[catagits/Catalyst-Manual.git] / lib / Catalyst / Manual / Tutorial / Authorization.pod

=head1 NAME

Catalyst::Manual::Tutorial::Authorization - Catalyst Tutorial - Part 6: Authorization


=head1 OVERVIEW

This is B<Part 6 of 10> for the Catalyst tutorial.

L<Tutorial Overview|Catalyst::Manual::Tutorial>

=over 4

=item 1

L<Introduction|Catalyst::Manual::Tutorial::Intro>

=item 2

L<Catalyst Basics|Catalyst::Manual::Tutorial::CatalystBasics>

=item 3

L<More Catalyst Basics|Catalyst::Manual::Tutorial::MoreCatalystBasics>

=item 4

L<Basic CRUD|Catalyst::Manual::Tutorial::BasicCRUD>

=item 5

L<Authentication|Catalyst::Manual::Tutorial::Authentication>

=item 6

B<Authorization>

=item 7

L<Debugging|Catalyst::Manual::Tutorial::Debugging>

=item 8

L<Testing|Catalyst::Manual::Tutorial::Testing>

=item 9

L<Advanced CRUD|Catalyst::Manual::Tutorial::AdvancedCRUD>

=item 10

L<Appendices|Catalyst::Manual::Tutorial::Appendices>

=back


=head1 DESCRIPTION

This part of the tutorial adds role-based authorization to the existing
authentication implemented in Part 5.  It provides simple examples of
how to use roles in both TT templates and controller actions.  The first
half looks at manually configured authorization.  The second half looks
at how the ACL authorization plugin can simplify your code.

You can checkout the source code for this example from the catalyst
subversion repository as per the instructions in
L<Catalyst::Manual::Tutorial::Intro>

=head1 BASIC AUTHORIZATION

In this section you learn how to manually configure authorization.

=head2 Update Plugins to Include Support for Authorization

Edit C<lib/MyApp.pm> and add C<Authorization::Roles> to the list:

    use Catalyst qw/
            -Debug
            ConfigLoader
            Static::Simple

            StackTrace

            Authentication
            Authorization::Roles

            Session
            Session::Store::FastMmap
            Session::State::Cookie
            /;


=head2 Add Config Information for Authorization

Edit C<myapp.conf> and update it to match the following (the
C<role_relation> and C<role_field> definitions are new):

    name MyApp
    <authentication>
        default_realm dbic
        <realms>
            <dbic>
                <credential>
                    # Note this first definition would be the same as setting
                    # __PACKAGE__->config->{authentication}->{realms}->{dbic}
                    #     ->{credential} = 'Password' in lib/MyApp.pm
                    #
                    # Specify that we are going to do password-based auth
                    class Password
                    # This is the name of the field in the users table with the
                    # password stored in it
                    password_field password
                    # Switch to more secure hashed passwords
                    password_type  hashed
                    # Use the SHA-1 hashing algorithm
                    password_hash_type SHA-1
                </credential>
                <store>
                    # Use DBIC to retrieve username, password & role information
                    class DBIx::Class
                    # This is the model object created by Catalyst::Model::DBIC
                    # from your schema (you created 'MyApp::Schema::User' but as
                    # the Catalyst startup debug messages show, it was loaded as
                    # 'MyApp::Model::DB::Users').
                    # NOTE: Omit 'MyApp::Model' here just as you would when using
                    # '$c->model("DB::Users)'
                    user_class DB::Users
                    # This is the name of the field in your 'users' table that
                    # contains the user's name
                    id_field username
                    # This is the name of a many_to_many relation in the users
                    # object that points to the roles for that user
                    role_relation  roles
                    # This is the name of field in the roles table that contains
                    # the role information
                    role_field role
                </store>
            </dbic>
        </realms>
    </authentication>


=head2 Add Role-Specific Logic to the "Book List" Template

Open C<root/src/books/list.tt2> in your editor and add the following
lines to the bottom of the file:

    <p>Hello [% Catalyst.user.username %], you have the following roles:</p>

    <ul>
      [% # Dump list of roles -%]
      [% FOR role = Catalyst.user.roles %]<li>[% role %]</li>[% END %]
    </ul>

    <p>
    [% # Add some simple role-specific logic to template %]
    [% # Use $c->check_user_roles() to check authz -%]
    [% IF Catalyst.check_user_roles('user') %]
      [% # Give normal users a link for 'logout' %]
      <a href="[% Catalyst.uri_for('/logout') %]">Logout</a>
    [% END %]

    [% # Can also use $c->user->check_roles() to check authz -%]
    [% IF Catalyst.check_user_roles('admin') %]
      [% # Give admin users a link for 'create' %]
      <a href="[% Catalyst.uri_for('form_create') %]">Create</a>
    [% END %]
    </p>

This code displays a different combination of links depending on the
roles assigned to the user.

