Prakash-

I've been working on something similar lately, and I'll share what I've
got working.  I'm fairly new at all of this too, so Caveat lector!

I'd appreciate any best practice comments/suggestions from anyone else
who has time to look at this.

The code is attached as two files:
        1) The instance script restricted_access.cgi
        2) The cgiapp module Restricted_access.pm

Put the instance script in your cgi-bin directory.  For simply testing
the app, put the module in the same directory (you would never do this in
production, right?) or in your perl @INC path, or put it wherever the hell
you want, and edit the use lib line in the instance script.

If you're on Windows or something else without /tmp, edit line 16 of
the cgiapp module to something like this:
CGI_SESSION_OPTIONS => ["driver:File", $self->query, {Directory => "C:\\"}],

Basically cgiapp_init sets up two params.  One called user_access which
is a hash directory of your users, their passwords, and their level of
access.  This would normally be pulled out of a database or file, but is
hard coded here for simplicity.  The other param is called rm_restrict,
and is another hash directory of all of your run modes each with an
array of levels that are allowed to access the run mode.  You could
probably do something fancier here so that you don't need the arrays
i.e. if you set rm access to public then every level above public has
access as well without explicitly stating them.

cgiapp_prerun then does two tests.  First if the user isn't logged in
yet, you get sent to login_rm.  During login the user's username gets
stored in the session.  If the user is logged in you get their username
from the session (server side so others can't spoof it), get the current
rm from get_current_runmode, look up the user's access level from your
user_access hash, and grep against the list of allowed access levels for
this rm.  If a match is found, carry on - if no match 'Go to hell!'.

The two files are attached and pasted below.  Three users are hard coded
into the module: me, you and him.  Their passwords are 1234, 2345, 3456
respectively.  The cgiapp module uses hard coded html to avoid making
assumptions about your template system.  I'm afraid my mailer is going
to mangle line wrapping so maybe look at the attached files.  Feedback
appreciated.

Barry


----------------------------------------------------------------------------

#!c:/Perl/bin/Perl.exe
package Restricted_Access;

use strict;
use warnings;

use base 'CGI::Application';
use CGI::Application::Plugin::Session;

################################################################################
sub cgiapp_init {
  my $self = shift;

  #Configure sessions
  $self->session_config(
    CGI_SESSION_OPTIONS => ["driver:File", $self->query, {Directory => '/tmp'}],
    COOKIE_PARAMS       => {-expires => '+24h',},
    SEND_COOKIE         => 1);
  #Initialize these from a database or password file.  Plaintext passwords
  #are for the demo only; anything real should store salted hashes.
  $self->param('user_access', {me  => {rm_access => 'admin',
                                       password  => '1234'},
                               you => {rm_access => 'manager',
                                       password  => '2345'},
                               him => {rm_access => 'lowly_grunt',
                                       password  => '3456'}});
  #Initialize from database, file, or just hardcode it.  A run mode that
  #is not listed here is denied by cgiapp_prerun.
  $self->param('rm_restrict', {top_secret_rm  => [qw/admin/],
                               sensitive_rm   => [qw/admin manager/],
                               public_rm      => [qw/admin manager lowly_grunt/],
                               login_rm       => [qw/admin manager lowly_grunt public/],
                               error_rm       => [qw/admin manager lowly_grunt public/]});
}
################################################################################
sub setup {
  my $self = shift;
  $self->start_mode('login_rm');
  $self->run_modes([qw/login_rm error_rm top_secret_rm sensitive_rm public_rm/]);
}
################################################################################
sub cgiapp_prerun {
  my $self = shift;
  my $user_access = $self->param('user_access');
  my $rm_restrict = $self->param('rm_restrict');
  my $rm          = $self->get_current_runmode;
  #Send to login page unless logged in already
  unless ($self->session->param('__LOGGED_IN')) {
    $self->prerun_mode('login_rm');
    return;
  }
  #Default deny: a requested rm that is missing from rm_restrict goes to
  #the error page (dereferencing the missing entry as an array would also
  #die under strict).
  my $allowed = $rm_restrict->{$rm};
  unless ($allowed) {
    $self->prerun_mode('error_rm');
    return;
  }
  #Run modes open to 'public' need no further check
  return if grep { $_ eq 'public' } @$allowed;
  #Send to error page if requesting a rm that you don't have access
  #rights to.  Look the user up with exists, and compare levels with eq
  #rather than an interpolated regex.
  my $rm_user = $self->session->param('rm_user');
  my $level   = (defined $rm_user && exists $user_access->{$rm_user})
              ? $user_access->{$rm_user}{rm_access} : undef;
  $self->prerun_mode('error_rm')
    unless defined $level && grep { $_ eq $level } @$allowed;
}
################################################################################
sub login_rm {
  my $self = shift;
  my $q = $self->query;
  my $session = $self->session;
  my $user   = $q->param('user');
  my $passwd = $q->param('passwd');
  my $user_access = $self->param('user_access');
  #Check that the user exists before comparing, so an unknown name does
  #not autovivify an entry or compare against undef.  A production login
  #should also issue a fresh session ID here to prevent session fixation.
  if (defined $user && defined $passwd
      && exists $user_access->{$user}
      && $passwd eq $user_access->{$user}{password}) {
    $session->clear;
    $session->param('__LOGGED_IN', 1);
    $session->param('rm_user', $user);
  }
  else {
    $session->clear;
  }

  #The hidden rm must name the real run mode (login_rm), not 'login'.
  return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
           <html>
           <head>
           <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
           </head>
           <body>
           <a href="restricted_access.cgi?rm=login_rm">Log In</a>&nbsp;&nbsp;
           <a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>&nbsp;&nbsp;
           <a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>&nbsp;&nbsp;
           <a href="restricted_access.cgi?rm=public_rm">Public</a><br>
           <form method="post" action="/cgi-bin/restricted_access.cgi">
           <input type="hidden" name="rm" value="login_rm" />
           <input type="text" name="user" />   Username<br>
           <input type="password" name="passwd" /> Password<br>
           <input type="submit" value="Submit"/>
           </form>
           </body>
           </html>|;
}
################################################################################
sub error_rm {
  my $self = shift;
  return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
           <html>
           <head>
           <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
           </head>
           <body>
             <a href="restricted_access.cgi?rm=login_rm">Log In</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=public_rm">Public</a><br>
           <h2>Bad hacker! Go to hell!!!</h2>
           </body>
           </html>|;
}
################################################################################
sub top_secret_rm {
  my $self = shift;
  return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
           <html>
           <head>
           <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
           </head>
           <body>
             <a href="restricted_access.cgi?rm=login_rm">Log In</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=public_rm">Public</a><br>
           <h2>Shhh! This is a secret - don't tell anyone</h2>
           </body>
           </html>|;
}
################################################################################
sub sensitive_rm {
  my $self = shift;
  return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
           <html>
           <head>
           <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
           </head>
           <body>
             <a href="restricted_access.cgi?rm=login_rm">Log In</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=public_rm">Public</a><br>
           <h2>Shhh! This is kind of a secret too - don't tell anyone
           unless you really want to</h2>
           </body>
           </html>|;
}
################################################################################
sub public_rm {
  my $self = shift;
  return q|<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
           <html>
           <head>
           <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
           </head>
           <body>
             <a href="restricted_access.cgi?rm=login_rm">Log In</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=top_secret_rm">Top Secret</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=sensitive_rm">Sensitive</a>&nbsp;&nbsp;
             <a href="restricted_access.cgi?rm=public_rm">Public</a><br>
           <h2>No secrets here.  We like to keep things out in the open</h2>
           </body>
           </html>|;
}
1;

----------------------------------------------------------------------------

#!c:/Perl/bin/Perl.exe

use strict;
use warnings;
use lib '.';
use CGI qw(:standard);
#fatalsToBrowser sends stack traces to the client: development use only.
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use Restricted_Access;

my $webapp = Restricted_Access->new(die_on_bad_params => 0,
                                    cache => 0 );
$webapp->run();

----------------------------------------------------------------------------


-----Original Message-----
From: Prakash Inuganti (pinugant) [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 16, 2005 7:40 AM
To: cgiapp@lists.erlbaum.net
Subject: [cgiapp] Restrict access to certain run modes

Hi,

How do I restrict user access to certain run modes based on user role?

E.g:

$self->param('role' => 'Employee');

He should have access to only run modes 'Reports' and 'Search'. If he
tries to access any other run mode by copying and pasting a URL or by
other means, I want to take him to an error page. Appreciate any help.

Thanks in advance
Prakash


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/cgiapp@lists.erlbaum.net/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
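Editor's added example, not Barry's module and not part of CGI::Application: it implements the "something fancier" Barry mentions, a ranked list of roles with one minimum role per run mode, so every role above the minimum is allowed without listing each one. It also denies by default (an unlisted run mode, an unknown role, or a missing session entry all fail closed) and compares roles by exact string lookup rather than an interpolated regex. The package name RunModeACL, the role order, and the test cases are assumptions made for this example; the run-mode names follow the post. It runs stand-alone with a stock perl and needs no web server.

```perl
#!/usr/bin/perl
# Added example (not Barry's code): rank-based run-mode authorisation
# with default deny.  RunModeACL, the role order and the cases below are
# assumptions for illustration; the run-mode names follow the post.
use strict;
use warnings;

package RunModeACL;

# Roles from least to most privileged.  'public' is the rank given to a
# visitor with no login, so run modes like login_rm need no special case.
my @ORDER = qw(public lowly_grunt manager admin);
my %RANK  = map { $ORDER[$_] => $_ } 0 .. $#ORDER;

# new(min_role => { run_mode => lowest_role_allowed, ... })
sub new {
    my ($class, %args) = @_;
    my %min = %{ $args{min_role} || {} };
    for my $rm (keys %min) {
        die "unknown role '$min{$rm}' for run mode '$rm'\n"
            unless exists $RANK{ $min{$rm} };
    }
    return bless { min_role => \%min }, $class;
}

# Returns 1 only when the role is known, the run mode is listed, and the
# role ranks at or above the run mode's minimum.  Anything unknown or
# undefined is denied, so a typo in a URL or a missing session entry
# never opens a run mode.  Exact hash lookups, no regex matching.
sub allowed {
    my ($self, $role, $rm) = @_;
    return 0 unless defined $role && exists $RANK{$role};
    return 0 unless defined $rm   && exists $self->{min_role}{$rm};
    return $RANK{$role} >= $RANK{ $self->{min_role}{$rm} } ? 1 : 0;
}

package main;

# One minimum role per run mode replaces the per-run-mode arrays.
my $acl = RunModeACL->new(min_role => {
    login_rm      => 'public',
    error_rm      => 'public',
    public_rm     => 'lowly_grunt',
    sensitive_rm  => 'manager',
    top_secret_rm => 'admin',
});

# Constructed checks: [role, run mode, expected result].
my @cases = (
    [ 'admin',       'top_secret_rm', 1 ],
    [ 'manager',     'top_secret_rm', 0 ],
    [ 'manager',     'sensitive_rm',  1 ],
    [ 'lowly_grunt', 'sensitive_rm',  0 ],
    [ 'lowly_grunt', 'public_rm',     1 ],
    [ 'public',      'public_rm',     0 ],
    [ 'public',      'login_rm',      1 ],
    [ 'admin',       'no_such_rm',    0 ],   # unlisted run mode: denied
    [ 'root',        'public_rm',     0 ],   # unknown role: denied
    [ undef,         'public_rm',     0 ],   # no user in session: denied
);

my $failures = 0;
for my $case (@cases) {
    my ($role, $rm, $want) = @$case;
    my $got = $acl->allowed($role, $rm);
    $failures++ if $got != $want;
    printf "%-12s %-14s %s\n", defined $role ? $role : '(none)', $rm,
           $got == $want ? 'ok' : 'FAIL';
}

# Hooking this into cgiapp_prerun would look like this (assumed code,
# untested here): unauthenticated visitors get the 'public' rank.
#   my $user = $self->session->param('rm_user');
#   my $role = $self->session->param('__LOGGED_IN')
#                && exists $self->param('user_access')->{$user}
#            ? $self->param('user_access')->{$user}{rm_access}
#            : 'public';
#   $self->prerun_mode('error_rm')
#       unless $acl->allowed($role, $self->get_current_runmode);
exit($failures ? 1 : 0);
```

Run it as `perl acl_demo.pl`; each line prints `ok` and the script exits 0. The point of keeping `allowed` as a pure function of (role, run mode) is that it can be unit-tested like this without a CGI environment, and the fail-closed branches are the ones worth keeping a test for.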
