[cgiapp] help with CAP::Authentication

P Kishor punk.kish at gmail.com
Sun Aug 2 22:21:42 EDT 2009


On Sun, Aug 2, 2009 at 11:15 AM, Alex<capfan at gmx.de> wrote:
> Hi!
>
> Understanding CAP::Auth could take a while :)
>
> For your "even_more_protected" protection, you might want to use
> CGI::Application::Plugin::Authorization. There, you can define roles and
> privileges for users / user groups / whatever you want.
>

Thanks for pointing me to CAP::Authorization. I did not know of it,
and, from its description, it indeed seems to offer exactly what I
want to accomplish.

However, I don't understand CAP::Authorization as well (along with
CAP::Authentication). It seems to use a simple logic like so

    # is the current user in the admin group
    if ($self->authz->authorize('admingroup')) {
        # perform an admin action
    }

but, it is not clear as to how it assigns these admin groups. For
instance, there are a number of examples of restricting certain
runmodes to the 'admin' group. But, how does the module know which
user belongs to the 'admin' group? Unfortunately, it is not clear to
me.

What I have done so far, using my account_update_session() sub, is set
a session bit for 'admin' and then use a

    if ($self->session->param('is_admin')) {
        # .. do this ..
    }
    else {
        # .. sorry ..
    }

Does CAP::Authorization do anything more?

Re. my other query, is there a more elegant way of setting/unsetting
session vars? I am using POST_LOGIN_CALLBACK to set the vars, but
there doesn't seem to be a similar POST_LOGOUT_CALLBACK. Any
suggestions on how to do something automatically after logout?

> A simple way would be to use two usergroups: users and admins.
> Your usual protected stuff would be accessible by the user group and the
> other more picky stuff will require the admin group. Finally, you assign a
> user group to each user and you're done.
>
> HTH, Alex
>
> -----Original Message-----
> From: cgiapp-bounces at lists.openlib.org
> [mailto:cgiapp-bounces at lists.openlib.org] On Behalf Of P Kishor
> Sent: Sonntag, 2. August 2009 17:49
> To: CGI Application
> Subject: [cgiapp] help with CAP::Authentication
>
> I am trying to implement *and* understand CAP::Authentication. My questions
> are --
>
> 1. How do I set (or unset) a bunch of session variables upon successful
> login or on logout?
>
> For example, right now I am using a POST_LOGIN_CALLBACK to set an 'is_admin'
> bit like so
>
>    $self->authen->config(
>        ..
>        POST_LOGIN_CALLBACK => \&account_update_session,
>    );
>
>    sub account_update_session {
>        my $self = shift;
>
>        if ($self->authen->is_authenticated) {
>            # default to non-admin, then look the user's group up
>            $self->session->param('is_admin', 0);
>
>            my $dbh = $self->dbh;
>
>            my $sth = $dbh->prepare(qq{
>                SELECT u.group_id
>                FROM users u JOIN groups g ON u.group_id = g.group_id
>                WHERE u.username = ?
>            });
>
>            $sth->execute($self->authen->username);
>            my ($group_id) = $sth->fetchrow_array;
>
>            # group_id is undef when the user has no row
>            if (defined $group_id && $group_id == 1) {
>                $self->session->param('is_admin', 1);
>            }
>        }
>
>    }
>
> The above works, but is it the right way to accomplish this? The 'is_admin'
> bit is just one session var. I will likely have a few other session vars to
> set and unset.
>
>
> 2. Once I have set 'is_admin', how do I protect some of the modes much
> like
>
>    $self->authen->protected_runmodes(
>        'view',
>        'account_prefs',
>        'account_update',
>        'account_admin'
>    );
>
> I would like to create something like so, logically speaking
>
>    $self->authen->even_more_protected_runmodes(
>        'account_admin'
>    );
>
> --
> Puneet Kishor
>

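As an added example (not code from this thread), here is one way to let CAP::Authorization answer the "which user is in the admin group" question itself: the Generic driver is given a callback that queries the database on every authorize() call, and a prerun hook maps the "even more protected" run mode to the group it requires. Assumptions: a groups.name column holding labels such as 'admin', CGI::Application::Plugin::DBH providing $self->dbh, and a hypothetical 'forbidden' run mode for refused requests.

```perl
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::DBH;
use CGI::Application::Plugin::Session;
use CGI::Application::Plugin::Authentication;
use CGI::Application::Plugin::Authorization;

# Assumed schema: users(username, group_id) and groups(group_id, name); the
# 'name' column holds the group label ('admin', 'users') that authorize() is
# asked about. Returns true when the user belongs to any of @groups.
sub user_in_groups {
    my ($dbh, $username, @groups) = @_;
    return 0 unless defined $username && @groups;
    my $placeholders = join ',', ('?') x @groups;
    my ($count) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM users u JOIN groups g ON u.group_id = g.group_id"
      . " WHERE u.username = ? AND g.name IN ($placeholders)",
        undef, $username, @groups,
    );
    return $count ? 1 : 0;
}

# Run modes that need a group on top of being logged in.
my %REQUIRED_GROUP = ( account_admin => 'admin' );

sub setup {
    my $self = shift;
    $self->run_modes([qw(view account_prefs account_update account_admin forbidden)]);
    $self->authen->protected_runmodes(qw(view account_prefs account_update account_admin));
    # The Generic driver hands the callback ($username, @args_given_to_authorize).
    $self->authz->config(
        DRIVER => [ 'Generic', sub { user_in_groups($self->dbh, @_) } ],
    );
}

# The group check runs on every request, so membership is never cached in the
# session and there is nothing to clear at logout.
sub cgiapp_prerun {
    my ($self, $rm) = @_;
    my $group = $REQUIRED_GROUP{$rm} or return;
    return unless $self->authen->is_authenticated;   # login redirect is authen's job
    $self->prerun_mode('forbidden') unless $self->authz->authorize($group);
}

sub forbidden     { return 'Sorry, this action requires the admin group.' }
sub account_admin { return 'admin-only page' }

1;
```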