=head2 Limit C<Books::add> to C<admin> Users

C<IF> statements in TT templates simply control the output that is sent
to the user's browser; it provides no real enforcement (if users know or
guess the appropriate URLs, they are still perfectly free to hit any
action within your application).  We need to enhance the controller
logic to wrap restricted actions with role-validation logic.

For example, we might want to restrict the "formless create" action to
admin-level users by editing C<lib/MyApp/Controller/Books.pm> and
updating C<url_create> to match the following code:

    =head2 url_create

    Create a book with the supplied title and rating,
    with manual authorization

    =cut

    sub url_create : Local {
        # In addition to self & context, get the title, rating & author_id args
        # from the URL.  Note that Catalyst automatically puts extra information
        # after the "/<controller_name>/<action_name/" into @_
        my ($self, $c, $title, $rating, $author_id) = @_;

        # Check the user's roles
        if ($c->check_user_roles('admin')) {
            # Call create() on the book model object. Pass the table
            # columns/field values we want to set as hash values
            my $book = $c->model('DB::Books')->create({
                    title   => $title,
                    rating  => $rating
                });

            # Add a record to the join table for this book, mapping to
            # appropriate author
            $book->add_to_book_authors({author_id => $author_id});
            # Note: Above is a shortcut for this:
            # $book->create_related('book_authors', {author_id => $author_id});

            # Assign the Book object to the stash for display in the view
            $c->stash->{book} = $book;

            # This is a hack to disable XSUB processing in Data::Dumper
            # (it's used in the view).  This is a work-around for a bug in
            # the interaction of some versions or Perl, Data::Dumper & DBIC.
            # You won't need this if you aren't using Data::Dumper (or if
            # you are running DBIC 0.06001 or greater), but adding it doesn't
            # hurt anything either.
            $Data::Dumper::Useperl = 1;

            # Set the TT template to use
            $c->stash->{template} = 'books/create_done.tt2';
        } else {
            # Provide very simple feedback to the user
            $c->response->body('Unauthorized!');
        }
    }


To add authorization, we simply wrap the main code of this method in an
C<if> statement that calls C<check_user_roles>.  If the user does not
have the appropriate permissions, they receive an "Unauthorized!"
message.  Note that we intentionally chose to display the message this
way to demonstrate that TT templates will not be used if the response
body has already been set.  In reality you would probably want to use a
technique that maintains the visual continuity of your template layout
(for example, using the "status" or "error" message feature added in
Part 3).

B<TIP>: If you want to keep your existing C<url_create> method, you can
create a new copy and comment out the original by making it look like a
Pod comment.  For example, put something like C<=begin> before C<sub add
: Local {> and C<=end> after the closing C<}>.

=head2 Try Out Authentication And Authorization

Press C<Ctrl-C> to kill the previous server instance (if it's still
running) and restart it:

    $ script/myapp_server.pl

Now trying going to L<http://localhost:3000/books/list> and you should
be taken to the login page (you might have to C<Shift+Reload> your
browser and/or click the "Logout" link on the book list page).  Try
logging in with both C<test01> and C<test02> (both use a password
of C<mypass>) and notice how the roles information updates at the
bottom of the "Book List" page. Also try the C<Logout> link on the
book list page.

Now the "url_create" URL will work if you are already logged in as user
C<test01>, but receive an authorization failure if you are logged in as
C<test02>.  Try:

    http://localhost:3000/books/url_create/test/1/6

while logged in as each user.  Use one of the 'Logout' links (or go to
L<http://localhost:3000/logout> in your browser directly) when you are
done.


=head1 ENABLE ACL-BASED AUTHORIZATION

This section takes a brief look at how the
L<Catalyst::Plugin::Authorization::ACL|Catalyst::Plugin::Authorization::ACL>
plugin can automate much of the work required to perform role-based
authorization in a Catalyst application.

