
[cgiapp] Re: user authentication / rights management


On 2006-02-16, Michael Graham <suppressed> wrote:
>
>     <Location /user-area>
>         auth_protected = 1
>         auth_groups    = user admin
>     </Location>
>
>     <Location /customer-area>
>         auth_protected = 1
>         auth_groups    = user customer admin
>     </Location>
>
>     <Location /admin-area>
>         auth_protected = 1
>         auth_groups    = admin
>     </Location>

I used to design my authorization like that, but I don't recommend it
anymore. I explain more about why in this blog post:

http://www.summersault.com/community/weblog/2006/02/04/access-in-urls-considered-harmful.html

I sent Cees a patch to the Authorization plugin which adds several
methods to help with group-based authorization. 

With those, I can easily declare:

"All the run modes accessed through this module are accessible only to
these groups". 

And then I can override those general rules with exceptions for specific
run modes.

It's easy to use, and the conversion process actually brought out a
weakness in the old scheme. With access in URLs, it was easy
psychologically to think "Oh, I'm in /user, everything accessible from
under here must be suitable for users". The reality was that because of
shared modules, sometimes too much could be exported.

I'd tricked myself into believing that the design was easier to secure
and test. The reality I found was both authorization schemes needed
careful review and testing.

    Mark
-- 
http://mark.stosberg.com/ 
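To make the two schemes concrete, here is an added example that is not code from the original post and does not use CGI::Application::Plugin::Authorization's API. It encodes the quoted location-based config as data next to a module-based policy with per-run-mode exceptions, then checks the same requests against both. The module names (MyApp::User, MyApp::Admin, MyApp::Report), run modes and paths are invented, as is the shared MyApp::Report module mounted under more than one location, which is the case the message describes where "too much could be exported".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Scheme 1: access tied to URL prefixes (the config quoted above, as data).
my %url_policy = (
    '/user-area'     => [qw(user admin)],
    '/customer-area' => [qw(user customer admin)],
    '/admin-area'    => [qw(admin)],
);

# Scheme 2: access tied to the module that owns the run modes, with
# per-run-mode exceptions. Module and run-mode names are hypothetical.
my %module_policy = (
    'MyApp::User'   => { default => [qw(user admin)] },
    'MyApp::Admin'  => { default => [qw(admin)] },
    # A shared module mounted under several locations: listing a report is
    # fine for ordinary users, but one run mode dumps everything and is
    # admin-only no matter which URL reaches it.
    'MyApp::Report' => {
        default   => [qw(user customer admin)],
        run_modes => { export_all => [qw(admin)] },
    },
);

# Which module/run mode each URL dispatches to (constructed routing table).
my %dispatch = (
    '/user-area/profile'            => ['MyApp::User',   'profile'],
    '/user-area/report/list'        => ['MyApp::Report', 'list'],
    '/user-area/report/export_all'  => ['MyApp::Report', 'export_all'],
    '/admin-area/report/export_all' => ['MyApp::Report', 'export_all'],
    '/admin-area/users'             => ['MyApp::Admin',  'users'],
);

# True if the user holds at least one of the allowed groups.
sub in_group {
    my ($user_groups, $allowed) = @_;
    my %have = map { $_ => 1 } @$user_groups;
    return scalar grep { $have{$_} } @$allowed;
}

# Scheme 1: the longest matching <Location> prefix decides.
sub url_allows {
    my ($path, $user_groups) = @_;
    my ($loc) = sort { length $b <=> length $a }
                grep { $path eq $_ || index($path, "$_/") == 0 } keys %url_policy;
    return 0 unless defined $loc;
    return in_group($user_groups, $url_policy{$loc}) ? 1 : 0;
}

# Scheme 2: the module's default groups apply unless the run mode has its
# own rule; the URL the request came in on is irrelevant.
sub module_allows {
    my ($path, $user_groups) = @_;
    my $target = $dispatch{$path} or return 0;
    my ($module, $rm) = @$target;
    my $policy = $module_policy{$module} or return 0;
    my $allowed = exists $policy->{run_modes}{$rm}
                ? $policy->{run_modes}{$rm}
                : $policy->{default};
    return in_group($user_groups, $allowed) ? 1 : 0;
}

# Check every route as a plain member of the 'user' group.
my @user = qw(user);
for my $path (sort keys %dispatch) {
    printf "%-32s url:%d module:%d\n", $path,
        url_allows($path, \@user), module_allows($path, \@user);
}
```

Run as a script, the only row where the two columns disagree is /user-area/report/export_all: the location rule lets a plain user through because the path starts with /user-area, while the module rule denies it because export_all is admin-only wherever MyApp::Report happens to be mounted. That is the shared-module case the message warns about; the module-based policy closes it without any change to the URLs, but as the message also says, both policies still need to be reviewed and tested against the real run-mode list.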


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2