[cgiapp] Re: CAP::Authorization, CAP::AutoRunmode & CA::Dispatch
Richard Jones
ra.jones at dpw.clara.co.uk
Thu Aug 13 04:05:47 EDT 2009
Richard Jones wrote:
> Mark Stosberg wrote:
>> On Tue, 11 Aug 2009 10:52:51 +0100
>> Richard Jones <ra.jones at dpw.clara.co.uk> wrote:
>>
>>> Am having some difficulty with the FORBIDDEN_RUNMODE param when using
>>> CAP::Authorization with CA::Dispatch. All my application classes
>>> inherit from a base class where I have defined the 'forbidden'
>>> runmode (using AutoRunmode syntax). But declaring FORBIDDEN_RUNMODE
>>> => 'forbidden' in authz->config() means that for some reason the
>>> classes loaded by CA::Dispatch - which all 'use base MyApp::Base' -
>>> can't find the forbidden() rm so return my error page instead.
>>
>> I suggest looking into this a bit further. At the moment that the
>> forbidden run mode can't be found, has it been registered in the
>> run_modes() hash?
>
> It looks like it isn't. If I define FORBIDDEN_RUNMODE =>
> 'my_forbidden_rm' in authz->config() in cgiapp_init(), and then in
> cgiapp_prerun():
>
> use Data::Dumper; warn Dumper $self->run_modes();
[..]
> But if I set $self->run_modes( authz_forbidden => 'my_forbidden_rm' ) in
> cgiapp_prerun() and then (still in cgiapp_prerun) dump
> $self->run_modes() immediately after:
[..]
> And this time the forbidden runmode is found and returns its stuff.
[..]
More info:
For *runmodes* protected using "return $self->authz->forbidden() unless
$self->authz->authorize('admin')" it works as documented.
But for *classes* protected by __PACKAGE__->authz->authz_runmodes(
':all' => 'admin' ) then only if I specifically remove FORBIDDEN_RUNMODE
from authz->config() in cgiapp_init()[*], and define $self->run_modes(
authz_forbidden => 'forbidden' ) in cgiapp_prerun() does my custom
forbidden rm get returned. Even defining authz_forbidden in setup()
doesn't suffice.
Of course removing FORBIDDEN_RUNMODE from authz->config() means the
runmode-level protection returns the default 'You do not have permission
to perform that action' instead of my custom page, but that's easy to
get round using 'return $self->forbidden()' instead of
$self->authz->forbidden().
* - otherwise it triggers the 'unknown action' page instead
--
Richard Jones
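
The workaround described in the message above, collected into one sketch. This is an added example, not code from the original post or from the CGI::Application project. The package names, the `delete_user` run mode and the Generic driver callback (a constructed stand-in for a real group lookup) are assumptions.

```perl
package MyApp::Base;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::AutoRunmode;
use CGI::Application::Plugin::Authorization;

sub cgiapp_init {
    my $self = shift;
    # FORBIDDEN_RUNMODE is deliberately left out of config() (the workaround).
    # Assumption: the Generic driver callback receives ($username, $group);
    # the username is whatever the plugin resolves (e.g. REMOTE_USER).
    $self->authz->config(
        DRIVER => [ 'Generic', sub {
            my ( $username, $group ) = @_;
            return $username eq 'root' && $group eq 'admin';   # constructed rule
        } ],
    );
}

sub cgiapp_prerun {
    my $self = shift;
    # Map the plugin's default forbidden run mode name onto the custom method.
    $self->run_modes( authz_forbidden => 'forbidden' );
}

# Custom "forbidden" page, declared with AutoRunmode syntax in the base class.
sub forbidden : Runmode {
    my $self = shift;
    $self->header_add( -status => '403 Forbidden' );
    return '<h1>Forbidden</h1>';
}

package MyApp::Admin;    # hypothetical class loaded by CA::Dispatch
use strict;
use warnings;
use base 'MyApp::Base';

# Class-level protection: every run mode in this class requires 'admin'.
__PACKAGE__->authz->authz_runmodes( ':all' => 'admin' );

# Run-mode-level check: return the custom page directly, because
# $self->authz->forbidden() now yields the plugin's default message.
sub delete_user : Runmode {
    my $self = shift;
    return $self->forbidden() unless $self->authz->authorize('admin');
    return 'user deleted';
}

1;
```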