Re: [Maypole] Re: role based authentication

From: Dave Howorth (Dave.Howorth at acm.org)
Date: Wed Jan 12 2005 - 21:38:47 GMT


Matt Adams wrote:
> i) A modified version of Maypole::Plugin::Authenticate::Abstract
> determines the user's "role" upon login (based on information in the
> database).

A user can have several roles. Suppose the database contains sensitive
data - corporate budgets would be a good example. Then users who have
role admin shouldn't be able to look at the financial tables, whilst
users who have role manager shouldn't be able to look at the user table.
But the tech support manager may be entitled to do both and his
permissions need to be checked against both roles. (OK, in more serious
situations, audit rules would prevent any user having both an admin and
a line role at the same time ... )

> Dave Howorth's plugin Maypole::Plugin::Authorization also has some good
> concepts in it too (if you want to go the route of storing your
> authorization information in a database).

I'm not wedded to the idea of using the database. It struck me as a good
idea for a first cut for a couple of reasons:
a) it doesn't introduce another storage concept and another set of
modules for me and subsequent maintainers to learn;
b) Maypole provides an instant GUI for admin for free, as do the MySQL
GUI tools;

My main worry is whether there'll be performance issues, but I'll deal
with those when they crop up. I could see some benefits to using another
repository, perhaps LDAP, or benefits of simplicity from using simple
files if you're prepared to use vi/emacs/whatever as the admin
interface. I don't think I'd personally use XML because of the
performance and memory footprint penalty versus something like YAML, but
it's cool if it fits with other aspects of your project.

Cheers, Dave

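The multi-role check and the audit rule described in the message above, as an added example that is not part of the original post and is not code from Maypole::Plugin::Authorization. The role, table, action and user names, and the in-memory hashes standing in for the database tables, are assumptions.

```perl
use strict;
use warnings;

# Constructed sample data (hypothetical names); in the thread's design
# these mappings would be rows in database tables.
my %role_perms = (
    admin   => { user   => { list => 1, view => 1, edit => 1 } },
    manager => { budget => { list => 1, view => 1 } },
);
my %user_roles = (
    alice => ['admin'],
    bob   => ['manager'],
    carol => ['admin', 'manager'],    # the tech support manager
    erin  => [],                      # authenticated, but holds no role
);
# Audit rule: pairs of roles that one user should not hold together.
my @exclusive = ( ['admin', 'manager'] );

# Default deny: allow only if at least one of the user's roles grants
# the action on the table. Unknown users, roles and tables all deny.
sub is_authorized {
    my ($user, $table, $action) = @_;
    for my $role (@{ $user_roles{$user} || [] }) {
        my $perms = $role_perms{$role} or next;
        return 1 if $perms->{$table} && $perms->{$table}{$action};
    }
    return 0;
}

# Returns the exclusive role pairs that the user currently holds.
sub sod_violations {
    my ($user) = @_;
    my %has = map { $_ => 1 } @{ $user_roles{$user} || [] };
    return grep { $has{ $_->[0] } && $has{ $_->[1] } } @exclusive;
}

# Report every user against one request per sensitive table.
for my $user (sort keys %user_roles) {
    for my $check (['user', 'edit'], ['budget', 'view']) {
        my ($table, $action) = @$check;
        printf "%-6s %-6s %-5s %s\n", $user, $table, $action,
            is_authorized($user, $table, $action) ? 'allow' : 'deny';
    }
    printf "%-6s AUDIT: holds both %s\n", $user, join('+', @$_)
        for sod_violations($user);
}
```

Checking each role in turn and allowing on the first grant gives the union of permissions across roles, while the separate audit pass flags the combined holder without changing the access decision.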



This archive was generated by hypermail 2.1.3 : Thu Feb 24 2005 - 22:25:57 GMT