=head2 Add the C<Catalyst::Plugin::Authorization::ACL> Plugin

Open C<lib/MyApp.pm> in your editor and add the following plugin to the
C<use Catalyst> statement:

    Authorization::ACL

Note that the remaining C<use Catalyst> plugins from earlier sections
are not shown here, but they should still be included.

=head2 Add ACL Rules to the Application Class

Open C<lib/MyApp.pm> in your editor and add the following B<BELOW> the
C<__PACKAGE__-E<gt>setup;> statement:

    # Authorization::ACL Rules
    __PACKAGE__->deny_access_unless(
            "/books/form_create",
            [qw/admin/],
        );
    __PACKAGE__->deny_access_unless(
            "/books/form_create_do",
            [qw/admin/],
        );
    __PACKAGE__->deny_access_unless(
            "/books/delete",
            [qw/user admin/],
        );

Each of the three statements above comprises an ACL plugin "rule".  The
first two rules only allow admin-level users to create new books using
the form (both the form itself and the data submission logic are
protected).  The third statement allows both users and admins to delete
books.  The C</books/url_create> action will continue to be protected by
the "manually configured" authorization created earlier in this part of
the tutorial.

The ACL plugin permits you to apply allow/deny logic in a variety of
ways.  The following provides a basic overview of the capabilities:

=over 4

=item *

The ACL plugin only operates on the Catalyst "private namespace".  You
are using the private namespace when you use C<Local> actions.  C<Path>,
C<Regex>, and C<Global> allow you to specify actions where the path and
the namespace differ -- the ACL plugin will not work in these cases.

=item *

Each rule is expressed in a separate
C<__PACKAGE__-E<gt>deny_access_unless()> or
C<__PACKAGE__-E<gt>allow_access_if()> line (there are several other
methods that can be used for more complex policies, see the C<METHODS>
portion of the
L<Catalyst::Plugin::Authorization::ACL|Catalyst::Plugin::Authorization::ACL>
documentation for more details).

=item *

Each rule can contain multiple roles but only a single path.

=item *

The rules are tried in order (with the "most specific" rules tested
first), and processing stops at the first "match" where an allow or deny
is specified.  Rules "fall through" if there is not a "match" (where a
"match" means the user has the specified role).  If a "match" is found,
then processing stops there and the appropriate allow/deny action is
taken.

=item *

If none of the rules match, then access is allowed.

=item *

The rules currently need to be specified in the application class
C<lib\MyApp.pm> B<after> the C<__PACKAGE__-E<gt>setup;> line.

=back

=head2 Add a Method to Handle Access Violations

By default,
L<Catalyst::Plugin::Authorization::ACL|Catalyst::Plugin::Authorization::ACL>
throws an exception when authorization fails.  This will take the user
to the Catalyst debug screen, or a "Please come back later" message if
you are not using the C<-Debug> flag. This step uses the
C<access_denied> method in order to provide more appropriate feedback to
the user.

Open C<lib/MyApp/Controller/Books.pm> in your editor and add the
following method:

    =head2 access_denied

    Handle Catalyst::Plugin::Authorization::ACL access denied exceptions

    =cut

    sub access_denied : Private {
        my ($self, $c) = @_;

        # Set the error message
        $c->stash->{error_msg} = 'Unauthorized!';

        # Display the list
        $c->forward('list');
    }

Then run the Catalyst development server script:

    $ script/myapp_server.pl

Log in as C<test02>.  Once at the book list, click the "Create" link
to try the C<form_create> action.  You should receive a red
"Unauthorized!"  error message at the top of the list.  (Note that in
the example code the "Create" link code in C<root/src/books/list.tt2>
is inside an C<IF> statement that only displays the list to
admin-level users.)  If you log in as C<test01> you should be able to
view the C<form_create> form and add a new book.

When you are done, use one of the 'Logout' links (or go to the
L<http://localhost:3000/logout> URL directly) when you are done.


=head1 AUTHOR

Kennedy Clark, C<hkclark@gmail.com>

Please report any errors, issues or suggestions to the author.  The
most recent version of the Catalyst Tutorial can be found at
L<http://dev.catalyst.perl.org/repos/Catalyst/trunk/Catalyst-Manual/lib/Catalyst/Manual/Tutorial/>.

