[cgiapp] chicken-and-egg problem with group-based dispatching
Mark Stosberg
mark at summersault.com
Mon Jul 28 13:20:38 EDT 2008
I have a large application set up so that the run modes that apply to each
group of users are in modules that inherit from a base class for that
group. For example, we might have:
StaffBase.pm
StaffPetsAdmin.pm
PublicBase.pm
PublicCommunicationPreferences.pm
One of the benefits of this design is that any time you try to access one of
the modules that inherits from StaffBase, the application checks that you
belong to the "staff group".
I like this design, because you don't really have to worry about making sure
each run mode is protected appropriately. The infrastructure provides that for
you.
The problem comes when I want to access the same run mode through the same URL,
perhaps:
/user/profile/edit
should be accessible to people in multiple groups, because I would like the run
mode to be able to be different for different groups. (For example, the staff
may see extra fields).
So, I would like this URL to dispatch to a run mode in either
StaffProfileMgmt.pm or PublicistProfileMgmt.pm,
depending on the group membership of the person requesting the URL.
And that's my chicken-and-egg problem. I like to really use the functionality
of my application (dbh(), session(), config() ), before I dispatch to it.
An alternate approach would be along the lines of what the Authorization plugin
provides:
http://search.cpan.org/~ceeshek/CGI-Application-Plugin-Authorization-0.07/lib/CGI/Application/Plugin/Authorization.pm#authz_runmodes
In this approach, I would globally declare that run modes are not accessible,
and then in each module I would call "authz_runmodes" to declare which run
modes are accessible to particular groups. This is a little more work, but the
default protection scheme would mean that I would immediately notice and
repair any run mode for which I forgot to declare the authorization rules.
What are others doing?
Mark
--
http://mark.stosberg.com/
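
The two ideas in the message above (choosing the target module from the requester's group, and denying any run mode that has no declared rule) can be sketched in plain Perl. This is an added example, not part of the original post and not CGI::Application or plugin code. The rule table, the `resolve_target` helper, the `publicist` group name and the sample paths other than /user/profile/edit are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical rule table: path => ordered list of [group, target class].
# A path with no entry, or a user in none of the listed groups, is denied.
my %RULES = (
    '/user/profile/edit' => [
        [ staff     => 'StaffProfileMgmt' ],
        [ publicist => 'PublicistProfileMgmt' ],
    ],
    '/staff/pets/admin' => [        # constructed path for StaffPetsAdmin
        [ staff => 'StaffPetsAdmin' ],
    ],
);

# Resolve a request to a target class, or undef (deny).
# $groups is a hash ref of the requester's group names; in a real app it
# comes from the session lookup that has to happen before dispatch.
sub resolve_target {
    my ($path, $groups) = @_;
    my $rules = $RULES{$path} or return;      # undeclared path: deny
    for my $rule (@$rules) {
        my ($group, $class) = @$rule;
        return $class if $groups->{$group};   # first matching group wins
    }
    return;                                   # no matching group: deny
}

# Constructed sample requests: [label, path, groups].
my @requests = (
    [ 'staff user',     '/user/profile/edit',   { staff => 1 } ],
    [ 'publicist user', '/user/profile/edit',   { publicist => 1 } ],
    [ 'both groups',    '/user/profile/edit',   { staff => 1, publicist => 1 } ],
    [ 'publicist user', '/staff/pets/admin',    { publicist => 1 } ],
    [ 'staff user',     '/user/profile/delete', { staff => 1 } ],
    [ 'anonymous',      '/user/profile/edit',   {} ],
);

for my $req (@requests) {
    my ($label, $path, $groups) = @$req;
    my $class = resolve_target($path, $groups);
    printf "%-15s %-22s -> %s\n", $label, $path,
        defined $class ? $class : 'DENIED (403)';
}
```

The undeclared path /user/profile/delete is refused even for a staff member, which is the default-deny property that makes a forgotten rule visible immediately.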