On Thu, 27 Feb 2003, Jean-Michel Hiver wrote:

> Hi List,
>
> In theory Authentication / Authorization handlers are very cool, because
> the application underneath it doesn't need to know the logic of it, and
> as long as you design web applications with nice, RESTful, sensible URIs
> it would all work beautifully.
>
> BUT, I cannot figure out how to 'ask' Apache whether a request would
> succeed or not. I'm wondering whether there would be a way to do:
>
>     my $ok = $r->would_be_authorized ($uri);
>
>     # or
>     my $ok = $r->would_be_authorized ($uri, 'GET');
>
>     # or
>     my $ok = $r->would_be_authorized ($uri, 'POST', $fh);
>
> This would be handy because for example in your web application you
> might want certain controls or links to be replaced by proper messages
> rather than directing the user to a location that he/she doesn't have
> access to.
>
> If I missed something obvious please point out a URI so that I can RTFM!
> All ideas appreciated!

Salut,

I think this may be solved by architecture. If you have an Authz layer maybe it needs to be called sooner than right when you need it.

I have a Session-based auth system. When the user successfully authenticates the Auth handler does a lookup in a db where we store all users' authz information. The db has an access level for each user for each widget in the application. These are all loaded into a hashref and stored in the serverside session. An encrypted cookie has the key to the session.

All of this is tied into the UI such that the user's authz level determines the content they see. Data such as '$student->first_name' are displayed by a UI handler according to perms; the UI's methods can write out either:

    "First Name: $val"

or

    "First Name: <input type='text' name='first_name' val='$val'>"

or whatever, depending on the user's perms.

HTH,

- nick

--
~~~~~~~~~~~~~~~~~~~~
Nick Tonkin   {|8^)>
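
The per-widget scheme described in the reply above, sketched as an added example (not part of the original message and not the poster's code). The level names `NONE`/`READ`/`WRITE`, the session layout, the function names and the sample data are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Ordered access levels. Names and numbering are assumptions for this sketch.
use constant { NONE => 0, READ => 1, WRITE => 2 };

# Constructed sample: what the auth handler would load from the authz db
# into the server-side session at login (widget name => access level).
my %session = (
    authz => { first_name => WRITE, last_name => READ },   # 'ssn' deliberately absent
);

# Escape data before it is placed in HTML text or a quoted attribute.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Widgets with no entry in the session default to NONE (deny by default).
sub level_for {
    my ($session, $widget) = @_;
    my $lvl = $session->{authz}{$widget};
    return defined $lvl ? $lvl : NONE;
}

# Render one field according to the user's level for that widget.
sub render_field {
    my ($session, $widget, $label, $val) = @_;
    my $lvl = level_for($session, $widget);
    return '' if $lvl == NONE;
    my $v = escape_html($val);
    return "$label: $v" if $lvl == READ;
    return sprintf q{%s: <input type="text" name="%s" value="%s">},
        $label, escape_html($widget), $v;
}

# The same lookup has to gate the form handler: hiding an input does not stop a POST.
sub may_write { return level_for(@_) >= WRITE }

my %student = (first_name => q{Ann "A" <b>}, last_name => 'Lee', ssn => '000-00-0000');
my %labels  = (first_name => 'First Name', last_name => 'Last Name', ssn => 'SSN');
for my $w (qw(first_name last_name ssn)) {
    my $html = render_field(\%session, $w, $labels{$w}, $student{$w});
    print "$html\n" if length $html;
    printf "  POST to %s allowed: %s\n", $w, may_write(\%session, $w) ? 'yes' : 'no';
}
```

Because the levels are a snapshot taken at login, a change in the authz db only takes effect once the session is reloaded or expires.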