Copyright 2006-2008, Kennedy Clark, under Creative Commons License
(L<http://creativecommons.org/licenses/by-nc-sa/2.5/>).
Commit	Line	Data
d442cc9f	1	=head1 NAME
d442cc9f	2
3533daff	3	Catalyst::Manual::Tutorial::Authorization - Catalyst Tutorial - Part 6: Authorization
d442cc9f	4
	5
	6	=head1 OVERVIEW
	7
3533daff	8	This is B<Part 6 of 10> for the Catalyst tutorial.
d442cc9f	9
	10	L<Tutorial Overview\|Catalyst::Manual::Tutorial>
	11
	12	=over 4
	13
	14	=item 1
	15
	16	L<Introduction\|Catalyst::Manual::Tutorial::Intro>
	17
	18	=item 2
	19
	20	L<Catalyst Basics\|Catalyst::Manual::Tutorial::CatalystBasics>
	21
	22	=item 3
	23
3533daff	24	L<More Catalyst Basics\|Catalyst::Manual::Tutorial::MoreCatalystBasics>
d442cc9f	25
	26	=item 4
	27
3533daff	28	L<Basic CRUD\|Catalyst::Manual::Tutorial::BasicCRUD>
d442cc9f	29
	30	=item 5
	31
3533daff	32	L<Authentication\|Catalyst::Manual::Tutorial::Authentication>
d442cc9f	33
	34	=item 6
	35
3533daff	36	B<Authorization>
d442cc9f	37
	38	=item 7
	39
3533daff	40	L<Debugging\|Catalyst::Manual::Tutorial::Debugging>
d442cc9f	41
	42	=item 8
	43
3533daff	44	L<Testing\|Catalyst::Manual::Tutorial::Testing>
d442cc9f	45
	46	=item 9
	47
3533daff	48	L<Advanced CRUD\|Catalyst::Manual::Tutorial::AdvancedCRUD>
	49
	50	=item 10
	51
d442cc9f	52	L<Appendices\|Catalyst::Manual::Tutorial::Appendices>
	53
	54	=back
	55
	56
d442cc9f	57	=head1 DESCRIPTION
	58
	59	This part of the tutorial adds role-based authorization to the existing
9ad715b3	60	authentication implemented in Part 5. It provides simple examples of
d442cc9f	61	how to use roles in both TT templates and controller actions. The first
	62	half looks at manually configured authorization. The second half looks
	63	at how the ACL authorization plugin can simplify your code.
	64
	65	You can checkout the source code for this example from the catalyst
	66	subversion repository as per the instructions in
	67	L<Catalyst::Manual::Tutorial::Intro>
	68
	69	=head1 BASIC AUTHORIZATION
	70
	71	In this section you learn how to manually configure authorization.
	72
	73	=head2 Update Plugins to Include Support for Authorization
	74
	75	Edit C<lib/MyApp.pm> and add C<Authorization::Roles> to the list:
	76
	77	use Catalyst qw/
	78	-Debug
	79	ConfigLoader
	80	Static::Simple
905a3a26	81
d442cc9f	82	StackTrace
905a3a26	83
d442cc9f	84	Authentication
d442cc9f	85	Authorization::Roles
905a3a26	86
d442cc9f	87	Session
	88	Session::Store::FastMmap
	89	Session::State::Cookie
	90	/;
	91
	92
	93	=head2 Add Config Information for Authorization
	94
905a3a26	95	Edit C<myapp.conf> and update it to match the following (the
3533daff	96	C<role_relation> and C<role_field> definitions are new):
d442cc9f	97
c010ae0d	98	name MyApp
	99	<authentication>
	100	default_realm dbic
	101	<realms>
	102	<dbic>
	103	<credential>
3533daff	104	# Note this first definition would be the same as setting
3533daff	105	# __PACKAGE__->config->{authentication}->{realms}->{dbic}
905a3a26	106	# ->{credential} = 'Password' in lib/MyApp.pm
3533daff	107	#
3533daff	108	# Specify that we are going to do password-based auth
c010ae0d	109	class Password
3533daff	110	# This is the name of the field in the users table with the
3533daff	111	# password stored in it
c010ae0d	112	password_field password
d0496197	113	# Switch to more secure hashed passwords
	114	password_type hashed
	115	# Use the SHA-1 hashing algorithm
	116	password_hash_type SHA-1
	117	</credential>
c010ae0d	118	<store>
3533daff	119	# Use DBIC to retrieve username, password & role information
c010ae0d	120	class DBIx::Class
905a3a26	121	# This is the model object created by Catalyst::Model::DBIC
d0496197	122	# from your schema (you created 'MyApp::Schema::User' but as
905a3a26	123	# the Catalyst startup debug messages show, it was loaded as
d0496197	124	# 'MyApp::Model::DB::Users').
905a3a26	125	# NOTE: Omit 'MyApp::Model' here just as you would when using
d0496197	126	# '$c->model("DB::Users)'
d0496197	127	user_class DB::Users
