Hello everyone,
First, some background. I'm currently planning out my own authorization module (mod_resource_authz), which allows a webmaster to deny or grant access to a resource based on the method used. It simply acts as a provider to other modules which implement the reading of a resource's metadata to determine if the user is allowed access to the resource.

The module creates a table consisting of allowed methods, which are merged together from a list of allowed methods by user type. For example:

World Permissions: GET
Group Permissions: GET PUT
Owner Permissions: GET PUT POST DELETE

If the username is the same as the resource's owner name, then the Owner permissions are merged with the World permissions to create a table of allowed permissions. Authorization is granted if the request method is an entry in the allowed methods table.

As I say, the module will act as a provider, delegating the collection of resource metadata (via directives in htaccess files, .meta files or DBD). All seems fine so far on paper, and nothing too complicated.

My problem comes from attempting to determine if the user is a member of a specific group. I've been looking around, and it doesn't appear that the user group membership lookups have been separated out from their individual modules. For example, mod_authz_groupfile doesn't provide an interface my module can use to look up if a user is a member of a group. Neither does mod_authz_dbm, etc. All these modules do is provide authorization if a user is simply a member of a group.

Does anyone have any suggestions, or am I best implementing a separate provider hook in my module that delegates group membership lookups to other modules (e.g. mod_resource_authz_grplkup_file, mod_resource_authz_grplkup_dbm, mod_resource_authz_grplkup_dbd)? A simple interface would suffice, e.g. provide the username, returns an array of groups the user is a member of.

Has anyone else come across a similar situation, and if so, do you have any suggestions?
Does anyone else have any suggestions or improvements on the approach I am taking to this problem?

Thanks for your time.

Cheers,
Ben Davies
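
The permission merge and delegated group lookup described in the post, as an added example that is not part of the original message and is not httpd or mod_resource_authz code. All names (`ra_meta`, `ra_group_lookup`, `ra_allowed`, the `RA_*` bits) are hypothetical. It assumes Group permissions are merged in when the lookup reports membership (the post spells out only the Owner rule), and it simplifies the lookup interface to a yes/no/error answer for one group, so a backend failure grants nothing.

```c
#include <stdio.h>
#include <string.h>

/* Method bits, constructed for this sketch (not httpd's M_* numbering). */
enum { RA_GET = 1, RA_PUT = 2, RA_POST = 4, RA_DELETE = 8 };

typedef struct {
    const char *owner, *group;               /* from resource metadata */
    unsigned world_ok, group_ok, owner_ok;   /* allowed-method bitmasks */
} ra_meta;

/* Hypothetical lookup provider: 1 = member, 0 = not a member, -1 = backend error. */
typedef int (*ra_group_lookup)(const char *user, const char *group);

/* Stand-in for a group-file backend, with constructed membership rows. */
static int file_lookup(const char *user, const char *group) {
    static const char *rows[][2] = { {"alice", "editors"}, {"bob", "editors"} };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        if (!strcmp(rows[i][0], user) && !strcmp(rows[i][1], group)) return 1;
    return 0;
}

/* Stand-in for a backend that is unreachable. */
static int broken_lookup(const char *user, const char *group) {
    (void)user; (void)group; return -1;
}

/* Merge world, group and owner permissions into one allowed-method mask. */
unsigned ra_allowed(const ra_meta *m, const char *user, ra_group_lookup lookup) {
    unsigned allowed = m->world_ok;
    if (!user) return allowed;                        /* unauthenticated: world only */
    if (m->group && lookup && lookup(user, m->group) == 1)
        allowed |= m->group_ok;                       /* 0 and -1 both add nothing */
    if (m->owner && !strcmp(user, m->owner))
        allowed |= m->owner_ok;
    return allowed;
}

/* Constructed sample resource using the permission sets from the post. */
static const ra_meta sample = { "carol", "editors", RA_GET, RA_GET | RA_PUT,
                                RA_GET | RA_PUT | RA_POST | RA_DELETE };

int main(void) {
    const char *users[] = { "carol", "alice", "dave" };
    for (int i = 0; i < 3; i++)
        printf("%s: mask %u\n", users[i], ra_allowed(&sample, users[i], file_lookup));
    printf("alice, backend down: mask %u\n", ra_allowed(&sample, "alice", broken_lookup));
    return 0;
}
```

A request is authorized when `ra_allowed(...) & method` is non-zero for the request's method bit.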