On 6/21/05, Michael Graham <suppressed> wrote:
>
>
> One of the things we've been investigating is switching to Cees's
> prototype Auth plugin - cross porting the features from both auth
> systems into each other and ending up with a single CAP::Auth plugin.
>
> Cees's Auth plugin allows for runmode level authorization as well as
> just basic authentication. You can set it up so that anyone can view
> runmode_a, but only "managers" can view runmode_x.

Coming at this from a Catalyst perspective, I like the way
Catalyst::Plugin::Authorization::CDBI (
http://search.cpan.org/~mramberg/Catalyst-Plugin-Authentication-CDBI-0.06/CDBI.pm)
does it. You have a user, role, and user_role table. The authorization looks
at the user only. When you want to do role-based auth, you call
$c->roles('required_role') which returns a boolean. I imagine it would be
pretty easy to have a standard method, say ${rm}_role(), which would return
a list of role(s) required for the given runmode. If this method doesn't
exist, the runmode is wide open. If the method is defined, the auth system
would take the role(s) required for the runmode, query your user object for
the roles it has defined, and see if the two match. If so, then the user is
allowed in. Is this clear?
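
    sub rm_foo { return "This is FOO" }

    # Roles required for rm_foo; the name must be "${rm}_roles" to be found below
    sub rm_foo_roles { return ('manager') }

    sub _caf_auth {
        my $self = shift;
        # Assumes the runmode name is also the name of its method
        my $rm          = $self->get_current_runmode;
        my $role_method = $rm . '_roles';
        my $user        = $self->get_user_object;

        # No ${rm}_roles method means the runmode is wide open
        if ($self->can($role_method)) {
            my @roles = $self->$role_method();
            # Send the request to the 'noauth' runmode when the roles don't match
            unless ($user->has_role(@roles)) {
                $self->current_runmode('noauth');
            }
        }
    }
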
--
----------------------------------------------------------------
Drew Taylor * Web development & consulting
Email: suppressed * Site implementation & hosting
Web : www.drewtaylor.com <http://www.drewtaylor.com> *
perl/mod_perl/DBI/mysql/postgres
----------------------------------------------------------------
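
Under the convention proposed in the message above, a runmode with no matching "${rm}_roles" method is wide open, so a misspelled method name silently removes the check. The following is an added example, not part of the original post or of any CAP::Auth code: a plain-Perl audit (no CGI::Application dependency) that lists unprotected runmodes and role methods that match no runmode. The package MyApp, its runmodes, and the helper audit_runmode_roles are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample application (not from the original post).
package MyApp;
sub new          { return bless {}, shift }
sub rm_foo       { return "This is FOO" }
sub rm_bar       { return "This is BAR" }
sub rm_baz       { return "This is BAZ" }
sub rm_bar_roles { return ('manager') }
sub rm_baz_role  { return ('admin') }   # typo: singular suffix, never consulted

package main;

# Hypothetical helper: report runmodes that the "${rm}_roles" convention
# leaves wide open, and role-like methods that no runmode will ever use.
sub audit_runmode_roles {
    my ($class, @runmodes) = @_;
    my %is_rm = map { $_ => 1 } @runmodes;
    my (@open, @orphaned);

    # A runmode is open when the class cannot resolve its roles method.
    for my $rm (@runmodes) {
        push @open, $rm unless $class->can("${rm}_roles");
    }

    # Walk the package symbol table for subs that look like role methods.
    no strict 'refs';
    for my $name (sort keys %{"${class}::"}) {
        next unless defined &{"${class}::$name"};
        next unless $name =~ /^(.+)_roles?$/;
        my $target = $1;
        # Orphaned: wrong suffix, or the prefix is not a known runmode.
        push @orphaned, $name
            unless $name =~ /_roles$/ && $is_rm{$target};
    }
    return (\@open, \@orphaned);
}

my ($open, $orphaned) =
    audit_runmode_roles('MyApp', qw(rm_foo rm_bar rm_baz));
print "open runmodes:    @$open\n";
print "orphaned methods: @$orphaned\n";
```

Running a check like this at application start-up, or in the test suite, turns a silent fail-open into a visible finding; runmodes that are meant to be public can be listed explicitly and excluded from the report.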