905a3a26	128	# This is the name of the field in your 'users' table that
3533daff	129	# contains the user's name
c010ae0d	130	id_field username
3533daff	131	# This is the name of a many_to_many relation in the users
3533daff	132	# object that points to the roles for that user
c010ae0d	133	role_relation roles
3533daff	134	# This is the name of field in the roles table that contains
3533daff	135	# the role information
c010ae0d	136	role_field role
d0496197	137	</store>
	138	</dbic>
	139	</realms>
	140	</authentication>
d442cc9f	141
	142
	143	=head2 Add Role-Specific Logic to the "Book List" Template
	144
	145	Open C<root/src/books/list.tt2> in your editor and add the following
	146	lines to the bottom of the file:
	147
	148	<p>Hello [% Catalyst.user.username %], you have the following roles:</p>
905a3a26	149
d442cc9f	150	<ul>
	151	[% # Dump list of roles -%]
	152	[% FOR role = Catalyst.user.roles %]<li>[% role %]</li>[% END %]
	153	</ul>
905a3a26	154
d442cc9f	155	<p>
	156	[% # Add some simple role-specific logic to template %]
	157	[% # Use $c->check_user_roles() to check authz -%]
	158	[% IF Catalyst.check_user_roles('user') %]
	159	[% # Give normal users a link for 'logout' %]
	160	<a href="[% Catalyst.uri_for('/logout') %]">Logout</a>
	161	[% END %]
905a3a26	162
d442cc9f	163	[% # Can also use $c->user->check_roles() to check authz -%]
	164	[% IF Catalyst.check_user_roles('admin') %]
	165	[% # Give admin users a link for 'create' %]
	166	<a href="[% Catalyst.uri_for('form_create') %]">Create</a>
	167	[% END %]
	168	</p>
	169
	170	This code displays a different combination of links depending on the
	171	roles assigned to the user.
	172
	173	=head2 Limit C<Books::add> to C<admin> Users
	174
	175	C<IF> statements in TT templates simply control the output that is sent
	176	to the user's browser; it provides no real enforcement (if users know or
	177	guess the appropriate URLs, they are still perfectly free to hit any
	178	action within your application). We need to enhance the controller
	179	logic to wrap restricted actions with role-validation logic.
	180
	181	For example, we might want to restrict the "formless create" action to
	182	admin-level users by editing C<lib/MyApp/Controller/Books.pm> and
	183	updating C<url_create> to match the following code:
	184
	185	=head2 url_create
	186
	187	Create a book with the supplied title and rating,
	188	with manual authorization
905a3a26	189
d442cc9f	190	=cut
905a3a26	191
d442cc9f	192	sub url_create : Local {
	193	# In addition to self & context, get the title, rating & author_id args
	194	# from the URL. Note that Catalyst automatically puts extra information
	195	# after the "/<controller_name>/<action_name/" into @_
	196	my ($self, $c, $title, $rating, $author_id) = @_;
905a3a26	197
d442cc9f	198	# Check the user's roles
d442cc9f	199	if ($c->check_user_roles('admin')) {
905a3a26	200	# Call create() on the book model object. Pass the table
d442cc9f	201	# columns/field values we want to set as hash values
d0496197	202	my $book = $c->model('DB::Books')->create({
d442cc9f	203	title => $title,
	204	rating => $rating
	205	});
905a3a26	206
905a3a26	207	# Add a record to the join table for this book, mapping to
d442cc9f	208	# appropriate author
	209	$book->add_to_book_authors({author_id => $author_id});
	210	# Note: Above is a shortcut for this:
	211	# $book->create_related('book_authors', {author_id => $author_id});
905a3a26	212
d442cc9f	213	# Assign the Book object to the stash for display in the view
d442cc9f	214	$c->stash->{book} = $book;
905a3a26	215
d442cc9f	216	# This is a hack to disable XSUB processing in Data::Dumper
	217	# (it's used in the view). This is a work-around for a bug in
	218	# the interaction of some versions or Perl, Data::Dumper & DBIC.
	219	# You won't need this if you aren't using Data::Dumper (or if
905a3a26	220	# you are running DBIC 0.06001 or greater), but adding it doesn't
d442cc9f	221	# hurt anything either.
d442cc9f	222	$Data::Dumper::Useperl = 1;
