Prakash- I've been working on something similar lately, and I'll share what I've got working. I'm fairly new at all of this too, so Caveat lector!
I'd appreciate any best practice comments/suggestions from anyone else who has time to look at this. The code is attached as two files:

1) The instance script restricted_access.cgi
2) The cgiapp module Restricted_access.pm

Put the instance script in your cgi-bin directory. For simply testing the app put the module in the same directory (you would never do this in production right) or in your perl @INC path, or put it wherever the hell you want, and edit the use lib line in the instance script. If you're on Windows or something else without /tmp edit line 16 of the cgiapp module to something like this:

CGI_SESSION_OPTIONS => ["driver:File", $self->query, {Directory => "C:\\"}],

Basically cgiapp_init sets up two params. One called user_access, which is a hash directory of your users, their passwords, and their level of access. This would normally be pulled out of a database or file, but is hard coded here for simplicity. The other param is called rm_restrict, and is another hash directory of all of your run modes, each with an array of levels that are allowed to access the run mode. You could probably do something fancier here so that you don't need the arrays, i.e. if you set rm access to public then every level above public has access as well without explicitly stating them.

cgiapp_prerun then does two tests. First, if the user isn't logged in yet, you get sent to login_rm. During login the user's username gets stored in the session. If the user is logged in you get their username from the session (server side so others can't spoof it), get the current rm from get_current_runmode, look up the user's access level from your user_access hash, and grep against the list of allowed access levels for this rm. If a match is found, carry on - if no match 'Go to hell!'.

The two files are attached and pasted below. Three users are hard coded into the module: me, you and him. Their passwords are 1234, 2345, 3456 respectively.
The cgiapp module uses hard coded html to avoid making assumptions about your template system. I'm afraid my mailer is going to mangle line wrapping so maybe look at the attached files. Feedback appreciated.

Barry

----------------------------------------------------------------------------

#!c:/Perl/bin/Perl.exe
package Restricted_Access;

use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;

################################################################################
sub cgiapp_init {
    my $self = shift;

    # Configure sessions
    $self->session_config(
        CGI_SESSION_OPTIONS => ["driver:File", $self->query, {Directory => '/tmp'}],
        COOKIE_PARAMS       => {-expires => '+24h'},
        SEND_COOKIE         => 1,
    );

    # Initialize these from a database or password file.
    $self->param('user_access', {
        me  => {rm_access => 'admin',       password => '1234'},
        you => {rm_access => 'manager',     password => '2345'},
        him => {rm_access => 'lowly_grunt', password => '3456'},
    });

    # Initialize from database, file, or just hardcode it
    $self->param('rm_restrict', {
        top_secret_rm => [qw/admin/],
        sensitive_rm  => [qw/admin manager/],
        public_rm     => [qw/admin manager lowly_grunt/],
        login_rm      => [qw/admin manager lowly_grunt public/],
        error_rm      => [qw/admin manager lowly_grunt public/],
    });
}

################################################################################
sub setup {
    my $self = shift;
    $self->start_mode('login_rm');
    $self->run_modes([qw/login_rm error_rm top_secret_rm sensitive_rm public_rm/]);
}

################################################################################
sub cgiapp_prerun {
    my $self        = shift;
    my $user_access = $self->param('user_access');
    my $rm_restrict = $self->param('rm_restrict');
    my $rm          = $self->get_current_runmode;

    # A run mode missing from rm_restrict gets an empty list, so it is denied
    # instead of dying on an undefined array reference.
    my @allowed = @{ $rm_restrict->{$rm} || [] };

    # Send to login page unless logged in already
    unless ($self->session->param('__LOGGED_IN')) {
        $self->prerun_mode('login_rm');
        return;
    }

    # Send to error page if requesting a rm that you don't have access rights to
    unless (grep { $_ eq 'public' } @allowed) {
        my $rm_user = $self->session->param('rm_user');
        my $level   = (defined $rm_user && exists $user_access->{$rm_user})
                    ? $user_access->{$rm_user}{rm_access}
                    : '';
        $self->prerun_mode('error_rm') unless grep { $_ eq $level } @allowed;
    }
}

################################################################################
sub login_rm {
    my $self        = shift;
    my $q           = $self->query;
    my $session     = $self->session;
    my $user        = $q->param('user');
    my $passwd      = $q->param('passwd');
    my $user_access = $self->param('user_access');

    # Only compare against a password for a user that actually exists
    if ($user && $passwd && exists $user_access->{$user}
        && $passwd eq $user_access->{$user}{password}) {
        $session->clear;
        $session->param('__LOGGED_IN', 1);
        $session->param('rm_user', $user);
    }
    else {
        $session->clear;
    }

    return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<a href="restricted_access.cgi?rm=login_rm">Log In</a>
<a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>
<a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>
<a href="restricted_access.cgi?rm=public_rm">Public</a><br>
<form method="post" action="/cgi-bin/restricted_access.cgi">
<input type="hidden" name="rm" value="login_rm" />
<input type="text" name="user" /> Username<br>
<input type="password" name="passwd" /> Password<br>
<input type="submit" value="Submit"/>
</form>
</body>
</html>|;
}

################################################################################
sub error_rm {
    my $self = shift;
    return qq|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<a href="restricted_access.cgi?rm=login_rm">Log In</a>
<a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>
<a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>
<a href="restricted_access.cgi?rm=public_rm">Public</a><br>
<h2>Bad hacker! Go to hell!!!</h2>
</body>
</html>|;
}

################################################################################
sub top_secret_rm {
    my $self = shift;
    return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<a href="restricted_access.cgi?rm=login_rm">Log In</a>
<a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>
<a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>
<a href="restricted_access.cgi?rm=public_rm">Public</a><br>
<h2>Shhh! This is a secret - don't tell anyone</h2>
</body>
</html>|;
}

################################################################################
sub sensitive_rm {
    my $self = shift;
    return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<a href="restricted_access.cgi?rm=login_rm">Log In</a>
<a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>
<a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>
<a href="restricted_access.cgi?rm=public_rm">Public</a><br>
<h2>Shhh! This is kind of a secret too - don't tell anyone unless you really want to</h2>
</body>
</html>|;
}

################################################################################
sub public_rm {
    my $self = shift;
    return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<a href="restricted_access.cgi?rm=login_rm">Log In</a>
<a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>
<a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>
<a href="restricted_access.cgi?rm=public_rm">Public</a><br>
<h2>No secrets here. We like to keep things out in the open</h2>
</body>
</html>|;
}

1;

----------------------------------------------------------------------------

#!c:/Perl/bin/Perl.exe
use strict;
use warnings;
use lib '.';
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use Restricted_Access;

my $webapp = Restricted_Access->new(die_on_bad_params => 0, cache => 0);
$webapp->run();

----------------------------------------------------------------------------

-----Original Message-----
From: Prakash Inuganti (pinugant) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 7:40 AM
To: cgiapp@lists.erlbaum.net
Subject: [cgiapp] Restrict access to certain run modes

Hi,

How do I restrict user access to certain run modes based on user role. E.g: $self->param('role' => 'Employee'); He should have access to only run modes 'Reports' and 'Search'. If he tries to access any other run mode by copying and pasting url or by other means, I want to take him to an error page. Appreciate any help.

Thanks in advance
Prakash
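The "something fancier" Barry mentions (ranking the levels so that a run mode marked for a level is automatically open to every level above it) can be written as a small stand-alone Perl check. This is an added example, not code from Barry's post or from CGI::Application; the level order public < lowly_grunt < manager < admin and the per-run-mode minimum levels are assumptions chosen to match the posted rm_restrict table. The check fails closed: a run mode that is not in the table, an unknown role, or a missing session user is denied. Unauthenticated requests are assumed to be redirected to login_rm before this check runs, exactly as the posted cgiapp_prerun does.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed level order, least to most privileged; the array index is the rank.
my @LEVELS = qw(public lowly_grunt manager admin);
my %RANK;
@RANK{@LEVELS} = (0 .. $#LEVELS);

# Minimum level needed for each run mode (assumed, mirrors the posted table).
# A run mode that is not listed is denied to everyone, so a newly added
# run mode is closed until someone deliberately opens it.
my %RM_MIN_LEVEL = (
    login_rm      => 'public',
    error_rm      => 'public',
    public_rm     => 'lowly_grunt',
    sensitive_rm  => 'manager',
    top_secret_rm => 'admin',
);

# Returns 1 if a user at $level may run $rm, 0 otherwise.
sub rm_allowed {
    my ($level, $rm) = @_;
    return 0 unless defined $level && defined $rm;
    return 0 unless exists $RANK{$level};         # unknown role: deny
    return 0 unless exists $RM_MIN_LEVEL{$rm};    # unlisted run mode: deny
    return $RANK{$level} >= $RANK{ $RM_MIN_LEVEL{$rm} } ? 1 : 0;
}

# What cgiapp_prerun would call: map the session user to a level, then decide.
# $rm_user is the value stored in the session at login; a user who has since
# been removed from user_access gets no level and is denied.
sub check_access {
    my ($user_access, $rm_user, $rm) = @_;
    my $level = (defined $rm_user && exists $user_access->{$rm_user})
              ? $user_access->{$rm_user}{rm_access}
              : undef;
    return rm_allowed($level, $rm);
}

# Constructed test data: the same three users as the posted module.
my %user_access = (
    me  => {rm_access => 'admin',       password => '1234'},
    you => {rm_access => 'manager',     password => '2345'},
    him => {rm_access => 'lowly_grunt', password => '3456'},
);

# [session user, run mode, expected decision]
my @cases = (
    ['me',     'top_secret_rm', 1],
    ['you',    'top_secret_rm', 0],
    ['you',    'sensitive_rm',  1],
    ['him',    'sensitive_rm',  0],
    ['him',    'public_rm',     1],
    ['me',     'unknown_rm',    0],   # not in the table: denied even to admin
    ['nobody', 'public_rm',     0],   # user not in user_access: denied
    [undef,    'top_secret_rm', 0],   # no user in the session: denied
);

for my $c (@cases) {
    my ($user, $rm, $want) = @$c;
    my $got = check_access(\%user_access, $user, $rm);
    printf "%-7s %-14s %s\n",
        (defined $user ? $user : '(none)'), $rm,
        ($got == $want ? 'ok' : "MISMATCH (got $got, want $want)");
}
```

Because the decision is a single comparison of ranks, adding a level or a run mode means editing one table entry rather than every array that should include it, and there is no way to forget to list a high level on a low run mode. The cost is that access is strictly hierarchical; if a manager should see something an admin should not, the per-run-mode arrays in Barry's module are the right tool.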
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]