Greetings, all. I've been working with CApp for a while, and I really like it.
I have some questions regarding best practices when implementing role-based access control (RBAC). I have been playing with CApp::Authentication and Authorization, and they both do basically what I need. Here's the skeleton I came up with - https://gist.github.com/33d23edf8fa2c0f48dc0

My question is really, what's the best way to go about separating functionality in a CApp-based application? A practical case I am looking at right now is that I have a form that is used to manage user data. There are 3 roles - User, Manager, and Admin. Each one has the types of permissions you'd expect (User can manage himself, Manager can manage his Users, Admin can do anything). I was thinking of the best way to build this form and control actions cleanly, and to compose this form using 3 different runmodes that are increasingly restrictive. For example, the User form calls the "user" runmode, and returns the form content. The "manager" runmode takes the output of "user" and adds some stuff to it. The "admin" runmode might take the result of the "manager" runmode - which would also include what the "user" runmode provides... and so on.

Ultimately, my goal is to get away from nasty frog-boiling "if" blocks controlling authorization and rely on composable functions (i.e., runmodes or modules) that will cleanly give me what I would like, using the runmode-level protection that CApp::Authorization provides you. I've searched around and banged my head against this pretty hard, so any thoughts or resources would be appreciated. For all I know, this might be a bad idea. But I am really just looking for the best way to create an access-controlled system as cleanly as possible.

Thank you,
Brett

PS: I noticed that even if POST_LOGIN_RUNMODE is protected via CApp::Authentication, the check seems to be ignored immediately after login. I am not sure if this is a known issue or whether there are some callbacks happening in the wrong order. This will happen in the gist I linked above.
CGI::Application community mailing list
To unsubscribe, or change your message delivery options, visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
Web archive: http://www.erlbaum.net/pipermail/cgiapp/
Wiki: http://cgiapp.erlbaum.net/
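The composable-runmode design described in the post, sketched as an added example (not code from the post, the linked gist, or the CGI::Application plugins). It is written in Python rather than Perl so the pattern is visible without the plugin API: a role ordering, a per-runmode guard that checks both the minimum role and the actor's scope over the target (User manages himself, Manager his own users, Admin anyone), and three form runmodes where each builds on the one below it. Every name here (USERS, can_manage, runmode, dispatch, form_for) and the user table are constructed for the illustration. The point it makes beyond the post: because the guard lives on every runmode, the "manager" form calling the "user" form re-enters the guard instead of bypassing it, and the scope check is one function rather than an "if" block per action.

```python
"""Composable, role-gated runmodes for a user-management form (illustrative)."""
from functools import wraps

# Role order: each role implies every right of the roles before it.
ROLE_RANK = {"user": 0, "manager": 1, "admin": 2}

# Constructed sample user table (not from the original post).
USERS = {
    "alice": {"role": "admin",   "manager": None},
    "bob":   {"role": "manager", "manager": "alice"},
    "carol": {"role": "user",    "manager": "bob"},
    "dave":  {"role": "user",    "manager": "bob"},
    "erin":  {"role": "user",    "manager": None},   # not on bob's team
}


class Forbidden(Exception):
    """Raised when an actor may not run a runmode against a target."""


def can_manage(actor, target):
    """Scope rule: a user manages himself, a manager his own users, an admin anyone."""
    role = USERS[actor]["role"]
    if role == "admin":
        return True
    if role == "manager":
        return actor == target or USERS[target]["manager"] == actor
    return actor == target


RUNMODES = {}


def runmode(min_role):
    """Register a runmode that runs only for actors at or above min_role
    and only against targets the actor is allowed to manage."""
    def deco(fn):
        @wraps(fn)
        def guarded(actor, target):
            if ROLE_RANK[USERS[actor]["role"]] < ROLE_RANK[min_role]:
                raise Forbidden(f"{actor} lacks role {min_role} for {fn.__name__}")
            if not can_manage(actor, target):
                raise Forbidden(f"{actor} may not manage {target}")
            return fn(actor, target)
        RUNMODES[fn.__name__] = guarded
        return guarded
    return deco


@runmode("user")
def user_form(actor, target):
    """Fields and actions a user gets for his own record."""
    return {"fields": ["name", "email", "password"], "actions": ["save"]}


@runmode("manager")
def manager_form(actor, target):
    """Everything in user_form plus manager-only fields. The inner call goes
    through the guard again, so composition never skips the check."""
    form = user_form(actor, target)
    form["fields"] += ["team", "title"]
    form["actions"] += ["reset_password"]
    return form


@runmode("admin")
def admin_form(actor, target):
    """Everything in manager_form plus admin-only fields."""
    form = manager_form(actor, target)
    form["fields"] += ["role", "manager"]
    form["actions"] += ["disable", "delete"]
    return form


def dispatch(rm, actor, target):
    """Like a CApp dispatcher: pick the runmode by name; the guard does the rest."""
    return RUNMODES[rm](actor, target)


def allowed(rm, actor, target):
    """True if the actor may run rm against target (used for checks below)."""
    try:
        dispatch(rm, actor, target)
        return True
    except Forbidden:
        return False


def form_for(actor, target):
    """Select the most privileged form the actor is entitled to for this target."""
    for rm in ("admin_form", "manager_form", "user_form"):
        try:
            return rm, dispatch(rm, actor, target)
        except Forbidden:
            continue
    raise Forbidden(f"{actor} may not manage {target}")


if __name__ == "__main__":
    print(form_for("bob", "carol"))      # manager_form with 5 fields
    print(allowed("manager_form", "carol", "carol"))  # False: role too low
    print(allowed("manager_form", "bob", "erin"))     # False: not bob's user
```

The selection in form_for walks from most to least privileged and falls through on Forbidden, which is what replaces the nested "if" blocks: adding a fourth role means adding one runmode and one entry in ROLE_RANK, not touching the others.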