view release on metacpan or  search on metacpan

lib/App/Dochazka/REST/ACL.pm  view on Meta::CPAN

=head1 DESCRIPTION

This module provides helper code for ACL checks.

=cut




=head1 EXPORTS

=cut

use Exporter qw( import );
our @EXPORT_OK = qw( 
    check_acl 
    check_acl_context 
    acl_check_is_me 
    acl_check_is_my_report
    acl_check_iid_lid
);



=head1 PACKAGE VARIABLES

The 'check_acl' routine uses a hash to look up which privlevels 
satisfy a given ACL profile.

=cut

my %acl_lookup = (
    'admin' => { 'passerby' => '', 'inactive' => '', 'active' => '', 'admin' => '' },
    'active' => { 'passerby' => '', 'inactive' => '', 'active' => '' },
    'inactive' => { 'passerby' => '', 'inactive' => '' },
    'passerby' => { 'passerby' => '', },
);




=head1 FUNCTIONS

=head2 check_acl

Takes a PARAMHASH with two properties: C<profile> and C<privlevel>. Their
values are assumed to be the ACL profile of a resource and the privlevel of an
employee, respectively. The function returns a true or false value indicating
whether that employee satisfies the given ACL profile.

In addition to the usual privlevels, the C<profile> property can be
'forbidden', in which case the function returns false for all possible values
of C<privlevel>.

=cut

sub check_acl {
    my ( %ARGS ) = validate( @_, {
        profile => { type => SCALAR, regex => qr/^(passerby)|(inactive)|(active)|(admin)|(forbidden)$/ }, 
        privlevel => { type => SCALAR, regex => qr/^(passerby)|(inactive)|(active)|(admin)$/ }, 
    } );
    return exists( $acl_lookup{$ARGS{privlevel}}->{$ARGS{profile}} )
        ? 1
        : 0;
}


=head2 check_acl_context

Check ACL and compare with eid in request body. This routine is designed
for resources that have an ACL profile of 'active'. If the request body
contains an 'eid' property, it is checked against the current user's EID.  If
they are different and the current user's priv is 'active',
DOCHAZKA_FORBIDDEN_403 is returned; otherwise, an OK status is returned to
signify that the check passed.

If the request body does not contain an 'eid' property, it is added.

=cut

sub check_acl_context {
    my $context = shift;
    my $current_eid = $context->{'current'}->{'eid'};
    my $current_priv = $context->{'current_priv'};
    if ( $current_priv eq 'passerby' or $current_priv eq 'inactive' ) {
        return $CELL->status_err( 'DOCHAZKA_FORBIDDEN_403' );
    }
    if ( $context->{'request_entity'}->{'eid'} ) {
        my $desired_eid = $context->{'request_entity'}->{'eid'};
        if ( $desired_eid != $current_eid ) {
            return $CELL->status_err( 'DOCHAZKA_FORBIDDEN_403' ) if $current_priv eq 'active';
        }
    } else {
        $context->{'request_entity'}->{'eid'} = $current_eid;
    }
    return $CELL->status_ok('DOCHAZKA_ACL_CHECK');
}


=head2 acl_check_is_me

Takes a property and a value. The property can be 'eid', 'nick', or 'sec_id'.
This routine checks the eid/nick/sec_id against C<< $self->context->{'current_obj'} >>
(the current employee object) and returns a boolean value answering the
question "is this me?"

=cut

sub acl_check_is_me {
    my $self = shift;
    my %pl = @_;
    $log->debug( "Entering " . __PACKAGE__ . "::acl_check_is_me with " . Dumper( \%pl ) );

    my $ce = $self->context->{'current_obj'};
    my $priv = $self->context->{'current_priv'};

    return 1 if $priv eq 'admin';