[web-devel] Fwd: Yesod. Routes. Resources. Authorization. ACL

Michael Snoyman michael at snoyman.com
Tue Jul 19 14:20:56 CEST 2011


It's provided for convenience, but not exactly the convenience you're
alluding to. The bool parameter isn't hard-coded into Yesod, it is
determined by the isWriteRequest method. This makes it very convenient
for defining read and write permissions. If you have a good RESTful
design, then the default implementation of isWriteRequest will likely
be correct for you. However, there are times when you'd want to
specify something else. For example, you might have a page that
requires a file parameter, and therefore is a POST request, but is
actually read-only. For such situations, you can easily override.

So the convenience of that bool parameter is that (1) it's usually the
easiest way to distinguish GET from POST and (2) when you have a more
complicated setup, you can still keep your isAuthorized function nice
and declarative.

All that said, I have no objections to looking into a new API. And now
is the time to discuss it; Greg and I have been putting in a lot of
code in the past week towards the 0.9 release.

Michael

On Tue, Jul 19, 2011 at 2:11 PM, Anakreon Mentis
<anakreonmejdi at gmail.com> wrote:
> I understand that it is provided for convenience. In case the authors
> of yesod are considering changes in the function's interface, it would
> be more convenient to write
> isAuthorized HomeR POST = Unauthorized
>
> Admittedly it is just a little more convenient and perhaps it is not worth
> the hassle to check if anyone is using the Bool parameter of
> isAuthorized and possibly make a non-backward-compatible change.
>
> On Tue, Jul 19, 2011 at 6:31 AM, Max Cantor <mxcantor at gmail.com> wrote:
>> forgot to reply to all
>>
>> Begin forwarded message:
>>
>>> From: Max Cantor <mxcantor at gmail.com>
>>> Date: July 19, 2011 10:45:54 AM GMT+08:00
>>> To: Anakreon Mentis <anakreonmejdi at gmail.com>
>>> Subject: Re: [web-devel] Yesod. Routes. Resources. Authorization. ACL
>>>
>>> Since isAuthorized runs in the Handler monad you can pull out the request method from the request.  I think the second parameter is just intended as a bit of a timesaver.
>>>
>>> max
>>>
>>> On Jul 19, 2011, at 5:46 AM, Anakreon Mentis wrote:
>>>
>>>> Regarding the isAuthorized function discussed at
>>>> http://www.haskell.org/pipermail/web-devel/2011/000855.html, I believe
>>>> it would be better if the second parameter was the method (GET, POST,
>>>> ..) instead of a boolean indicating if it is POST or DELETE.
>>>>
>>>> _______________________________________________
>>>> web-devel mailing list
>>>> web-devel at haskell.org
>>>> http://www.haskell.org/mailman/listinfo/web-devel
>>>
>
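
The split described in the message above, between classifying a request as read or write (isWriteRequest) and deciding access from the route and that flag (isAuthorized), can be sketched as a plain-Haskell model. This is an added example, not code from the thread or from Yesod: the route names, the User type, the explicit user and method arguments, and the default read/write classification are all assumptions made for illustration.

```haskell
-- Added illustration: a plain-Haskell model of the pattern, not Yesod's own code.
module Main where

data Method = GET | HEAD | POST | PUT | DELETE deriving (Eq, Show)

-- Hypothetical routes for this sketch.
data Route = HomeR | SearchR | ArticleR | AdminR deriving (Eq, Show)

data AuthResult = Authorized | AuthenticationRequired | Unauthorized String
  deriving (Eq, Show)

-- Hypothetical stand-in for "who is logged in".
data User = Anonymous | Member | Admin deriving (Eq, Show)

-- Default classification assumed here: GET and HEAD are reads, the rest writes.
defaultIsWrite :: Method -> Bool
defaultIsWrite m = m `notElem` [GET, HEAD]

-- Per-route override: SearchR takes a file upload via POST but changes nothing.
isWriteRequest :: Route -> Method -> Bool
isWriteRequest SearchR _ = False
isWriteRequest _       m = defaultIsWrite m

-- Policy stays declarative: it matches on route and the read/write flag only.
isAuthorized :: User -> Route -> Bool -> AuthResult
isAuthorized Admin     _        _     = Authorized
isAuthorized _         AdminR   _     = Unauthorized "admins only"
isAuthorized _         _        False = Authorized
isAuthorized Anonymous _        True  = AuthenticationRequired
isAuthorized Member    ArticleR True  = Authorized
isAuthorized Member    _        True  = Unauthorized "read-only for members"

-- Glue a framework would perform before running the handler.
check :: User -> Route -> Method -> AuthResult
check u r m = isAuthorized u r (isWriteRequest r m)

main :: IO ()
main = mapM_ report
  [ (Anonymous, HomeR, GET), (Anonymous, SearchR, POST)   -- POST, but read-only
  , (Anonymous, ArticleR, POST), (Member, ArticleR, DELETE)
  , (Member, HomeR, POST), (Member, AdminR, GET) ]
  where
    report (u, r, m) = putStrLn $
      show u ++ " " ++ show m ++ " " ++ show r ++ " -> " ++ show (check u r m)
```

Because the override lives in isWriteRequest, the policy table never mentions HTTP methods; a route wrongly classified as read-only there would bypass every write rule, so overrides deserve the same review as the policy itself.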


