The Perl Toolchain Summit needs more sponsors. If your company depends on Perl, please support this very important event.
 / 
Scaffold-0.10
River stage zero No dependents
++
/ Scaffold::Uaf::Authorize

NAME

Scaffold::Uaf::Authorize - An abstract base class to use as a pattern for your AuthorizeFactory.

SYNOPSIS

This package is a simple abstract base class. Use it as the base for creating your instance of an Authorize object.

     package MyAuthorize;

 use strict;
 use warnings;

 use XYZRule;
 use SomeOtherRule;
 use base qw(Scaffold::Uaf::Authorize);

 sub rules {
    my $self = shift;

    $self->add_rule(XYZRule->new());
    $self->add_rule(SomeOtherRule->new());

 }

 1;

Then later in the main line code.

     my $manager = $self->scaffold->authz;

 if ($manager->xcan($user, "read", "/etc/shadow")) {
    open DATA, "</etc/shadow";
     ...
 }

DESCRIPTION

This module implements an authorization scheme. The basic idea is that you have a set of users and a set of objects that can be accessed within a system. In the code of the system itself, you want to surround sensitive operations with code that determines if the current user is allowed to do that operation.

This module attempts to make such a system possible. The module requires that you write implementations rules for your system that are subclasses of Scaffold::Uaf::Rule. The rules can be written to use any data types, which are abstractly known as "users", "actions", and "resources."

    A user is generally a Scaffold::Uaf::User object that your applications has identify as the entity operating the application.

    An action can be any data type (i.e. simply a string). It is really up to the rule to determine what is valid. But, you have the latitude to define anything as a action.

    A resource can be any data type (i.e simply a string). But, it is really up to the rule to determine what a resource is. Again, you have the latitude to define anything as a resource.

These are the steps needed to create an Authorize object:

Step 1

Decide what sections of your code will need to be protected, and decide what to do if the user doesn't have access. For example if a screen should just hide fields, then the application code needs to reflect that.

Step 2
 Create an Authorize object for your application.
Step 3

Surround sensitive sections of code with something like:

 if ($manager->can($user, "view salary", $payrollRecord)) {

     # show salary fields

 } else {

     # hide salary fields

 }
Step 4

Create rules that spell out the behavior you want and add them to your application's Authorization object. The basic idea is that a rule can grant permission, or deny it. If it neither grants or denies, then the object will take the safe route and say that the action cannot be taken. Part of the code for the rule for protecting salaries might look like:

 package SalaryViewRule;

 use Scaffold::Uaf::User;
 use base qw(Scaffold::Uaf::Rule);

 sub grants {

     $self = shift;
     $user = shift;
     $action = shift;
     $resource = shift;

     # Do not grant on requests we don't understand.

     return 0 if (!$user->isa("Scaffold::Uaf::User") ||
                  !$self->isa("Scaffold::Uaf::Rule"));

     if (($action eq "view salary") && 
         ($resource->isa("Payroll::Record"))) {

        if ($user->username() eq $resource->getEmployeeName()) {

           return "user can view their own salary";

        }

     }

     return 0;

 }

Then in your subclass of AuthorizeFactory:

 use SalaryViewRule;

   ...

 $viewRule = new SalaryViewRule;
 $manager->add_rule($viewRule);

METHODS

new()

This method intializes the object.

xcan(user, action, resource)

This is the primary method of the Authorization object. It asks if the specified user can do the specified action on the specified resource.

Example:

     $manager->xcan($user, "eat", "cake");

This would return true if the user is allowed to eat cake.

add_rule(rule)

This method will add an new rule to the object.

Example:

     $authz->add_rule(MyRule->new());
rules()

This method should be overridden and your rules applied to the object. See the above examples for usage.

SEE ALSO

 Scaffold
 Scaffold::Base
 Scaffold::Cache
 Scaffold::Cache::FastMmap
 Scaffold::Cache::Manager
 Scaffold::Cache::Memcached
 Scaffold::Class
 Scaffold::Constants
 Scaffold::Engine
 Scaffold::Handler
 Scaffold::Handler::Default
 Scaffold::Handler::Favicon
 Scaffold::Handler::Robots
 Scaffold::Handler::Static
 Scaffold::Lockmgr
 Scaffold::Lockmgr::KeyedMutex
 Scaffold::Lockmgr::UnixMutex
 Scaffold::Plugins
 Scaffold::Render
 Scaffold::Render::Default
 Scaffold::Render::TT
 Scaffold::Routes
 Scaffold::Server
 Scaffold::Session::Manager
 Scaffold::Stash
 Scaffold::Stash::Controller
 Scaffold::Stash::Cookie
 Scaffold::Stash::Manager
 Scaffold::Stash::View
 Scaffold::Uaf::Authenticate
 Scaffold::Uaf::AuthorizeFactory
 Scaffold::Uaf::Authorize
 Scaffold::Uaf::GrantAllRule
 Scaffold::Uaf::Login
 Scaffold::Uaf::Logout
 Scaffold::Uaf::Manager
 Scaffold::Uaf::Rule
 Scaffold::Uaf::User
 Scaffold::Utils

AUTHOR

Kevin L. Esteb <kevin@kesteb.us>

COPYRIGHT AND LICENSE

Copyright (C) 2009 Kevin L. Esteb

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.6 or, at your option, any later version of Perl 5 you may have available.