[cgiapp] Authentication/Authorization prerun interaction
Lyle Brooks
brooks at deseret.com
Thu Jan 12 10:24:13 EST 2012
Quoting Cees Hek (ceeshek at gmail.com):
> On Thu, Jan 12, 2012 at 5:18 AM, Lyle Brooks <brooks at deseret.com> wrote:
> > Quoting Cees Hek (ceeshek at gmail.com):
> >> On Wed, Jan 11, 2012 at 5:40 AM, Lyle Brooks <brooks at deseret.com> wrote:
>
>
> I tend to do authorization the following way:
>
>
> __PACKAGE__->authz('group')->config(
>     DRIVER => [ 'Generic', sub {
>         my ($username,$group) = @_;
>         return MyApp->user($username)->in_group($group);
>     } ],
> );
>
> # Only administrators can access anything in this module
> __PACKAGE__->add_callback('prerun', sub {
>     my $self = shift;
>     return $self->forbidden unless
>         __PACKAGE__->authz('group')->authorize('administrator');
> });
>
> -or-
>
> # Only administrators can run this runmode
> sub admin_something {
>     my $self = shift;
>     return $self->forbidden unless
>         __PACKAGE__->authz('group')->authorize('administrator');
>     ...
> }
>
> Authentication is handled in Apache using Apache2::AuthCookie which is
> probably why I haven't come across this problem before.
Thank you for those examples...that may help me work around the
issue.
>
> > From my reading of the CGI::Application documentation on the
> > use of prerun_mode(), its purpose is to allow for a new runmode
> > to supersede the requested runmode....in which case, it seems
> > like it should as a byproduct also set $self->{__CURRENT_RUNMODE}
> > In CGI::Application::prerun_mode() replace the line
> >
> > $self->{__PRERUN_MODE} = $prerun_mode;
> >
> > with
> >
> > $self->{__PRERUN_MODE} = $self->{__CURRENT_RUNMODE} = $prerun_mode;
> >
> > (which I think would address my issue).
>
> You could test that easily by copying the prerun method into your
> application and adding your patch.
Yes, I did copy the prerun_mode() code from CGI::Application
to my derived package and applied my patch to the copied code. It
worked the way I envisioned.
>
> I think this is probably the most appropriate way to solve this issue.
> The plugin should be able to ask CGI::Application "What is the
> runmode that you are about to execute?", without having to do multiple
> checks.
I agree completely. I tend not to advance solutions that have
non-obvious side-effects, but this one seems to make sense (and
if it is documented sufficiently, it should be acceptable).
>
> > I don't know what impact that would have on existing code written
> > for CGI::Application.
>
> Neither do I, but I would suspect it would be minimal (does anyone
> else have any comments on this?)
>
> > If that approach turned out to be inappropriate, then I would
> > suggest that in CGI::Application::Plugin::Authorization::prerun_callback()
> >
> > the line
> >
> > if ($rule = $auth->is_authz_runmode($self->get_current_runmode)) {
> >
> > be replaced with something like...
> >
> >
> > my $candidate_runmode = $self->prerun_mode() || $self->get_current_runmode();
> > if ($rule = $auth->is_authz_runmode($candidate_runmode)) {
>
> This brings me back to my comment above. Why should the plugin have
> to check in multiple places to find out what runmode is about to be
> executed?
Agreed. This second approach I suggested would be less optimal (IMHO)
than the first approach.
Thank you for taking the time to review my postings.
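The interaction this thread is about, as an added example (not code from the thread, nor from CGI::Application or its Authentication/Authorization plugins): one prerun callback diverts the request with prerun_mode(), and a later authorization-style prerun callback asks get_current_runmode(), which still names the originally requested runmode. MyApp::Patched carries the one-line change discussed above, so the second callback sees the runmode that will actually execute. MyApp, the runmodes, %ADMIN_ONLY and %GROUPS are constructed stand-ins; the body of prerun_mode() in the subclass is reconstructed from memory of CGI::Application 4.x and should be compared with the installed version before use.

```perl
#!/usr/bin/env perl
# Added example; assumes CGI::Application and CGI.pm are installed.
# MyApp, its runmodes, %ADMIN_ONLY and %GROUPS are constructed stand-ins
# for an application using the Authentication/Authorization plugins.
use strict;
use warnings;

package MyApp;
use parent 'CGI::Application';

my %ADMIN_ONLY = ( admin_something => 1 );            # constructed authz rules
my %GROUPS     = ( alice => { administrator => 1 } ); # constructed user/group table

sub setup {
    my $self = shift;
    $self->header_type('none');   # body only, so the output is easy to read below
    $self->mode_param('rm');
    $self->start_mode('start');
    $self->run_modes(
        start           => sub { "public page\n" },
        login           => sub { "login page\n" },
        forbidden       => sub { "403 forbidden\n" },
        admin_something => sub { "admin page\n" },
    );
}

# Callback 1: authentication stand-in. Requests without a user are
# diverted to the login runmode via prerun_mode().
__PACKAGE__->add_callback('prerun', sub {
    my $self = shift;
    $self->prerun_mode('login') unless defined $self->query->param('user');
});

# Callback 2: authorization stand-in, keyed on get_current_runmode() the way
# the plugin's prerun_callback() is described above.
__PACKAGE__->add_callback('prerun', sub {
    my $self = shift;
    my $rm   = $self->get_current_runmode;
    $self->param(authz_saw => $rm);      # record which runmode the rule was applied to
    return unless $ADMIN_ONLY{$rm};
    my $user = $self->query->param('user') // '';
    $self->prerun_mode('forbidden')
        unless $GROUPS{$user} && $GROUPS{$user}{administrator};
});

package MyApp::Patched;
use parent -norequire, 'MyApp';
use Carp qw(croak);

# The approach from the thread: copy prerun_mode() into the derived package
# and let it update __CURRENT_RUNMODE as well. Reconstructed from memory of
# CGI::Application 4.x; compare with your installed copy.
sub prerun_mode {
    my $self = shift;
    my ($prerun_mode) = @_;
    $self->{__PRERUN_MODE} = "" unless exists $self->{__PRERUN_MODE};
    if (defined $prerun_mode) {
        croak("prerun_mode() can only be called within cgiapp_prerun()!  Error")
            unless $self->{__PRERUN_MODE_LOCKED} == 0;
        $self->{__PRERUN_MODE} = $self->{__CURRENT_RUNMODE} = $prerun_mode;
    }
    return $self->{__PRERUN_MODE};
}

package main;
use CGI;
$ENV{CGI_APP_RETURN_ONLY} = 1;   # run() returns the output instead of printing it

# Dispatch one constructed request; return the runmode the authz rule was
# evaluated against and the body that was actually rendered.
sub dispatch {
    my ($class, %query) = @_;
    my $app  = $class->new(QUERY => CGI->new(\%query));
    my $body = $app->run;
    return ($app->param('authz_saw'), $body);
}

for my $class (qw(MyApp MyApp::Patched)) {
    for my $q ({ rm => 'admin_something' },                     # anonymous
               { rm => 'admin_something', user => 'bob' },      # not an administrator
               { rm => 'admin_something', user => 'alice' }) {  # administrator
        my ($saw, $body) = dispatch($class, %$q);
        printf "%-15s user=%-5s authz saw '%-15s' -> %s",
            $class, $q->{user} // '-', $saw, $body;
    }
}
```

For the anonymous request, MyApp's authorization callback still sees admin_something, so it overrides the login diversion with the forbidden runmode; MyApp::Patched's callback sees login, which has no rule, and the login page is rendered. The two authenticated requests behave the same in both classes, which is the point of keeping the change small.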