[cgiapp] Security, Authentication and Authorization for CGI::App

Mark Rajcok mrajcok at gmail.com
Fri Mar 5 11:43:55 EST 2010


Hi Nicholas,

I would like to see CAP::Authentication be enhanced to have the ability to
query additional database fields and make the data available to runmodes.
These fields need not be related to authentication.  For example, the
ability to specify a user role/privilege field could then avoid the need to
hit the database a second time for common authorization checks.

In my current app, I have u_state and u_privileges fields.  The DB is hit
once for authen, and then a second time for authz.  I've always wanted a way
to avoid this.  I'm thinking of something like this:

DRIVER => [ 'DBI',
  DBH         => $self->dbh,
  TABLE       => 'user',
  CONSTRAINTS => {
     'user.name'         => '__CREDENTIAL_1__',
     'MD5:user.password' => '__CREDENTIAL_2__'
  },
  EXTRA_DATA => [ 'u_state', 'u_privileges' ],   # store this data somewhere
],

sub a_rm {
  my $self = shift;
  # returns a hash ref: { u_state => 'active', u_privileges => 7 }
  my $authz_data = $self->authen->extra_data;
}

-- Mark R.

On Thu, Mar 4, 2010 at 5:30 PM, Nicholas Bamber <nicholas at periapt.co.uk> wrote:

> Brad,
>     If you have any feedback on
> CGI::Application::Plugin::Authentication I would appreciate it.
>
>     My priorities for it are (not in any order):
> 1.) Getting it to run under taint mode
> 2.) And making the HTML more configurable
> 3.) Getting test coverage up.
> 4.) Keeping test failures down
> 5.) Working through the bugs in rt.
>
> I am also thinking about the big picture on authentication but I have
> been working on the module for too short a time to have any definite ideas.
>
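The single-round-trip pattern Mark is asking for, written out as a stand-alone DBI script (an added example, not CAP::Authentication code and not Mark's proposed EXTRA_DATA/extra_data API): the WHERE clause performs the credential check and the column list pulls the authorization fields, so the runmode never has to query again. The in-memory SQLite table, the users, and the PRIV_* bit values are constructed for this example; the MD5 column matches the 'MD5:user.password' constraint in the config above.

```perl
#!/usr/bin/env perl
# Added example (not CAP::Authentication code): one DBI query that both
# checks the credentials and fetches the fields a runmode needs for
# authorization, so the database is hit once instead of twice.
use strict;
use warnings;
use DBI;
use Digest::MD5 qw(md5_hex);

# Hypothetical privilege bits for this example.
use constant { PRIV_READ => 1, PRIV_WRITE => 2, PRIV_ADMIN => 4 };

# Constructed in-memory table standing in for the real 'user' table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do(q{
    CREATE TABLE user (
        name         TEXT PRIMARY KEY,
        password     TEXT NOT NULL,   -- MD5 hex, as in the CONSTRAINTS above
        u_state      TEXT NOT NULL,
        u_privileges INTEGER NOT NULL
    )
});
my $ins = $dbh->prepare('INSERT INTO user VALUES (?, ?, ?, ?)');
$ins->execute('alice', md5_hex('s3cret'),  'active',   7);   # constructed
$ins->execute('bob',   md5_hex('hunter2'), 'disabled', 1);   # constructed

# Returns the extra fields as a hash ref on success, undef on failure.
# The SELECT is the single round trip: the WHERE clause does the
# credential check and the column list pulls the authorization data.
sub authenticate_with_extra_data {
    my ($dbh, $name, $password) = @_;
    my $row = $dbh->selectrow_hashref(
        'SELECT u_state, u_privileges FROM user WHERE name = ? AND password = ?',
        undef, $name, md5_hex($password),
    );
    return $row;   # e.g. { u_state => 'active', u_privileges => 7 }
}

# What a runmode does with the cached data: no second query. A user whose
# account is not active is denied even if the privilege bit is set.
sub may_write {
    my ($extra) = @_;
    return 0 unless $extra && $extra->{u_state} eq 'active';
    return ($extra->{u_privileges} & PRIV_WRITE) ? 1 : 0;
}

for my $try (['alice', 's3cret'], ['alice', 'wrong'], ['bob', 'hunter2']) {
    my ($name, $pw) = @$try;
    my $extra = authenticate_with_extra_data($dbh, $name, $pw);
    if (!$extra) {
        print "$name: authentication failed\n";
        next;
    }
    printf "%s: state=%s privileges=%d may_write=%d\n",
        $name, $extra->{u_state}, $extra->{u_privileges}, may_write($extra);
}
```

Running it needs DBD::SQLite installed. The third case is the one worth noticing: bob's password is correct and the query returns his row, but u_state is 'disabled', so the runmode refuses him without another database call. Unsalted MD5 is used here only because that is what the config above constrains on; a salted, slow password hash would be the better choice for the column itself, independent of the single-query idea.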

