint URIs
> > like that which can refer to many different resources at any one
> > point in time.
>
> I'm not so sure that I agree, though I can appreciate your point of
> view.
We have debated this in our apps, too. If some set of URLs are only valid
once a user logs in then do they have an implicit domain?

Plus, it sure is handy in documentation to say:

To update your personal profile go to: http://example.com/myprofile

vs.

To update your personal profile go to: http://example.com/user/<your id here>/profile

Because you know what the tech support calls will be like....


--
Bill Moseley
moseley [at] hank


oliver.g.charles at googlemail

Feb 6, 2010, 9:15 AM

Post #7 of 8 (1303 views)
Re: Re: action_for with user_id removed ...

On Sat, Feb 6, 2010 at 4:35 PM, Bill Moseley <moseley [at] hank> wrote:
> Plus, it sure is handy in documentation to say:
>   To update your personal profile go to: http://example.com/myprofile
> vs.
>   To update your personal profile go to: http://example.com/user/<your id here>/profile

We have two points in URLs for this:

* /user/<id>/<foo>
"Public" viewing of user stuff (public may mean only a restricted
set of users can view it, but it's not private)

* /account/<action>
For doing stuff that only you can do to your own account (change
password etc)

--
Oliver Charles / aCiD2



pagaltzis at gmx

Feb 6, 2010, 11:24 AM

Post #8 of 8 (1298 views)
Re: action_for with user_id removed ...

* Kiffin Gish <kiffin.gish [at] planet> [2010-02-06 11:25]:
> I'm not so sure that I agree, though I can appreciate your
> point of view.
>
> All I'm doing in fact is using the $user->id saved in the
> session, there being nothing papered over for authorization
> which is accomplished via the usual login mechanism.

I’m talking about the fact that you don’t want users to know
their account ID. Why would it be any problem if they do know it?


* Bill Moseley <moseley [at] hank> [2010-02-06 17:35]:
> Plus, it sure is handy in documentation to say:
>
> To update your personal profile go to: http://example.com/myprofile

True.

My first inclination would be to handle that with a redirect.


* Oliver Charles <oliver.g.charles [at] googlemail> [2010-02-06 18:15]:
> We have two points in URLs for this:
>
> * /user/<id>/<foo>
> "Public" viewing of user stuff (public may mean only
> a restricted set of users can view it, but it's not private)
>
> * /account/<action>
> For doing stuff that only you can do to your own account
> (change password etc)

++

I’ve found this to be a generally good idea, not only to reduce
the amount of conditional checks in server code and templates,
but also from the user’s point of view, as it makes it readily
possible to access all the different views to a resource.

Basically: URIs are cheap. Don’t be afraid to have more of them.
HTTP infrastructure suffers much more where there are too few
URIs than where there are too many.

Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
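Added example (not code from the original thread or from any poster's application): one Catalyst listing that puts together the pieces discussed above, namely Octavian's `$c->user->get('id')` for the session user, Oliver's split between `/account/<action>` and `/user/<id>/<foo>`, and Aristotle's redirect for a short documentation URL. The `/account` chain never reads an id from the URL, so it can only reach the caller's own row; the `/user/<id>` chain does read one, so it has to carry the authorisation check explicitly. Assumptions, all hypothetical: the application is called `MyApp`, users live in a `DB::User` model with an `email` column, `/login` and `/default` actions exist for the not-logged-in and not-found cases, the templates named exist, and `Catalyst::Plugin::Authentication` plus `Catalyst::Plugin::Authorization::Roles` are loaded. Both packages are shown in a single listing for readability; in a real application each lives in its own file under `lib/MyApp/Controller/`.

```perl
package MyApp::Controller::Account;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# /account/... : the "settings/(view|edit)" form asked for in the first post.
# The user id never appears in the URL; it comes from the session user.
sub base : Chained('/') PathPart('account') CaptureArgs(0) {
    my ($self, $c) = @_;
    $c->detach('/login') unless $c->user_exists;            # assumed /login action
    # $c->user->get('id') is the store-independent accessor; $c->user->obj->id
    # would tie this controller to the DBIx::Class authentication store.
    my $me = $c->model('DB::User')->find($c->user->get('id'))   # assumed model
        or $c->detach('/default');                               # assumed 404 handler
    $c->stash->{target} = $me;
}

sub view : Chained('base') PathPart('view') Args(0) {
    my ($self, $c) = @_;
    $c->stash->{template} = 'account/view.tt';               # assumed template
}

sub edit : Chained('base') PathPart('edit') Args(0) {
    my ($self, $c) = @_;
    if ($c->request->method eq 'POST') {
        # Only the caller's own row can be reached here, so no ownership check is needed.
        $c->stash->{target}->update({ email => $c->request->params->{email} });  # assumed column
        $c->response->redirect($c->uri_for_action('/account/view'), 303);
        return;
    }
    $c->stash->{template} = 'account/edit.tt';               # assumed template
}

# /myprofile : the short URL for the documentation, served as a redirect
# rather than as a second copy of the 'view' action.
sub myprofile : Path('/myprofile') Args(0) {
    my ($self, $c) = @_;
    $c->response->redirect($c->uri_for_action('/account/view'), 303);
}

__PACKAGE__->meta->make_immutable;

package MyApp::Controller::User;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# /user/<id>/... : the id is part of the URL, so this chain has to decide
# whether the caller may act on that user. Without the role check in
# 'settings' below, any logged-in user could edit any other user's settings
# simply by changing the id in the URL.
sub base : Chained('/') PathPart('user') CaptureArgs(1) {
    my ($self, $c, $id) = @_;
    $c->detach('/login') unless $c->user_exists;
    $c->detach('/default') unless $id =~ /\A[0-9]+\z/;       # reject non-numeric ids before querying
    my $target = $c->model('DB::User')->find($id)
        or $c->detach('/default');
    $c->stash->{target} = $target;
}

# /user/<id>/profile : Oliver's "public" case, visible to any logged-in user.
sub profile : Chained('base') PathPart('profile') Args(0) {
    my ($self, $c) = @_;
    $c->stash->{template} = 'user/profile.tt';               # assumed template
}

# /user/<id>/settings : the admin form of the original "settings/user_id/edit".
# check_user_roles comes from Catalyst::Plugin::Authorization::Roles.
sub settings : Chained('base') PathPart('settings') Args(0) {
    my ($self, $c) = @_;
    unless ($c->check_user_roles('admin')) {
        $c->response->status(403);
        $c->response->body('Forbidden');
        $c->detach;
    }
    $c->stash->{template} = 'account/edit.tt';               # same form as the self-service edit
}

__PACKAGE__->meta->make_immutable;

1;
```

With this layout `/account/edit` and `/user/42/settings` can share a template and a form handler, while the question "may this caller touch this row" is answered in exactly one place per URL shape: implicitly for `/account`, by construction, and explicitly for `/user/<id>`, in the role check. Logging in settles who the caller is; it does not by itself settle which rows the caller may reach once an id is taken from the request, which is the distinction Aristotle's first reply draws.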

