We use a two-stage system, Access and a combination
Authentication/Authorization stage.
When the user attempts to access a page, a mod_perl Access handler checks
for a cookie (we think it's pretty secure :) showing they have been
previously authenticated. If not, they are sent off to an Authentication
handler which authenticates them, and, if that was successful, looks up
their permissions from a database and stores them on disk using
Apache::Session::File. The data is stored (everywhere) in a
object.attribute=perm_level structure.
When the user *is* authenticated the Access handler slurps up the perms
from disk and stuffs them in the pnotes table in a hashref, which can then
be checked by the modules that display data, allowing them to decide
whether to show data read only, read-write, or not at all.
It's very nifty. To give props where due, it is partially based on the
Ticket Access stuff from the book (for the cookie access stuff) and
contains code by Jeff Baker (the storage stuff).
If there is a fair amount of interest I can genericize it and whack it
into CPAN ...
Nick
On Thu, 27 Apr 2000, Michael Nachbaur wrote:
> I have a question. I'm working on a project that requires not only file-by-file
>authentication and authorization, but task-by-task authorization within a file (for
>instance...read access, but not write). Basically, I'd like to have a database table
>define permissions (which can be associated with groups and users), and what type of
>permission it is: file-level, or task-level (or external/internal). Then, provide
>methods that a perl program can use to ask "Am I able to do this?".
>
> Is there something out there that does this? I'm planning on writing a module to
>handle this, so if there's something that I can start with, that would help things out
>a lot. Also, if anyone wants anything similar to this, let me know what features
>you'd like, and I'll see if I can integrate 'em into my requirements.
>
> I'm also thinking of doing something similar for authentication (because I'd like to
>have a login screen in HTML, instead of having that HTTP popup login window).
>Anything out there that does this?
>
> If this is a case of RTFM, could someone point me to where I can learn more about
>this?
>
> Thanks a bunch,
> -MN
>
- nick
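
The permission lookup described in the reply above, as an added example that is not part of the original thread and is not Nick's code: it parses the `object.attribute=perm_level` structure into a hashref (the shape that would be placed in pnotes) and answers read-only, read-write or not at all, denying by default. The level names (`none`, `ro`, `rw`), the function names and the sample records are assumptions; the post does not say how levels are encoded.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed encoding of perm_level; the post does not specify one.
my %LEVEL = (none => 0, ro => 1, rw => 2);

# Parse "object.attribute=perm_level" lines into { object => { attribute => level } }.
# Malformed lines and unknown levels are dropped, so they can never grant access.
sub parse_perms {
    my ($text) = @_;
    my %perms;
    for my $line (split /\n/, $text) {
        next unless $line =~ /\A(\w+)\.(\w+)=(\w+)\z/;
        my ($object, $attribute, $level) = ($1, $2, $3);
        next unless exists $LEVEL{$level};
        $perms{$object}{$attribute} = $LEVEL{$level};
    }
    return \%perms;
}

# Default deny: anything not explicitly listed is treated as 'none'.
sub level_for {
    my ($perms, $object, $attribute) = @_;
    return 0 unless ref($perms) eq 'HASH' && ref($perms->{$object}) eq 'HASH';
    return $perms->{$object}{$attribute} // 0;
}

sub can_read  { level_for(@_) >= $LEVEL{ro} }
sub can_write { level_for(@_) >= $LEVEL{rw} }

# Constructed sample records, standing in for what the Authentication stage stored.
my $stored = join "\n",
    'invoice.amount=ro',
    'invoice.notes=rw',
    'customer.ssn=none',
    'customer.name=admin',    # unknown level: ignored
    'bogus line';             # malformed: ignored

my $perms = parse_perms($stored);   # in a handler, this hashref would go into pnotes

for my $check (['invoice', 'amount'], ['invoice', 'notes'],
               ['customer', 'ssn'], ['customer', 'name'], ['payroll', 'salary']) {
    my ($obj, $attr) = @$check;
    my $mode = can_write($perms, $obj, $attr) ? 'read-write'
             : can_read($perms, $obj, $attr)  ? 'read-only'
             :                                  'not shown';
    printf "%-16s %s\n", "$obj.$attr", $mode;
}
```

An object or attribute missing from the stored data, an unrecognised level and a malformed record all resolve to "not shown", so a corrupted or partial session file cannot widen access.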