905a3a26	223
d442cc9f	224	# Set the TT template to use
	225	$c->stash->{template} = 'books/create_done.tt2';
	226	} else {
	227	# Provide very simple feedback to the user
	228	$c->response->body('Unauthorized!');
	229	}
	230	}
	231
	232
	233	To add authorization, we simply wrap the main code of this method in an
	234	C<if> statement that calls C<check_user_roles>. If the user does not
	235	have the appropriate permissions, they receive an "Unauthorized!"
	236	message. Note that we intentionally chose to display the message this
	237	way to demonstrate that TT templates will not be used if the response
	238	body has already been set. In reality you would probably want to use a
	239	technique that maintains the visual continuity of your template layout
	240	(for example, using the "status" or "error" message feature added in
9ad715b3	241	Part 3).
d442cc9f	242
	243	B<TIP>: If you want to keep your existing C<url_create> method, you can
	244	create a new copy and comment out the original by making it look like a
	245	Pod comment. For example, put something like C<=begin> before C<sub add
	246	: Local {> and C<=end> after the closing C<}>.
	247
	248	=head2 Try Out Authentication And Authorization
	249
	250	Press C<Ctrl-C> to kill the previous server instance (if it's still
	251	running) and restart it:
	252
	253	$ script/myapp_server.pl
	254
	255	Now trying going to L<http://localhost:3000/books/list> and you should
	256	be taken to the login page (you might have to C<Shift+Reload> your
905a3a26	257	browser and/or click the "Logout" link on the book list page). Try
	258	logging in with both C<test01> and C<test02> (both use a password
	259	of C<mypass>) and notice how the roles information updates at the
d442cc9f	260	bottom of the "Book List" page. Also try the C<Logout> link on the
	261	book list page.
	262
	263	Now the "url_create" URL will work if you are already logged in as user
	264	C<test01>, but receive an authorization failure if you are logged in as
	265	C<test02>. Try:
	266
	267	http://localhost:3000/books/url_create/test/1/6
	268
	269	while logged in as each user. Use one of the 'Logout' links (or go to
905a3a26	270	L<http://localhost:3000/logout> in your browser directly) when you are
d442cc9f	271	done.
	272
	273
	274	=head1 ENABLE ACL-BASED AUTHORIZATION
	275
	276	This section takes a brief look at how the
	277	L<Catalyst::Plugin::Authorization::ACL\|Catalyst::Plugin::Authorization::ACL>
905a3a26	278	plugin can automate much of the work required to perform role-based
d442cc9f	279	authorization in a Catalyst application.
	280
	281	=head2 Add the C<Catalyst::Plugin::Authorization::ACL> Plugin
	282
	283	Open C<lib/MyApp.pm> in your editor and add the following plugin to the
	284	C<use Catalyst> statement:
	285
	286	Authorization::ACL
	287
	288	Note that the remaining C<use Catalyst> plugins from earlier sections
	289	are not shown here, but they should still be included.
	290
	291	=head2 Add ACL Rules to the Application Class
	292
	293	Open C<lib/MyApp.pm> in your editor and add the following B<BELOW> the
	294	C<__PACKAGE__-E<gt>setup;> statement:
	295
	296	# Authorization::ACL Rules
	297	__PACKAGE__->deny_access_unless(
	298	"/books/form_create",
	299	[qw/admin/],
	300	);
	301	__PACKAGE__->deny_access_unless(
	302	"/books/form_create_do",
	303	[qw/admin/],
	304	);
	305	__PACKAGE__->deny_access_unless(
	306	"/books/delete",
	307	[qw/user admin/],
	308	);
	309
	310	Each of the three statements above comprises an ACL plugin "rule". The
	311	first two rules only allow admin-level users to create new books using
	312	the form (both the form itself and the data submission logic are
	313	protected). The third statement allows both users and admins to delete
	314	books. The C</books/url_create> action will continue to be protected by
	315	the "manually configured" authorization created earlier in this part of
	316	the tutorial.
	317
	318	The ACL plugin permits you to apply allow/deny logic in a variety of
