[cgiapp] Authz with Authen, something is backwards here...

B. Estrade estrabd at gmail.com
Wed Jun 13 16:03:35 EDT 2012


On Wed, Jun 13, 2012 at 02:58:28PM -0500, B. Estrade wrote:
> I am finding that if I have a runmode that is protected via
> authentication and authorization, the authen doesn't happen before the
> authz is validated.
> 
> In other words, I want an authen to happen first; if it fails, redirect
> to the login. If authen is okay, proceed to authz.
> 
> Right now I have this unsettling bit of code in my authz driver's
> authorize_user method:
> 
> sub authorize_user {
>     my $self = shift;    my ($username, $required_permission) = @_;
>     return 1 if (!$username or $required_permission);
> 

I mean:

sub authorize_user {
    my $self = shift;    
    my ($username, $required_permission) = @_;
    return 1 if (!$username);

....

> ....
> 
> I figure that if there is no $username, then authen has failed. But,
> because of the ordering of calls, it appears that if this is the case,
> I have to succeed authorize_user and rely on authen to redirect the
> login - this seems backwards. Authen should fail before anything is
> checked with authz. What am I doing wrong?
> 
> Thank you,
> Brett 
> 
> 
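
The ordering question above, as an added sketch that is not part of the original post and does not use the CGI::Application plugin APIs: plain Perl with a hypothetical `gate` function and a constructed permission table. It shows what a fail-open `authorize_user` returns for an anonymous request when nothing upstream has enforced authentication, next to a fail-closed variant.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed permission table (hypothetical users and permissions).
my %PERMS = (
    alice => { edit => 1, view => 1 },
    bob   => { view => 1 },
);

# Fail-open check, as in the post: no username is treated as "authorized",
# so the result is only safe if authentication is enforced somewhere else.
sub authorize_user_open {
    my ($username, $required_permission) = @_;
    return 1 if !$username;
    return ( exists $PERMS{$username}
          && $PERMS{$username}{$required_permission} ) ? 1 : 0;
}

# Fail-closed variant: a missing username or permission is never authorized.
sub authorize_user_closed {
    my ($username, $required_permission) = @_;
    return 0 unless defined $username && length $username;
    return 0 unless defined $required_permission && length $required_permission;
    my $granted = $PERMS{$username} or return 0;
    return $granted->{$required_permission} ? 1 : 0;
}

# Hypothetical gate that enforces the order: authentication first, then authz.
sub gate {
    my ($authz, $username, $required_permission) = @_;
    return 'redirect_to_login' unless defined $username && length $username;
    return $authz->($username, $required_permission) ? 'run' : 'forbidden';
}

# Each case: label, username from the session (undef = not logged in), permission.
my @cases = (
    [ 'anonymous', undef,   'edit' ],
    [ 'bob',       'bob',   'edit' ],
    [ 'alice',     'alice', 'edit' ],
);

for my $c (@cases) {
    my ($label, $user, $perm) = @$c;
    printf "%-10s open-alone=%d closed-alone=%d gated=%s\n",
        $label,
        authorize_user_open($user, $perm),
        authorize_user_closed($user, $perm),
        gate(\&authorize_user_closed, $user, $perm);
}
```

The `anonymous` row is the one to watch: the fail-open check on its own reports the request as authorized, while the gated path sends it to the login before any permission lookup happens.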

