[web-devel] [Yesod] Abstracting permissions with Yesod

Bryan Richter bryan.richter at gmail.com
Fri Feb 3 18:11:42 CET 2012


On Fri, Feb 3, 2012 at 04:17, Felipe Almeida Lessa
<felipe.lessa at gmail.com> wrote:
> On Thu, Feb 2, 2012 at 6:37 PM, Bryan Richter <bryan.richter at gmail.com> wrote:
> If I'm correctly understanding your concerns (and please correct me if
> I'm wrong), your qualm is only with the name "Permission", which you
> think should be "Credential".  When you say that many actions may
> be satisfied by the same credential, you're absolutely right.  On my
> project we have 6 times more routes than permissions ;-).  So perhaps
> I'm already doing what you're proposing but using another name?  Alas,
> you could say "permission to modify box" =).
>

Yep, that's pretty much it. And given how much longer you've used your
system than I have, I'm prepared to be okay with just using
'Permission'. :)

Just for reference, though I fear this horse might be quite dead, here
is the motivating scenario that led me to 'Credential'. Names have
been changed to protect the innocent.

In my app are two model objects, Persona and Group. Persona represents
a user's on-site persona (so a user can log in but still not be fully
registered), and each Group has a private, shared, facebook-style
wall. There are three relevant routes: NewPersonaR, (GroupR gid), and
DefaultGroupR. On the first, a user can set up their persona
(including joining groups), the second has a Group's wall, and the
third is a convenience route that redirects to the first Group a user
is a member of.

The authorization rules are:
 (1.) To access (GroupR gid), one must be a member of said group.
 (2.) Accessing DefaultGroupR will redirect to NewPersonaR if the user
has no group memberships. (Users aren't group members, only Personas
are.)
 (3.) A user must be logged in to access NewPersonaR.

so:

permissionsRequiredFor r _ = case r of
    NewPersonaR   -> ModifyPersona -- rather opaque
    DefaultGroupR -> ? -- "HaveAGroup"? "LookAtSomeGroup"?
    (GroupR gid)  -> ? -- "InGroup"? "RWAccessGroup?"

I couldn't think of good names for the last two. However, this was
pretty easy to come up with, and strikes me as much more natural:

credentialsRequiredFor NewPersonaR   _ = LoggedIn
credentialsRequiredFor DefaultGroupR _ = InSomeGroup
credentialsRequiredFor (GroupR gid)  _ = InGroup gid

Can you maybe suggest better names for Permissions I could use in this scenario?

Thanks again for sparking this discussion.
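
The three authorization rules and the credential mapping from the message above, carried through to an access decision. This is an added example, not code from the original post or from Yesod: it is plain Haskell with no Yesod dependency, and the Visitor and Decision types and the holds and authorize functions are hypothetical names. Sending an anonymous visitor to login on every route is an assumption.

```haskell
module Main where

type GroupId = Int

data Route = NewPersonaR | DefaultGroupR | GroupR GroupId
  deriving (Eq, Show)

data Credential = LoggedIn | InSomeGroup | InGroup GroupId
  deriving (Eq, Show)

-- Hypothetical model of the caller: anonymous, or a logged-in user
-- together with the groups their Persona belongs to.
data Visitor = Anonymous | User [GroupId]
  deriving (Eq, Show)

-- Hypothetical outcome type (not Yesod's AuthResult).
data Decision = Allow | RequireLogin | RedirectTo Route | Deny
  deriving (Eq, Show)

-- Total over Route: adding a route without a credential is a
-- compiler warning (-Wincomplete-patterns), not a silent allow.
credentialsRequiredFor :: Route -> Credential
credentialsRequiredFor NewPersonaR   = LoggedIn
credentialsRequiredFor DefaultGroupR = InSomeGroup
credentialsRequiredFor (GroupR gid)  = InGroup gid

-- Does the visitor hold the credential? Anonymous visitors hold none.
holds :: Visitor -> Credential -> Bool
holds Anonymous _             = False
holds (User _)  LoggedIn      = True
holds (User gs) InSomeGroup   = not (null gs)
holds (User gs) (InGroup gid) = gid `elem` gs

authorize :: Visitor -> Route -> Decision
authorize visitor route
  | holds visitor (credentialsRequiredFor route) = Allow
  | otherwise = case (visitor, route) of
      (Anonymous, _)          -> RequireLogin           -- rule 3; assumed for rules 1 and 2
      (User _, DefaultGroupR) -> RedirectTo NewPersonaR -- rule 2: no memberships yet
      _                       -> Deny                   -- rule 1: not a member of gid

-- Constructed sample visitors and routes.
main :: IO ()
main = mapM_ (print . uncurry authorize)
  [ (Anonymous, NewPersonaR)
  , (User [],   DefaultGroupR)
  , (User [7],  GroupR 7)
  , (User [7],  GroupR 9)
  ]
```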


