Hey Kenny --
> The only question is flexibility. If I wanted to change the
> delete_widget to allow a different group to have access to it
> how would
> I do that? Would I have to physically move the mode?
>
> Here are the details. I have users in different groups with different
> permissions.
>
[...snip...]
>
> The company that will use this software wanted to be able to change
> their minds. For example, "I think techs should be able to edit and
> delete widgets but they don't need to view confidential stuff".
Given these circumstances, I would create three separate CGI::Application
application modules:
1. Widget Viewer
2. Widget Editor
3. Confidential Stuff Viewer
This is based on a combination of object ("widget", "confidential stuff")
and function/access (Viewer/Tech, Editor/Manager-only).
See how this plays itself out if you add the functions:
edit_confidential_stuff_form
update_confidential_stuff
delete_confidential_stuff
If Managers are allowed to edit "confidential stuff" as well as view it, you
*may* put all these functions into the existing "Confidential Stuff Viewer"
application module. However(!), if you suspect that at some time in the
future it may be beneficial to change who has access to the
edit_confidential_stuff, smart money would be to put these three new
functions into a separate application module.
Consider: Would you *ever* grant someone access to the
"update_confidential_stuff" run-mode, but *NOT* to the
"edit_confidential_stuff_form"? How do they "update" without a form? Only
in the abstract does this even remotely make sense. These two functions are
clearly part of the same application.
OTOH: Would you ever grant someone access to "view_confidential_stuff", but
not "edit_confidential_stuff_form"? Probably! This is a good yardstick to
use to determine the need to make separate applications.
Once these applications are separated in a logical fashion, access can be
granted to them intuitively. If you change your mind and want to give Tech
users access to the "Confidential Stuff Viewer" you can move the viewer into
a directory Tech users can access, or you can change the permissions
governing the directory in which the "Confidential Stuff Viewer" is located.
If "John" is promoted, and "Doug" is hired as the new tech, move John into
the Manager group, and assign Doug to the Tech group. It's that simple.
Although well beyond the scope of CGI::Application, once you get into
writing your authentication and authorization rules, you can do things even
more complex than working only at the directory level. There is no reason
you couldn't deal with individual files instead of directories, for
instance. (There may be good reasons, from an ease-of-management point of
view, to deal with directories -- but you don't *have* to.) This is a
separate topic, however, and one more appropriate to a discussion about
mod_perl (or whatever web server API you're using).
TTYL,
-Jesse-
Jesse Erlbaum, CTO
Vanguard Media
http://www.vm.com
212.242.5317 x115
[EMAIL PROTECTED]
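The split described in the message above, laid out as an added example (this is not code from the message or from the CGI::Application distribution; the module names, file paths, user names and group names are assumed):

```perl
use strict;
use warnings;
# lib/MyApp/ConfidentialViewer.pm (assumed name): the read-only application.
package MyApp::ConfidentialViewer;
use base 'CGI::Application';

sub setup {
    my $self = shift;
    $self->start_mode('view_confidential_stuff');
    $self->run_modes(view_confidential_stuff => 'view_confidential_stuff');
}
sub view_confidential_stuff {
    my $self = shift;
    my $id   = $self->query->escapeHTML($self->query->param('id'));  # never echo raw input
    return "<p>Confidential record $id (read-only)</p>";
}

# lib/MyApp/ConfidentialEditor.pm: form, update and delete travel together,
# since nobody is ever granted update_confidential_stuff without the form.
package MyApp::ConfidentialEditor;
use base 'CGI::Application';
sub setup {
    my $self = shift;
    $self->start_mode('edit_confidential_stuff_form');
    $self->run_modes(
        edit_confidential_stuff_form => 'edit_confidential_stuff_form',
        update_confidential_stuff    => 'update_confidential_stuff',
        delete_confidential_stuff    => 'delete_confidential_stuff',
    );
}

sub edit_confidential_stuff_form {
    my $self = shift;
    my $id   = $self->query->escapeHTML($self->query->param('id'));
    return qq{<form method="post"><input type="hidden" name="rm" value="update_confidential_stuff">}
         . qq{<input type="hidden" name="id" value="$id"><input name="body"><input type="submit"></form>};
}
sub update_confidential_stuff { my $self = shift; return 'updated ' . $self->query->escapeHTML($self->query->param('id')) }
sub delete_confidential_stuff { my $self = shift; return 'deleted ' . $self->query->escapeHTML($self->query->param('id')) }
# Instance scripts (assumed paths), one per directory, each a two-liner:
#   /cgi-bin/staff/confidential.cgi    : use MyApp::ConfidentialViewer; MyApp::ConfidentialViewer->new->run;
#   /cgi-bin/managers/confidential.cgi : use MyApp::ConfidentialEditor; MyApp::ConfidentialEditor->new->run;
# httpd.conf: access is decided per directory, never per run mode:
#   <Directory "/var/www/cgi-bin/managers">
#       AuthType Basic
#       AuthName "Managers"
#       AuthUserFile  /etc/httpd/users
#       AuthGroupFile /etc/httpd/groups    # e.g. "managers: john" / "techs: doug"
#       Require group managers
#   </Directory>
```

Letting techs see the report is then a change to the staff/ directory's Require line or to the group file, not to any run mode, and promoting John means moving him to the managers line in the group file.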
Web Archive: http://www.mail-archive.com/[email protected]/