[Maypole] Re: role based authentication

From: Matt Adams (matt.adams at morcor.com)
Date: Wed Jan 12 2005 - 16:42:35 GMT


Hi:

Just to give you a heads up, Marcello, I've managed to do role based
authentication in a slightly different manner.

I've been working on a web application that includes the Maypole framework and a
whack of extensions. One of these framework extensions I've built revolves
around XML-based rule files that dictate how the Maypole framework is to
function at any given moment. I choose to use XML to store this information
because a) the relationships expressed in the XML file would add some twenty or
so new tables to our already large database, b) I need clients to be able to
alter the rules governing the web application and we don't want clients mucking
about in the database and c) they're great for rapid prototyping -- DB stuff
takes too much effort to maintain and so on.

Here's how it works:

i) A modified version of Maypole::Plugin::Authenticate::Abstract determines the
user's "role" upon login (based on information in the database).

ii) A `screen rule' translates the usual /table/method URLs to more human
readable ones (such as /accounts/list, /accounts/add, /versions/list_awaiting
and so on).

iii) The global authenticate() method "looks" into a rule file that appears
something like this:

<authorization>
        <role name="SOME_ROLE">
                <collection name="default">
                        <action name="home" />
                </collection>
        </role>
        <role name="OTHER_ROLE">
                <collection name="default">
                        <action name="home" />
                </collection>
                <collection name="account">
                        <action name="preferences" />
                        <action name="do_edit" />
                </collection>
        </role>
</authorization>

and determines, based on the role, whether or not the user has access to the
collection/action (which is roughly equivalent to the model_class/class_method
naming convention used by Maypole).

Naturally this approach only works if you have a small number of roles (say
less than 30 or so).

Dave Howorth's plugin Maypole::Plugin::Authorization also has some good concepts
in it too (if you want to go the route of storing your authorization information
in a database).

Cheers,

Matt

-- 
Matt Adams <matt.adams at morcor.com>
Development Specialist
Morcor Solutions Inc. <http://www.morcor.com/>
(613) 354-2912 x228

GnuPG public key at <http://staff.morcor.com/~madams/> Key fingerprint: BED5 B4F7 CCF5 D7B5 7C56 0505 9A0A A0FB C937 5975
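
As an added example (not code from Matt's message, and not Maypole's own Perl), here is a Python rendering of the lookup step iii describes: the rule file quoted above is parsed into a role -> collection -> action map, and the authenticate() question is answered deny-by-default, so an unknown role, collection or action, or a rule element with no name attribute, is refused rather than treated as a wildcard.

```python
"""Deny-by-default check against a Maypole-style XML authorization rule file."""
import xml.etree.ElementTree as ET

# Constructed sample: the rule file from the mailing-list post above.
RULES_XML = """\
<authorization>
  <role name="SOME_ROLE">
    <collection name="default">
      <action name="home" />
    </collection>
  </role>
  <role name="OTHER_ROLE">
    <collection name="default">
      <action name="home" />
    </collection>
    <collection name="account">
      <action name="preferences" />
      <action name="do_edit" />
    </collection>
  </role>
</authorization>
"""


def load_rules(xml_text):
    """Parse <authorization> into {role: {collection: {action, ...}}}.

    Elements missing a name attribute are skipped, so a malformed rule can
    only withhold access, never grant it.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "authorization":
        raise ValueError("root element must be <authorization>")
    rules = {}
    for role in root.findall("role"):
        if not role.get("name"):
            continue
        collections = rules.setdefault(role.get("name"), {})
        for coll in role.findall("collection"):
            if not coll.get("name"):
                continue
            actions = collections.setdefault(coll.get("name"), set())
            actions.update(a.get("name") for a in coll.findall("action") if a.get("name"))
    return rules


def is_authorized(rules, role, collection, action):
    """True only when the rule file explicitly lists collection/action for role."""
    return action in rules.get(role, {}).get(collection, set())


RULES = load_rules(RULES_XML)
```

The global authenticate() hook would call is_authorized(RULES, user_role, collection, action) after the screen rule has mapped the request URL back to its collection and action.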

_______________________________________________ maypole mailing list maypole at lists.netthink.co.uk http://lists.netthink.co.uk/listinfo/maypole



This archive was generated by hypermail 2.1.3 : Thu Feb 24 2005 - 22:25:57 GMT