	319	ways. The following provides a basic overview of the capabilities:
	320
	321	=over 4
	322
905a3a26	323	=item *
d442cc9f	324
	325	The ACL plugin only operates on the Catalyst "private namespace". You
	326	are using the private namespace when you use C<Local> actions. C<Path>,
	327	C<Regex>, and C<Global> allow you to specify actions where the path and
	328	the namespace differ -- the ACL plugin will not work in these cases.
	329
905a3a26	330	=item *
d442cc9f	331
	332	Each rule is expressed in a separate
	333	C<__PACKAGE__-E<gt>deny_access_unless()> or
	334	C<__PACKAGE__-E<gt>allow_access_if()> line (there are several other
	335	methods that can be used for more complex policies, see the C<METHODS>
	336	portion of the
	337	L<Catalyst::Plugin::Authorization::ACL\|Catalyst::Plugin::Authorization::ACL>
	338	documentation for more details).
	339
905a3a26	340	=item *
d442cc9f	341
	342	Each rule can contain multiple roles but only a single path.
	343
905a3a26	344	=item *
d442cc9f	345
	346	The rules are tried in order (with the "most specific" rules tested
	347	first), and processing stops at the first "match" where an allow or deny
	348	is specified. Rules "fall through" if there is not a "match" (where a
	349	"match" means the user has the specified role). If a "match" is found,
	350	then processing stops there and the appropriate allow/deny action is
	351	taken.
	352
905a3a26	353	=item *
d442cc9f	354
	355	If none of the rules match, then access is allowed.
	356
905a3a26	357	=item *
d442cc9f	358
905a3a26	359	The rules currently need to be specified in the application class
d442cc9f	360	C<lib\MyApp.pm> B<after> the C<__PACKAGE__-E<gt>setup;> line.
	361
	362	=back
	363
	364	=head2 Add a Method to Handle Access Violations
	365
	366	By default,
	367	L<Catalyst::Plugin::Authorization::ACL\|Catalyst::Plugin::Authorization::ACL>
	368	throws an exception when authorization fails. This will take the user
	369	to the Catalyst debug screen, or a "Please come back later" message if
	370	you are not using the C<-Debug> flag. This step uses the
	371	C<access_denied> method in order to provide more appropriate feedback to
	372	the user.
	373
	374	Open C<lib/MyApp/Controller/Books.pm> in your editor and add the
	375	following method:
	376
	377	=head2 access_denied
905a3a26	378
d442cc9f	379	Handle Catalyst::Plugin::Authorization::ACL access denied exceptions
905a3a26	380
d442cc9f	381	=cut
905a3a26	382
d442cc9f	383	sub access_denied : Private {
d442cc9f	384	my ($self, $c) = @_;
905a3a26	385
d442cc9f	386	# Set the error message
d442cc9f	387	$c->stash->{error_msg} = 'Unauthorized!';
905a3a26	388
d442cc9f	389	# Display the list
	390	$c->forward('list');
	391	}
	392
905a3a26	393	Then run the Catalyst development server script:
d442cc9f	394
	395	$ script/myapp_server.pl
	396
3778bcbe	397	Log in as C<test02>. Once at the book list, click the "Create" link
	398	to try the C<form_create> action. You should receive a red
	399	"Unauthorized!" error message at the top of the list. (Note that in
	400	the example code the "Create" link code in C<root/src/books/list.tt2>
	401	is inside an C<IF> statement that only displays the list to
	402	admin-level users.) If you log in as C<test01> you should be able to
	403	view the C<form_create> form and add a new book.
d442cc9f	404
	405	When you are done, use one of the 'Logout' links (or go to the
	406	L<http://localhost:3000/logout> URL directly) when you are done.
	407
	408
	409	=head1 AUTHOR
	410
	411	Kennedy Clark, C<hkclark@gmail.com>
	412
	413	Please report any errors, issues or suggestions to the author. The
	414	most recent version of the Catalyst Tutorial can be found at
d712b826	415	L<http://dev.catalyst.perl.org/repos/Catalyst/trunk/Catalyst-Manual/lib/Catalyst/Manual/Tutorial/>.
d442cc9f	416
45c7830f	417	Copyright 2006-2008, Kennedy Clark, under Creative Commons License
d442cc9f	418	(L<http://creativecommons.org/licenses/by-nc-sa/2.5/>).
d442cc9f	419