Re: [web-devel] [Yesod] Abstracting permissions with Yesod

On Fri, Feb 3, 2012 at 04:17, Felipe Almeida Lessa wrote:

On Thu, Feb 2, 2012 at 6:37 PM, Bryan Richter wrote: If I'm correctly understanding your concerns (and please correct me if I'm wrong), your qualm is only with the name "Permission" which you think that should be "Credential".  When you say that many actions may be satisfied by the same crendential, you're absolutely right.  On my project we have 6 times more routes than permissions ;-).  So perhaps I'm already doing what you're proposing but using another name?  Alas, you could say "permission to modify box" =).

Yep, that's pretty much it. And given how much longer you've used your system than I have, I'm prepared to be okay with just using 'Permission'. :) Just for reference, though I fear this horse might be quite dead, here is the motivating scenario that led me to 'Credential'. Names have been changed to protect the innocent. In my app are two model objects, Persona and Group. Person represents a user's on-site persona (so a user can log in but still not be fully registered), and each Group has a private, shared, facebook-style wall. There are three relevant routes: NewPersonaR, (GroupR gid), and DefaultGroupR. On the first, a user can set up their persona (including joining groups), the second has a Group's wall, and the third is a convenience route that redirects to the first Group a user is a member of. The authorization rules are: (1.) To access (GroupR gid), one must be a member of said group. (2.) Accessing DefaultGroupR will redirect to NewPersonaR if the user has no group memberships. (Users aren't group members, only Personas are.) (3.) A user must be logged in to access NewPersonaR. so: permissionsRequiredFor r _ = case r of NewPersonaR -> ModifyPersona -- rather opaque DefaultGroupR -> ? -- "HaveAGroup"? "LookAtSomeGroup"? (GroupR gid) -> ? -- "InGroup"? "RWAccessGroup?" I couldn't think of good names for the last two. However, this was pretty easy to come up with, and strikes me as much more natural: credentialsRequiredFor NewPersonR _ = LoggedIn credentialsRequiredFor DefaultGroupR _ = InSomeGroup credentialsRequiredFor (GroupR gid) _ = InGroup gid Can you maybe suggest better names for Permissions I could use in this scenario? Thanks again for sparking this discussion.