I've subclassed Apache::AuthTicket with a 'Require group xxxx' authorization handler, since neither AuthTicket nor AuthCookie included it (though AuthCookie does have the hooks for it which I took advantage of).
 
I also added a 'Require not yyyy xxxx' handler.  I wanted to be able to exclude one or two authenticated users (like guest) from certain areas while still being able to 'Require valid-user'.  Much easier than having to remember to add every authenticated user to a group when I only want to exclude one or two users.  If AuthCookie ever changes from requiring all checks to pass to just a single check, this will break. (See Apache::AuthCookie authorize() section for comments on ALL vs. ANY.)
 
Example:
Require not group xxxx
Require not user xxxx
 
Also, I had to implement my own 'user' authorization method since Apache::AuthCookie embeds it directly into the main authorization method.  My method only gets called by the 'not' method when applicable.  I could have just put the code directly in the not method, but then anyone subclassing my module would have the same problem...
 
Feel free to do whatever you want with the code... Comment/criticism welcome - especially on the init method.  I'll post to CPAN if anyone thinks it's worth it.  I'd gladly accept integrating this directly into AuthTicket if the maintainer wishes (Michael Schout?).  I'm not crazy about the name, but it has to be called something - suggestions welcome.
 
Thanks,
 
Jim
 
---snip---
package Apache::AuthTicketPlus;

use strict;

use vars qw($VERSION @ISA %DEFAULTS);

use Apache::Constants qw(FORBIDDEN OK);
use Apache::AuthTicket qw();

@ISA = qw(Apache::AuthTicket);

$VERSION = '0.01';

# Where group membership lives: "table:group_column:user_column".
# Overridable per location through the TicketGroupTable config item.
$DEFAULTS{TicketGroupTable} = 'groups:grpname:usrname';


sub init {
    my ($self, $r) = @_;
    $self->SUPER::init($r);

    # Load our own config items on top of what AuthTicket already set up.
    for (keys %DEFAULTS) {
        $self->{$_} = $self->_get_config_item($r, $_);
    }
}


# 'Require not <requirement> <args>': run the nested requirement and
# invert its result.  The nested name comes from httpd.conf and is
# dispatched as a method call, so a misspelled requirement dies (server
# error) rather than quietly granting access.
sub not {
    my ($self, $r, $args) = @_;
    $self = $self->new($r) unless ref $self;

    my ($requirement, $sub_args) = split(/\s+/, $args, 2);

    my $rv = $self->$requirement($r, $sub_args);

    return ($rv == OK) ? FORBIDDEN : OK;
}


# 'Require user <name>': AuthCookie handles 'user' inline in authorize()
# rather than as a method, so 'not' needs this to have something to call.
sub user {
    my ($self, $r, $args) = @_;
    $self = $self->new($r) unless ref $self;

    my $user     = $r->connection->user;
    my $req_user = (split /\s+/, $args)[0];

    return ($user eq $req_user) ? OK : FORBIDDEN;
}


# 'Require group <name>': look the (group, user) pair up in the table
# named by TicketGroupTable.  Table and column names come from that
# config item and are interpolated into the SQL; the group and user
# values are passed as bind parameters.
sub group {
    my ($self, $r, $args) = @_;
    $self = $self->new($r) unless ref $self;

    my $group = (split /\s+/, $args)[0];
    my $user  = $r->connection->user;

    my $dbh = $self->dbh;
    my ($_table, $_group, $_user) = split(/:/, $self->{TicketGroupTable});
    my $query = qq{
        SELECT COUNT(*) FROM $_table
        WHERE $_group = ? AND $_user = ?
    };

    my $rows = 0;

    eval {
        my $sth = $dbh->prepare($query);
        $sth->execute($group, $user);
        $sth->bind_columns(\$rows);
        $sth->fetch;
    };
    if ($@) {
        $dbh->rollback;
        die $@;
    }

    return $rows ? OK : FORBIDDEN;
}

1;
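The ALL-versus-ANY caveat in the post is easy to check offline. The following is an added example, not code from the original post or from Apache::AuthTicketPlus: a plain Python model of how a stack of Require lines is decided, with the same four requirement types (valid-user, user, group, not) mirrored as functions. The group table is a constructed set of (group, user) pairs standing in for the 'groups:grpname:usrname' table, and the user names are made up; nothing here talks to Apache or a database.

```python
"""Model of stacked 'Require' evaluation under ALL vs ANY semantics."""

OK, FORBIDDEN = "OK", "FORBIDDEN"

# Constructed sample data standing in for the (grpname, usrname) rows
# that the module's group() method counts with SELECT COUNT(*).
GROUP_TABLE = {
    ("admins", "alice"),
    ("staff", "alice"),
    ("staff", "bob"),
}


def valid_user(user, args):
    # 'Require valid-user': any authenticated (non-empty) user passes.
    return OK if user else FORBIDDEN


def user_req(user, args):
    # Mirrors sub user: compare against the first word of the argument.
    req_user = args.split()[0]
    return OK if user == req_user else FORBIDDEN


def group_req(user, args):
    # Mirrors sub group: is there a (group, user) row for this pair?
    group = args.split()[0]
    return OK if (group, user) in GROUP_TABLE else FORBIDDEN


HANDLERS = {"valid-user": valid_user, "user": user_req, "group": group_req}


def not_req(user, args):
    # Mirrors sub not: dispatch the nested requirement and invert it.
    # An unknown nested name raises, just as a missing method would die.
    requirement, _, sub_args = args.partition(" ")
    return FORBIDDEN if HANDLERS[requirement](user, sub_args) == OK else OK


HANDLERS["not"] = not_req


def evaluate(require_lines, user, mode="ALL"):
    """Decide access for `user` given the text after each 'Require'.

    mode="ALL": every line must return OK (what AuthCookie does today).
    mode="ANY": a single OK line is enough (the case the post warns about).
    """
    results = []
    for line in require_lines:
        directive, _, args = line.partition(" ")
        results.append(HANDLERS[directive](user, args) == OK)
    if mode == "ALL":
        return OK if all(results) else FORBIDDEN
    if mode == "ANY":
        return OK if any(results) else FORBIDDEN
    raise ValueError("mode must be ALL or ANY")


# The configuration from the post: every authenticated user except guest.
EXCLUDE_GUEST = ["valid-user", "not user guest"]


def compare_semantics(require_lines, user):
    """Return {"ALL": decision, "ANY": decision} for one user."""
    return {mode: evaluate(require_lines, user, mode) for mode in ("ALL", "ANY")}


if __name__ == "__main__":
    for who in ("alice", "guest"):
        print(who, compare_semantics(EXCLUDE_GUEST, who))
```

Under ALL, guest is refused because the 'not user guest' line fails; under ANY, the 'valid-user' line alone admits guest and the exclusion is silently lost, which is exactly why a negated requirement only works when every Require line has to pass. Under ANY semantics the same policy has to be stated positively (a group that guest is not a member of).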
