Apache-SiteControl


README

Comments on Rules

How would you make a system that allows everything unless something is
specifically denied?
   Have a GrantAll rule that always grants permission.
   Add rules that never grant, but deny in specific cases.

How would you make a system that denies everything except things that have been
checked out?
   Write rules that grant in your specific cases. The default is to deny
   permission if no rule has anything to say about the request.

A rule can take several approaches:

Relative rule: it grants but never denies, or it denies but never grants.

Absolute rule: if it grants, then it does not deny; if it does not grant, then
it denies.

Read the manual pages for more information.

lib/Apache/SiteControl.pm


=head1 DESCRIPTION

Apache::SiteControl is a set of perl object-oriented classes that
implement a fine-grained security control system for a web-based application.
The intent is to provide a clear, easy-to-integrate system that does not
require the policies to be written into your application components. It
attempts to separate the concerns of how to show and manipulate data from the
concerns of who is allowed to view and manipulate data and why.

For example, say your web application is written in HTML::Mason. Your
individual "screens" are composed of Mason modules, and you would like to keep
those as clean as possible, but decisions have to be made about what to allow
as the component is processed. SiteControl attempts to make that as easy as
possible.

=head2 DEVELOPER'S VIEWPOINT - EXAMPLE

In this document we use HTML::Mason to create examples of how to use the
control mechanisms, but any mod_perl based system should be supportable.

lib/Apache/SiteControl.pm

Most rules will either specifically grant permission or deny it; most will not
deal with both possibilities. In this example we assume that the user is
implemented as an object whose attributes can be retrieved with a
getAttribute method (which you would, of course, have to implement as well).
The basic action that this rule handles is called "beat up", so the site
makes calls like:
 
   if($referee->can($userA, "beat up", $userB)) { ... }

In plain English, the rule reads: "If A is taller than B, then A can beat up
B. If A is less skilled than B, then A cannot beat up B." The rule looks like
this:

   package samples::FightRules;

   use strict;
   use warnings;
   use Carp;
   use Apache::SiteControl::Rule;

   use base qw(Apache::SiteControl::Rule);
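The "beat up" rule described above, combined with the README's GrantAll pattern, worked through as an added example that is not the module's own code. It stands in a small deny-overrides, default-deny evaluator for Apache::SiteControl's PermissionManager (whose exact evaluation order is assumed here, not taken from the page) and supplies a constructed Person class with the getAttribute method the text assumes.

```perl
use strict; use warnings;
# Constructed stand-in for the user/resource objects the text assumes;
# the only method the rule needs is getAttribute().
package Person;
sub new { my ($class, %attrs) = @_; return bless {%attrs}, $class; }
sub getAttribute { my ($self, $name) = @_; return $self->{$name}; }
# The "beat up" rule from the text: taller grants, less skilled denies,
# and on any other request the rule stays silent (a relative rule).
package FightRule;
sub new { return bless {}, shift; }
sub grants {
   my ($self, $user, $action, $resource) = @_;
   return 0 unless $action eq "beat up";
   return $user->getAttribute("height") > $resource->getAttribute("height") ? 1 : 0;
}
sub denies {
   my ($self, $user, $action, $resource) = @_;
   return 0 unless $action eq "beat up";
   return $user->getAttribute("skill") < $resource->getAttribute("skill") ? 1 : 0;
}
# The README's GrantAll: always grants, so deny-only rules carve out exceptions.
package GrantAll;
sub new { return bless {}, shift; }
sub grants { return 1; }
sub denies { return 0; }
# Simplified evaluator (assumed semantics, not the module's PermissionManager):
# any deny wins, otherwise any grant permits, and if every rule is silent the answer is no.
package Manager;
sub new { return bless { rules => [] }, shift; }
sub addRule { my ($self, $rule) = @_; push @{ $self->{rules} }, $rule; return $self; }
sub can {
   my ($self, $user, $action, $resource) = @_;
   return 0 if grep { $_->denies($user, $action, $resource) } @{ $self->{rules} };
   return 1 if grep { $_->grants($user, $action, $resource) } @{ $self->{rules} };
   return 0;   # the safe route: nobody said yes
}
package main;
my $novice = Person->new(height => 190, skill => 1);   # tall but unskilled
my $expert = Person->new(height => 160, skill => 9);   # short but skilled
my $giant  = Person->new(height => 200, skill => 9);   # taller and as skilled
my $strict = Manager->new->addRule(FightRule->new);
my $open   = Manager->new->addRule(GrantAll->new)->addRule(FightRule->new);
for my $case (["giant",  $giant,  "beat up"],    # taller grants, nothing denies
              ["novice", $novice, "beat up"],    # taller grants, but less skilled denies, and a deny wins
              ["novice", $novice, "wave at"]) {  # no rule covers it: strict refuses, open allows via GrantAll
   my ($who, $user, $action) = @$case;
   printf "%s %s expert: strict=%d open=%d\n", $who, $action,
      $strict->can($user, $action, $expert), $open->can($user, $action, $expert);
}
```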

lib/Apache/SiteControl/PermissionManager.pm

   if($manager->can($user, "view salary", $payrollRecord))
   {
      # show salary fields
   } else {
      # hide salary fields
   }

=item B<5.> Create rules that spell out the behavior you want and add them to
your application's permission manager. The basic idea is that a rule can grant
permission or deny it. If it neither grants nor denies, then the manager will
take the safe route and say that the action cannot be taken. Part of the code
for the rule protecting salaries might look like:

   package SalaryViewRule;

   use Apache::SiteControl::Rule;
   use Apache::SiteControl::User;

   use base qw(Apache::SiteControl::Rule);

   sub grants


