On Thu, Mar 17, 2011 at 7:29 PM, Greg Weber wrote:

On Thu, Mar 17, 2011 at 10:07 AM, wrote:

...

I am trying to build an intranet web app that would need access control (different modules are allowed/denied to different groups of users).

I am thinking about putting a handle that checks credentials and then lets routing to continue to match the rest of the route.

/app/moudle1 <- Here i check the credentials /app/moudle1/path1 <- If credential are OK, then the handler falls in here. /app/moudle1/path2

How do i do that with yesod ? Is it something that needs a subsite ? I would appreciate a small example. It would help me a lot.

You can look at the static subsite or some of the other existing ones. You should be able to avoid a subsite by checking the url in the auhorization callbacks. The community would find some kind of authorization library useful if you manage to generalize your approach.

...

-----------------

Another question, Is there a way a automatically and transparently for developer encrypt part (or all ) of the url. Like this:

www.website.com/app/jshdfbjkshabfjhvkjvjaksvdfjhvasjdhvfkjshadfhjasdhfkjasfjsvahf

This seems possible using a custom route piece type and/or url rendering overrides.

...

where the encrypted part will be converted to normal route by the rounting handler, and when urls are generated, encrypted back. Of course using a separate key for each user/session.

Regards, Vagif Verdi

_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel

Greg Weber _______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel

I think Greg is right on both points. I just wanted to add that I also agree that subsite authoring needs to be documented properly. Now that my personal life is starting to settle down to normal again I'm hoping to make a major dent in the advanced section of the Yesod book. Michael

On Thu, Mar 17, 2011 at 8:01 PM, wrote:

Both Snap and Happstack can match against partial route. And after handling it let it fall deeper to the next handler.

Does yesod routing support such model ?

Sure, just use MultiPieces. For example: mkYesod "MyApp" [$parseRoutes| /*Strings RootR GET |] getRootR [] = ... getRootR ["hello"] = ... getRootR ("something":rest) = go rest But even though you *can* do it, that doesn't mean I recommend it. One of the major features that Yesod gives you versus Snap or Happstack is type-safe URLs. Doing these kinds of matches undercuts that feature drastically. So sure: contrary to popular belief, Yesod can express the full routing flexibility present in Happstack and Snap. But there's a very good reason to use the recommended approaches whenever possible. I think that isAuthorized[1] should provide you with the tool you need to achieve this. I've written sites with very complex permissions code using isAuthorized, and frankly I think it's a much better and simpler approach to many other authorization systems out there. (And yes, I would love to augment the Yesod book with some documentation on it.) [1] http://hackage.haskell.org/packages/archive/yesod-core/0.7.0.1/doc/html/Yeso...

...

You should be able to avoid a subsite by checking the url in the auhorization callbacks.

Could you please elaborate. I do not even know where to begin to look for such callbacks.

The scaffolded site has an authentication example. But it is implemented as a subsite. And i have a hard time figuring out how to create a subsite without a documentation.

I don't think a subsite is the solution you are looking for here. It *could* solve your problem, but it would not be the most pleasant approach. Subsites should be saved for reusable components whenever possible. Michael

On Thu, Mar 17, 2011 at 8:42 PM, Greg Weber wrote:

On Thu, Mar 17, 2011 at 11:01 AM, wrote:

...

Both Snap and Happstack can match against partial route. And after handling it let it fall deeper to the next handler.

Does yesod routing support such model ?

Yes, this should be possible but you may have to go about it in a different way.

...

...

You should be able to avoid a subsite by checking the url in the auhorization callbacks.

Could you please elaborate. I do not even know where to begin to look for such callbacks.

The scaffolded site has an authentication example. But it is implemented as a subsite. And i have a hard time figuring out how to create a subsite without a documentation.

there is an isAuthorized callback. The most productive way to use yesod is to start cloning the repos and do a search for where things like "authorize" are defined. It will take time to improve the docs.

Actually, I really like hearing the questions directly on web-devel, it gives me an idea of where I should focus when updating the docs. When I get a question like this, it tells me to add a point each to the subsite and authorization chapters. Michael

...

On Thursday, March 17, 2011 10:29:40 AM you wrote:

...

On Thu, Mar 17, 2011 at 10:07 AM, wrote:

...

I am trying to build an intranet web app that would need access control (different modules are allowed/denied to different groups of users).

I am thinking about putting a handle that checks credentials and then lets routing to continue to match the rest of the route.

/app/moudle1 <- Here i check the credentials /app/moudle1/path1 <- If credential are OK, then the handler falls in here. /app/moudle1/path2

How do i do that with yesod ? Is it something that needs a subsite ? I would appreciate a small example. It would help me a lot.

You can look at the static subsite or some of the other existing ones. You

should be able to avoid a subsite by checking the url in the auhorization callbacks. The community would find some kind of authorization library useful if you manage to generalize your approach.

...

-----------------

Another question, Is there a way a automatically and transparently for developer encrypt part (or all ) of the url. Like this:

www.website.com/app/jshdfbjkshabfjhvkjvjaksvdfjhvasjdhvfkjshadfhjasdhfkja sfjsvahf

This seems possible using a custom route piece type and/or url rendering overrides.

where the encrypted part will be converted to normal route by the rounting

...

handler, and when urls are generated, encrypted back. Of course using a separate key for each user/session.

Regards, Vagif Verdi

_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel

Greg Weber

_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel

_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel