Hey Kenny --
> The decision has been made (although I can change it) to use a
> user-type/run-mode permission scheme. I created a database
> that handles
> which users are which type and which types have access to
> which mode. I even have it working :-)
Maybe a silly question -- but is your security REALLY at the level of a
*single* run-mode?
In my experience, security is usually applied to a group of run-modes. For
instance, you might allow a valid user to access the group of run-modes
"search_form", "search_widgets", and "view_widget". You would only allow
administrators to access the group of run-modes "add_widget",
"edit_widget_form", "update_widget_properties", and "delete_widget".
Does this describe your situation? If so, why don't you simply break your
application into multiple applications, by required authority? Each
application could then have its own instance script. The instance scripts
might be located in your "Document Root" like this:
/widget_browser.pl
/admin/widget_manager.pl
If you get this far, you can use the capabilities of the web server to apply
security at a directory hierarchy level. You could write an Authentication
and Authorization system which would use a database of users and groups.
Then, you could apply the following logic:
/ -- Requires a valid user
/admin/ -- Requires a valid user who is also in the "administrator"
group.
Through a web-based interface, users could be added to or removed from
various groups. You could have as many instance scripts as you like, each
for a different set of functions, possibly requiring different group
membership.
The beauty of this system is that you don't have to add *ANY* code to your
CGI::Application modules. FURTHERMORE(!), this system will also protect
STATIC HTML documents, where any system which is built into your app module
will NOT. If you want to change the security required for a particular set
of functions or static documents, just move the instance script or documents
into a different directory, or change the group requirements for that
directory.
Does this work for you? What are the problems which would prevent you from
using this type of system?
Warmest regards,
-Jesse-
Jesse Erlbaum, CTO
Vanguard Media
http://www.vm.com
212.242.5317 x115
[EMAIL PROTECTED]
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/cgiapp@lists.vm.com/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
