On 2/18/06, Mark Stosberg <suppressed> wrote:
> On 2006-02-17, Michael Graham <suppressed> wrote:
> > Side note: it's important to note that in this discussion, we're only
> > addressing controller-oriented security. Data-oriented security (i.e.
> > which particular users have access to which particular blog posts) is
> > something else entirely (IMO).
>
> Agreed. For example, if some users pay an extra fee they have access to
> a specific feature. This might not be represented well by calling people
> with this right a group, because of the exponential and dynamic
> number of possible user-to-paid-feature mappings.
>
> For that I envision an additional check that happens within the runmode,
> but I haven't tackled it yet.
>
> However, I think Cees had in mind just this kind of thing when he
> created the Authorization system, which supports a syntax like this:

I did have that in mind, although I think it ends up making things
more difficult to grok, since I can't just talk about 'groups' in the
docs (which after all is what 95% of the users will end up using).

> # Has the user paid for this feature?
> unless ( $self->authz('paid_features')->authorize('ad_removal')) {
>     $t->param( $self->ad_tokens );
> }

That is a very nice example!

> I've posted the code for my "Auth By Group" stuff here:
> http://mark.stosberg.com/perl/AuthByGroup.pm
>
> I wrote it as its own plugin, but I think these functions are
> appropriate to include in the Authorization plugin.

I agree. What I really need is to sit down with some people and
brainstorm some of this stuff. I kind of have an idea in my head of
how it all should work, but it isn't crystal clear, and that is
holding me back (as well as the usual time constraints).

> And so we aren't working on Authen/Authz stuff in a vacuum, I'll point
> out a related release on CPAN that seems interesting.
>
> chansen, a Catalyst contributor, has published "Authen::Simple" with a
> lot of backends. At first look the design looks nice and clean.

I am planning to add direct support for these authentication modules
to the Authen plugin. So you can use them like this:

    MyCGIApp->authen->config(
        DRIVER => [ 'Authen::Simple::SMTP', { host => 'smtp.company.com' } ],
    );

The API for Authen::Simple is not that different from the Drivers in
the Authen plugin, so it will not be a difficult task to integrate
the two.

Cheers,
Cees
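
An added example (not part of the original message, and not the Authorization plugin's own code) of the two checks discussed in this thread: a group check that gates the runmode, and a separately named 'paid_features' check made inside it. The NamedAuthz package, the sample users and the expiry timestamps are hypothetical and constructed for illustration.

```perl
use strict;
use warnings;

package NamedAuthz;    # hypothetical stand-in, not the plugin's code
my %CHECKS;            # authorizer name => callback($username, @params)

sub configure { my ($class, $name, $cb) = @_; $CHECKS{$name} = $cb; return }

# Returns an object bound to one named authorizer and the current user.
sub get {
    my ($class, $name, $username) = @_;
    my $cb = $CHECKS{$name}
        or die "authorizer '$name' is not configured\n";    # never default to allow
    return bless { cb => $cb, user => $username }, $class;
}

# True only if a user is logged in and the callback accepts one of @params.
sub authorize {
    my ($self, @params) = @_;
    return 0 unless defined $self->{user} && @params;
    return $self->{cb}->( $self->{user}, @params ) ? 1 : 0;
}

package main;

# Constructed sample data: static groups, and per-user paid features with an
# expiry time (the expiry is an assumption, standing in for a "dynamic" mapping).
my %GROUPS = ( alice => ['editors'], bob => ['editors'] );
my %PAID   = ( alice => { ad_removal => time() + 86400 }, bob => { ad_removal => time() - 1 } );

NamedAuthz->configure( groups => sub {
    my ($user, @want) = @_;
    my %in = map { $_ => 1 } @{ $GROUPS{$user} || [] };
    return scalar grep { $in{$_} } @want;
} );
NamedAuthz->configure( paid_features => sub {
    my ($user, @want) = @_;
    my $paid = $PAID{$user} || {};
    return scalar grep { ( $paid->{$_} // 0 ) > time() } @want;
} );

# Runmode sketch: the group check gates the runmode, the feature check runs inside it.
sub view_post {
    my ($user) = @_;
    return 'forbidden' unless NamedAuthz->get( groups => $user )->authorize('editors');
    my $ads = NamedAuthz->get( paid_features => $user )->authorize('ad_removal') ? 'no ads' : 'ads';
    return "post shown, $ads";
}
print "$_: ", view_post($_), "\n" for qw(alice bob mallory);
```

Keeping the two authorizers under separate names means a lapsed or missing feature entitlement only changes what the runmode renders, while a missing group membership blocks the runmode entirely.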