[cgiapp] app authorization patterns, best practices?

B. Estrade estrabd at gmail.com
Thu Mar 29 11:35:40 EDT 2012 

On Thu, Mar 29, 2012 at 09:37:33AM +1100, Ron Savage wrote:
> Hi
> 
> There are 2 modules on CPAN which might help:
> 
> https://metacpan.org/module/Entities
> 
> https://metacpan.org/module/Abilities

Thank you, Ron.

I'll give them a looksee, then will let you know if I find them
helpful.

Brett

> 
> I did not try them yet myself.
> 
> On 29/03/12 00:40, B. Estrade wrote:
> > On Fri, Mar 23, 2012 at 8:05 PM, Jerry Kaidor<jerry at tr2.com>  wrote:
> >>
> >>> I have some questions regarding best practices when implementing
> >>> role based access control (RBAC). I have been playing with
> >>> CApp::Authentication and Authorization, and they both do basically
> >>> what I need.
> >>
> >> *** Me too.  I have three sub-businesses.  Let's call them A, B, C.  I
> >> want to have access to all of it, but I want my managers to only have
> >> access to
> >> their particular piece.
> >>
> >>     Here's more or less how I did it.  BTW, it recently broke for unknown
> >> reason, and I havent' gotten around to troubleshooting.
> >>
> >>    CApp:Authentication has a notion of "drivers".  I wrote a multi-DB
> >> driver that can look in a set of authentication databases.  I have a
> >> "users"
> >> mysql database at my global level, and another "users" database in each
> >> subbusiness.  When somebody attempts to log in, the multi-auth driver
> >> tries each database in turn.  If it successfully authenticates against the
> >> "global" database, that user has privs for all the sub-businesses.
> >>
> >>    Each line in the "users" database has a set of "permissions" flags,
> >> which correspond to things seeming to permission as I coded.  In line
> >> with the code are statements in the form if( getpriv( user, business
> >> )){}.  That way, I have a permissions system with much finer
> >> granularity than Capp::Authorization, which I do not use at all.
> >>
> >>                                - Jerry Kaidor ( jerry at tr2.com )
> >>
> >>
> >
> > Jerry,
> >
> > I didn't think about using the driver in this way - thank you for the idea.
> >
> > Another thing I am looking at doing is setting up contexts. What this
> > does is that it allows the user to  assume a particular set of roles
> > given what they are doing if they are assigned mutually exclusive
> > roles globally. Basically, each context is a set of compatible roles
> > that are active at any given time. The user is permitted to switch
> > among contexts as they wish, activating and deactivating roles as
> > needed.  I know it's another level of complexity, but still part of
> > the RBAC thing - I'll look more at the drivers aspect. Thanks, again.
> >
> > Brett
> >
> >>
> >>
> >>
> >>>
> >>> Here's the skeleton I came up with -
> >>>
> >>>        https://gist.github.com/33d23edf8fa2c0f48dc0
> >>>
> >>> My question is really, what's the best way to go about separating
> >>> functionality in a CApp based application?
> >>>
> >>> A practical case I am looking at right now is that I have form that
> >>> is used to manage user data. There are 3 roles - User, Manager, and
> >>> Admin. Each one has the types of permissions you'd expect (User can
> >>> manage himself, Manager can manage his Users, Admin can do anything).
> >>>
> >>> I was thinking of the best way to build this form and control actions
> >>> cleanly and compose this form using 3 different runmodes that are
> >>> increasingly restrictive.
> >>>
> >>> For example, the User form calls the "user" runmode, and returns the
> >>> form content. The "manager" runmode takes the output of "user" and
> >>> adds some stuff to it. The "admin" runmode might take the result of
> >>> the "manager" runmode - which would also include what the "user"
> >>> runmode provides...and so on.
> >>>
> >>> Ultimately, my goal is to get away from nasty frog boiling "if" blocks
> >>> controlling authorization and rely on composable functions (i.e.,
> >>> runmodes or modules) that will cleanly give me what I would like using
> >>> the runmode level protection that CApp::Authorization provides you.
> >>>
> >>> I've searched around and banged my head against this pretty hard, so
> >>> any thoughts or resources would be appreciated. For all I know, this
> >>> might be a bad idea. But I am really just looking for the best way to
> >>> create an access controlled system as cleanly as possible.
> >>>
> >>> Thank you,
> >>> Brett
> >>>
> >>> ps: I noticed that even if POST_LOGIN_RUNMODE is protected via
> >>> CApp::Authentication, the check seems to be ignored immediately after
> >>> login. I am not sure if this is a known issue or that there are some
> >>> callbacks happening in the wrong order. This will happen in the gist I
> >>> linked above.
> >>>
> >>> #####  CGI::Application community mailing list  ################
> >>> ##                                                            ##
> >>> ##  To unsubscribe, or change your message delivery options,  ##
> >>> ##  visit:  http://lists.openlib.org/mailman/listinfo/cgiapp    ##
> >>> ##                                                            ##
> >>> ##  Web archive:   http://lists.openlib.org/pipermail/cgiapp/   ##
> >>> ##  Wiki:          http://cgiapp.erlbaum.net/                 ##
> >>> ##                                                            ##
> >>> ################################################################
> >>>
> >>
> >>
> >>
> >> #####  CGI::Application community mailing list  ################
> >> ##                                                            ##
> >> ##  To unsubscribe, or change your message delivery options,  ##
> >> ##  visit:  http://lists.openlib.org/mailman/listinfo/cgiapp    ##
> >> ##                                                            ##
> >> ##  Web archive:   http://lists.openlib.org/pipermail/cgiapp/   ##
> >> ##  Wiki:          http://cgiapp.erlbaum.net/                 ##
> >> ##                                                            ##
> >> ################################################################
> >>
> >
> > #####  CGI::Application community mailing list  ################
> > ##                                                            ##
> > ##  To unsubscribe, or change your message delivery options,  ##
> > ##  visit:  http://lists.openlib.org/mailman/listinfo/cgiapp    ##
> > ##                                                            ##
> > ##  Web archive:   http://lists.openlib.org/pipermail/cgiapp/   ##
> > ##  Wiki:          http://cgiapp.erlbaum.net/                 ##
> > ##                                                            ##
> > ################################################################
> >
> >
> >
> 
> 
> -- 
> Ron Savage
> http://savage.net.au/
> Ph: 0421 920 622
> 
> #####  CGI::Application community mailing list  ################
> ##                                                            ##
> ##  To unsubscribe, or change your message delivery options,  ##
> ##  visit:  http://lists.openlib.org/mailman/listinfo/cgiapp    ##
> ##                                                            ##
> ##  Web archive:   http://lists.openlib.org/pipermail/cgiapp/   ##
> ##  Wiki:          http://cgiapp.erlbaum.net/                 ##
> ##                                                            ##
> ################################################################
>

More information about the cgiapp mailing list