
I'm working in a project that uses Catalyst and DBIx::Class.

I have a requirement where, under a certain condition, users should not be able to read or set a specific field in a table (e.g. the last_name field in a list of users that will be presented and may be edited by the user).

Instead of applying the conditional logic to each part of the project where that table field is read or set, risking old or new cases where the logic is missed, is it possible to implement the logic directly in the DBIx::Class based module, to never return or change the value of that field when the condition is met?

I've been trying to find the answer, and I'm still reading, but I'm somewhat new to DBIx::Class and its documentation. Any help would be highly appreciated. Thank you!

Francisco Zarabozo
  • I'm not a big DBIC user myself, but your question immediately made me suspect that you want to override the auto-generated accessor methods, and searching for that led me to the question at https://stackoverflow.com/questions/33634610/dbixclass-and-overloading-accessors Does that address your problem? – Dave Sherohman Jun 24 '20 at 10:48
  • I think it does, or at least it's getting me much closer to the solution. Thank you so much @DaveSherohman! – Francisco Zarabozo Jun 24 '20 at 11:32

1 Answer


I'd use an around Moose method modifier on the column accessor generated by DBIC. This won't be a real security solution as you can still access data without the Result class, for example when using HashRefInflator. Same for calling get_column. Real security would be at the database level with column level security and not allowing the database user used by the application to fetch that field. Another solution I can think of is an additional Result class for that table that doesn't include the column, maybe even defaulting to it and only use the one including the column when the user has a special role.

Alexander Hartmaier
  • Yes, I need to be able to get/set the column for some people, and mask it as an empty value that also silently ignores any attempt to change it for other users. I also want all the current controllers using that result set to continue working as they are now, so I cannot do this at database level. The controller needs to decide this based on which user is logged in. – Francisco Zarabozo Jun 24 '20 at 15:48
  • If you're talking about a Catalyst controller then there is nothing stopping you from using different database connections or models depending on the user. – Alexander Hartmaier Jun 24 '20 at 19:13
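
The accessor masking described in the answer, together with the two read paths it names that do not go through the accessor, as an added sketch (not code from the question or the answer). The class names, the `mask_last_name` schema flag and the in-memory SQLite table are assumptions; it needs DBD::SQLite and MooseX::NonMoose installed.

```perl
use strict;
use warnings;

package My::Schema::Result::User {    # hypothetical Result class
    use Moose;
    use MooseX::NonMoose;
    extends 'DBIx::Class::Core';

    __PACKAGE__->table('users');
    __PACKAGE__->add_columns(qw(id last_name));
    __PACKAGE__->set_primary_key('id');

    # Wrap the accessor DBIC generated for last_name. While the schema-level
    # flag is set, reads return '' and writes are dropped without error.
    around last_name => sub {
        my ($orig, $self, @args) = @_;
        return '' if $self->result_source->schema->mask_last_name;
        return $self->$orig(@args);
    };

    __PACKAGE__->meta->make_immutable;
}

package My::Schema {                  # hypothetical schema
    use base 'DBIx::Class::Schema';
    # Assumption: the controller sets this per request for the logged-in user.
    __PACKAGE__->mk_group_accessors(simple => 'mask_last_name');
    __PACKAGE__->register_class(User => 'My::Schema::Result::User');
}

package main;

my $schema = My::Schema->connect('dbi:SQLite:dbname=:memory:');
$schema->storage->dbh_do(sub {
    $_[1]->do('CREATE TABLE users (id INTEGER PRIMARY KEY, last_name TEXT)');
});
my $rs  = $schema->resultset('User');
my $row = $rs->create({ id => 1, last_name => 'Example' });  # constructed row

$schema->mask_last_name(1);
$row->last_name('Changed');           # dropped by the modifier
$row->update;                         # nothing is dirty, so nothing is written
printf "accessor:        '%s'\n", $row->last_name;

# The two paths named in the answer read the column without the accessor.
printf "get_column:      '%s'\n", $row->get_column('last_name');
my $hash = $rs->search({}, {
    result_class => 'DBIx::Class::ResultClass::HashRefInflator',
})->first;
printf "HashRefInflator: '%s'\n", $hash->{last_name};
```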