Scaffold::Uaf::Authorize - An abstract base class to use as a pattern for your AuthorizeFactory.
This package is a simple abstract base class. Use it as the base for creating your instance of an Authorize object.
package MyAuthorize; use strict; use warnings; use XYZRule; use SomeOtherRule; use base qw(Scaffold::Uaf::Authorize); sub rules { my $self = shift; $self->add_rule(XYZRule->new()); $self->add_rule(SomeOtherRule->new()); } 1;
Then later in the main line code.
my $manager = $self->scaffold->authz; if ($manager->xcan($user, "read", "/etc/shadow")) { open DATA, "</etc/shadow"; ... }
This module implements an authorization scheme. The basic idea is that you have a set of users and a set of objects that can be accessed within a system. In the code of the system itself, you want to surround sensitive operations with code that determines if the current user is allowed to do that operation.
This module attempts to make such a system possible. The module requires that you write implementations rules for your system that are subclasses of Scaffold::Uaf::Rule. The rules can be written to use any data types, which are abstractly known as "users", "actions", and "resources."
A user is generally a Scaffold::Uaf::User object that your applications has identify as the entity operating the application.
An action can be any data type (i.e. simply a string). It is really up to the rule to determine what is valid. But, you have the latitude to define anything as a action.
A resource can be any data type (i.e simply a string). But, it is really up to the rule to determine what a resource is. Again, you have the latitude to define anything as a resource.
These are the steps needed to create an Authorize object:
Decide what sections of your code will need to be protected, and decide what to do if the user doesn't have access. For example if a screen should just hide fields, then the application code needs to reflect that.
Create an Authorize object for your application.
Surround sensitive sections of code with something like:
if ($manager->can($user, "view salary", $payrollRecord)) { # show salary fields } else { # hide salary fields }
Create rules that spell out the behavior you want and add them to your application's Authorization object. The basic idea is that a rule can grant permission, or deny it. If it neither grants or denies, then the object will take the safe route and say that the action cannot be taken. Part of the code for the rule for protecting salaries might look like:
package SalaryViewRule; use Scaffold::Uaf::User; use base qw(Scaffold::Uaf::Rule); sub grants { $self = shift; $user = shift; $action = shift; $resource = shift; # Do not grant on requests we don't understand. return 0 if (!$user->isa("Scaffold::Uaf::User") || !$self->isa("Scaffold::Uaf::Rule")); if (($action eq "view salary") && ($resource->isa("Payroll::Record"))) { if ($user->username() eq $resource->getEmployeeName()) { return "user can view their own salary"; } } return 0; }
Then in your subclass of AuthorizeFactory:
use SalaryViewRule; ... $viewRule = new SalaryViewRule; $manager->add_rule($viewRule);
This method intializes the object.
This is the primary method of the Authorization object. It asks if the specified user can do the specified action on the specified resource.
Example:
$manager->xcan($user, "eat", "cake");
This would return true if the user is allowed to eat cake.
This method will add an new rule to the object.
$authz->add_rule(MyRule->new());
This method should be overridden and your rules applied to the object. See the above examples for usage.
Scaffold Scaffold::Base Scaffold::Cache Scaffold::Cache::FastMmap Scaffold::Cache::Manager Scaffold::Cache::Memcached Scaffold::Class Scaffold::Constants Scaffold::Engine Scaffold::Handler Scaffold::Handler::Default Scaffold::Handler::Favicon Scaffold::Handler::Robots Scaffold::Handler::Static Scaffold::Lockmgr Scaffold::Lockmgr::KeyedMutex Scaffold::Lockmgr::UnixMutex Scaffold::Plugins Scaffold::Render Scaffold::Render::Default Scaffold::Render::TT Scaffold::Routes Scaffold::Server Scaffold::Session::Manager Scaffold::Stash Scaffold::Stash::Controller Scaffold::Stash::Cookie Scaffold::Stash::Manager Scaffold::Stash::View Scaffold::Uaf::Authenticate Scaffold::Uaf::AuthorizeFactory Scaffold::Uaf::Authorize Scaffold::Uaf::GrantAllRule Scaffold::Uaf::Login Scaffold::Uaf::Logout Scaffold::Uaf::Manager Scaffold::Uaf::Rule Scaffold::Uaf::User Scaffold::Utils
Kevin L. Esteb <kevin@kesteb.us>
Copyright (C) 2009 Kevin L. Esteb
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.6 or, at your option, any later version of Perl 5 you may have available.
To install Scaffold, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Scaffold
CPAN shell
perl -MCPAN -e shell install Scaffold
For more information on module installation, please visit the detailed CPAN module installation guide.