> In practical terms, if I am already using an If LocParam, as in the
> following:
>
> If(() => User.isa_?("admin"), S.?("not_authorized"))
>
> what does adding
>
> HttpAuthProtected(() => User.authorize("admin")) to the Loc do?
It says that this Loc is protected by the returned Role. Thus to
access this after passing the authentication, the Role specified in the
authentication function (by setting userRoles) must be the same as or
a child of the Role that is protecting the Loc.
>
> Here, I've had to define User.authorize to make things work, as:
>
> def authorize(roleName:String): Box[Role] = {
> val credentials : (String,String) = User.currentUser match {
> case Full(u) => (u.email.is, u.password.is)
> case Empty => (null, null)
> }
>
> User.isa_?(roleName) match {
> case true => {
> LiftRules.httpAuthProtectedResource.append {
> case (ParsePath("listContents" :: _, _, _, _)) => Full
> (AuthRole("admin"))
> }
Why do you need to use httpAuthProtectedResource if you're using the
HttpAuthProtected LocParam?
> LiftRules.authentication = HttpBasicAuthentication("lift")
> {
> case (credentials._1, credentials._2, req) =>
> AuthRole(roleName)
> true
> }
> Full(new _root_.net.liftweb.http.auth.Role{
> def name = roleName})
> }
> case false => Empty
> }
>
> Rather verbose, don't you think?
Your code is verbose but I don't see the justification for this
verbosity:
LiftRules.authentication = HttpBasicAuthentication("lift") {
  case (username, password, req) => {
    // Do your authentication in DB or whatever and you
    // determined that this is an admin user
    userRoles(AuthRole("admin")) // userRoles needs to be
                                 // set. It is a RequestVar.
    true
  }
}
In Boot you have:
  Menu(Loc("listContents", List("listContents"), "listContents",
    HttpAuthProtected(() => Full(AuthRole("admin")))))
When you use HttpAuthProtected LocParam Lift appends a function to
LiftRules.httpAuthProtectedResource so you don't need to do it
manually.
This authorization scheme is only about protecting resources by roles,
and you do this almost declaratively; for authentication I think
the things are pretty straightforward. Once a user is authenticated
(using HTTP authentication) you need to specify the Role for this user,
and you do this using the userRoles RequestVar. Thus /listContents can only
be accessed if:
1. the user passed authentication
2. the user's Role is "admin" or a child of the Role specified in
HttpAuthProtected
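A Boot class that wires the two halves together, added here as an illustration and not taken from the thread: authentication only records the Role in userRoles, authorization is declared on the Loc, and the protecting "admin" Role carries an "auditor" child so that rule 2 above can be seen in a configuration. The "auditor" child role and the lookupRole credential check are assumptions for the example; the matching of child roles is as the reply describes it.

```scala
// Added example (not from the thread). Uses Lift's net.liftweb.http.auth API as
// it appears in the reply; the "auditor" role and lookupRole are made up here.
import net.liftweb.common.{Box, Full, Empty}
import net.liftweb.http.LiftRules
import net.liftweb.http.auth.{AuthRole, HttpBasicAuthentication, Role, userRoles}
import net.liftweb.sitemap.{Menu, Loc, SiteMap}
import net.liftweb.sitemap.Loc.HttpAuthProtected

class Boot {
  def boot {
    // Role tree: "admin" protects the Loc and "auditor" is declared as its child,
    // so a request carrying either Role satisfies the HttpAuthProtected check.
    val adminRole: Role = AuthRole("admin", AuthRole("auditor"))

    // Assumed stand-in for a real credential lookup (DB, LDAP, ...); it returns
    // the name of the Role to grant for this request, or Empty to reject.
    def lookupRole(username: String, password: String): Box[String] =
      (username, password) match {
        case ("alice", "s3cret")  => Full("admin")
        case ("bob", "hunter2")   => Full("auditor")
        case _                    => Empty
      }

    // Authentication: decide who the user is and set the userRoles RequestVar.
    // Returning false makes Lift answer with the HTTP Basic challenge again.
    LiftRules.authentication = HttpBasicAuthentication("lift") {
      case (username, password, req) =>
        lookupRole(username, password) match {
          case Full(roleName) =>
            userRoles(AuthRole(roleName))
            true
          case _ => false
        }
    }

    // Authorization: declared on the Loc. Lift registers the matching
    // httpAuthProtectedResource entry itself, so nothing is appended by hand.
    LiftRules.setSiteMap(SiteMap(
      Menu(Loc("listContents", List("listContents"), "listContents",
        HttpAuthProtected(() => Full(adminRole))))
    ))
  }
}
```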