Richard Jones wrote:
> Mark Stosberg wrote:
>> On Tue, 11 Aug 2009 10:52:51 +0100
>> Richard Jones <[email protected]> wrote:
>>> Am having some difficulty with the FORBIDDEN_RUNMODE param when using
>>> CAP::Authorization with CA::Dispatch. All my application classes
>>> inherit from a base class where I have defined the 'forbidden'
>>> runmode (using AutoRunmode syntax). But declaring FORBIDDEN_RUNMODE
>>> => 'forbidden' in authz->config() means that for some reason the
>>> classes loaded by CA::Dispatch - which all 'use base MyApp::Base' -
>>> can't find the forbidden() rm so return my error page instead.
>>
>> I suggest looking into this a bit further. At the moment that the
>> forbidden run mode can't be found, has it been registered in the
>> run_modes() hash?
>
> It looks like it isn't. If I define FORBIDDEN_RUNMODE =>
> 'my_forbidden_rm' in authz->config() in cgiapp_init(), and then in
> cgiapp_prerun():
>
> use Data::Dumper; warn Dumper $self->run_modes();
> [..]
>
> But if I set $self->run_modes( authz_forbidden => 'my_forbidden_rm' ) in
> cgiapp_prerun() and then (still in cgiapp_prerun) dump
> $self->run_modes() immediately after:
> [..]
>
> And this time the forbidden runmode is found and returns its stuff.
> [..]

More info:
For *runmodes* protected using "return $self->authz->forbidden() unless
$self->authz->authorize('admin')" it works as documented.
But for *classes* protected by __PACKAGE__->authz->authz_runmodes(
':all' => 'admin' ) then only if I specifically remove FORBIDDEN_RUNMODE
from authz->config() in cgiapp_init()[*], and define $self->run_modes(
authz_forbidden => 'forbidden' ) in cgiapp_prerun() does my custom
forbidden rm get returned. Even defining authz_forbidden in setup()
doesn't suffice.
Of course removing FORBIDDEN_RUNMODE from authz->config() means the
runmode-level protection returns the default 'You do not have permission
to perform that action' instead of my custom page, but that's easy to
get round using 'return $self->forbidden()' instead of
$self->authz->forbidden().
* - otherwise it triggers the 'unknown action' page instead
--
Richard Jones