/ 
Mojolicious-Plugin-SimpleAuthorization-0.02
River stage zero No dependents
⭐ Starred 0 GitHub stars
/ README.md

Mojolicious::Plugin::SimpleAuthorization Build Status

Simple role-based authorization for the Mojolicious web framework

  # Mojolicious example
  package SimpleApp;
  use Mojo::Base 'Mojolicious';

  sub startup {
    my $self = shift;

    $self->plugin(
      'SimpleAuthorization' => {
        'on_assert_failure' => sub {    # assert failure hook
          my ($self, $tests) = @_;

          $self->render(text => 'Permission denied.');
        },
      }
    );

    # Add route not requiring authentication/authorization
    my $r = $self->routes;
    $r->get('/')->to(cb => sub { shift->render(text => "I am public. Hi.") });

    # Add authentication under (which populates stash with the user/roles)
    #
    # In your under, set the user and user's roles C<HASHREF> every request.
    # The user can contain any arbitrary data. Roles should contain key/value
    # pairs, where allocated roles evaluate to true.
    my $auth = $r->under->to(
      cb => sub {
        my $self = shift;

        #if ($user_is_authenticated) {
          $self->stash(roles => {'user.delete' => 0, 'user.search' => 1});
          $self->stash(user => {username => 'paul', administrator => 0});
        #}
      }
    );

    # Search user controller - success!
    $auth->get('/user/search')->to(
      cb => sub {
        my $self = shift;
        return unless $self->assert_user_roles([qw/user.search/]);

        $self->render(text => "Success! Let's do some searching!");
      }
    );

    # Delete user controller - oh noes! (Will execute C<on_assert_failure>.)
    $auth->get('/user/delete')->to(
      cb => sub {
        my $self = shift;
        return unless $self->assert_user_roles([qw/user.delete/]);

        $self->render(text => "Damn! Not authorized so won't see this!");
      }
    );
  }

  1;

Mojolicious::Plugin::SimpleAuthorization is a simple role-based authorization plugin for Mojolicious.

It attempts to keep a sane control flow by not croaking or dying if the user does not have the relevant roles/permissions. As such, check_user_roles or assert_user_roles should be called at the beginning of your controllers.

Mojolicious::Plugin::SimpleAuthorization does offer the hook on_assert_failure if you want to render a permission denied response or similar for every request that isn't authorized. (Or if you would prefer to croak/die.)