This queue is for tickets about the CGI-Application-Plugin-Authorization CPAN distribution.

Report information
The Basics
Id: 17478
Status: resolved
Priority: 0/
Queue: CGI-Application-Plugin-Authorization

People
Owner: Nobody in particular
Requestors: mark [...] summersault.com
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: 0.02



Subject: PATCH: improved docs
Attached is a mostly doc patch I submitted in November. I'm posting it here for easier reference by Cees and to make it visible to others until it becomes merged.
Mark
Subject: authorization.patch
Tue Nov 15 10:28:54 EST 2005 Mark Stosberg <mark@summersault.com> * fix delegate class Mon Nov 14 17:23:50 EST 2005 Mark Stosberg <mark@summersault.com> * de-mystify somethings by removing prerun_callback and explaining about authz_forbidden being added diff -rN -u old-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization/Driver/DBI.pm new-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization/Driver/DBI.pm --- old-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization/Driver/DBI.pm 2006-02-04 08:17:12.000000000 -0500 +++ new-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization/Driver/DBI.pm 2006-02-04 08:17:13.000000000 -0500 @@ -18,7 +18,6 @@ # Simple task based authentication __PACKAGE__->authz->config( DRIVER => [ 'DBI', - DBH => $self->dbh, TABLES => ['account', 'task'], JOIN_ON => 'account.id = task.accountid', USERNAME => 'account.name', @@ -39,6 +38,11 @@ You can either provide an active database handle, or provide the parameters necesary to connect to the database. +=head2 DBH + +The DBI database handle to use. Defaults to C<$self->dbh()>, which is provided and configured +through L<CGI::Application::Plugin::DBH|CGI::Application::Plugin::DBH> + When describing the database structure you have two options: =over 4 @@ -151,7 +155,7 @@ # Simple task based authentication __PACKAGE__->authz->config( DRIVER => [ 'DBI', - DBH => $self->dbh, + # the handle comes from $self->dbh, via the "DBH" plugin. TABLES => ['account', 'task'], JOIN_ON => 'account.id = task.accountid', USERNAME => 'account.name', @@ -168,7 +172,6 @@ # IP address configuration __PACKAGE__->authz('byIP')->config( DRIVER => [ 'DBI', - DBH => $self->dbh, SQL => 'SELECT count(*) FROM account JOIN ip ON (account.id = ip.accountid) WHERE account.name = ? 
@@ -184,7 +187,6 @@ # IP address configuration __PACKAGE__->authz->config( DRIVER => [ 'DBI', - DBH => $self->dbh, SQL => 'SELECT count(*) FROM account JOIN ip ON (account.id = ip.accountid) @@ -223,20 +225,15 @@ # Get a database handle either one that is given to us, or connect using # the information given in the configuration + # Get a database handle either one that is given to us, or connect using the + # information given in the configuration my $dbh; if ( $options{DBH} ) { $dbh = $options{DBH}; - } - elsif ( $options{DSN} ) { - no warnings qw(uninitialized); - $dbh = DBI->connect( - $options{DSN}, $options{DB_USER}, - $options{DB_PASSWORD}, $options{DBI_OPTIONS} - ) - or die $DBI::errstr; - } - else { - die "No DBH or DSN parameter passed to the DBI Driver"; + } elsif ( $self->authen->_cgiapp->can('dbh') ) { + $dbh = $self->authen->_cgiapp->dbh; + } else { + die "No DBH or passed to the DBI Driver, and no dbh() method detected"; } # See if the user provided an SQL option diff -rN -u old-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization.pm new-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization.pm --- old-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization.pm 2006-02-04 08:17:13.000000000 -0500 +++ new-CGI-Application-Plugin-Authorization-0.02/lib/CGI/Application/Plugin/Authorization.pm 2006-02-04 08:17:13.000000000 -0500 
@@ -26,10 +26,10 @@ } elsif ( !UNIVERSAL::can( $callpkg, 'add_callback' ) ) { warn - "You are using an older version of CGI::Application that does not support callbacks, so the prerun method can not be registered automatically (Lookup the prerun_callback method in the docs for more info)"; + "You are using an older version of CGI::Application that does not support callbacks, so the prerun method can not be registered automatically (Lookup 'CGI::Application CALLBACKS' in the docs for more info)"; } else { - $callpkg->add_callback( prerun => \&prerun_callback ); + $callpkg->add_callback( prerun => \&setup_runmodes ); } } @@ -445,7 +445,7 @@ foreach my $driver_config (@$driver_configs) { my ( $drivername, @params ) = @$driver_config; # Load the the class for this driver - my $driver_class = _find_deligate_class( + my $driver_class = _find_delegate_class( 'CGI::Application::Plugin::Authorization::Driver::' . $drivername, $drivername ) 
@@ -475,44 +475,32 @@ =head2 setup_runmodes -This method is called during the prerun stage to register some custom -runmodes that the Authorization plugin requires in order to function. +This CGI::App method is called during the prerun stage to register the "authz_forbidden" method +that the Authorization plugin requires in order to function. =cut sub setup_runmodes { my $self = shift; - my $config = $self->_config; - - $self->cgiapp->run_modes( authz_forbidden => \&authz_forbidden, ); + $self->run_modes( authz_forbidden => \&authz_forbidden, ); return; } =head1 CGI::Application CALLBACKS -=head2 prerun_callback +We'll automatically add the C<authz_forbidden> run mode if you are using +CGI::Application 4.0 or greater. -This method is a CGI::Application prerun callback that will be automatically -registered for you if you are using CGI::Application 4.0 or greater. If you -are using an older version of CGI::Application you will have to create your own -cgiapp_prerun method and make sure you call this method from there. +If you are using an older version of CGI::Application you will need to add it yourself. sub cgiapp_prerun { my $self = shift; - $self->CGI::Application::Plugin::Authorization::prerun_callback(); + $self->run_modes( authz_forbidden => \&CGI::Application::Plugin::Authorization::authz_forbidden, ); } =cut -sub prerun_callback { - my $self = shift; - my $authz = $self->authz; - - # setup the default login and logout runmodes - $authz->setup_runmodes; -} - =head2 forbidden This will return a forbidden page. It checks the configuration to see if there @@ -571,7 +559,7 @@ ### Helper methods ### -sub _find_deligate_class { +sub _find_delegate_class { foreach my $class (@_) { $class->require && return $class; }
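Review bot: In the new `=head2 DBH` section of Driver/DBI.pm, `C<$self->dbh()>` will not render as intended, because the `>` of the method arrow closes the `C<...>` code early. Use the doubled-bracket form, `C<< $self->dbh() >>`.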
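Review bot: In the `@@ -223,20 +225,15 @@` hunk of Driver/DBI.pm the fallback reads `$self->authen->_cgiapp->dbh`, which makes an authorization driver depend on an `authen` accessor and on the private `_cgiapp` method; the line removed from `setup_runmodes` in this same patch reached the application through `$self->cgiapp`, and the driver should use a public accessor in the same way. The hunk also drops the `elsif ( $options{DSN} )` branch while the unchanged POD context still says you can "provide the parameters necesary to connect to the database", so either keep the DSN branch or update that paragraph and describe the change as more than a doc patch. Two smaller points: the "Get a database handle" comment now appears twice, and the new die message "No DBH or passed to the DBI Driver" has a stray "or".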
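Review bot: Removing `sub prerun_callback` in the `@@ -475,44 +475,32 @@` hunk of Authorization.pm breaks applications on older CGI::Application versions that followed the previous documentation and call `$self->CGI::Application::Plugin::Authorization::prerun_callback()` from their own `cgiapp_prerun`; after this patch that call fails on a missing method. Consider keeping a thin `prerun_callback` that registers the `authz_forbidden` run mode and marking it deprecated in the POD. Also note that `setup_runmodes` now calls `$self->run_modes(...)` directly, so it only works when invoked on the application object; the POD should say plainly that it must not be called on the `authz` object.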
From: mark [...] summersault.com
Here's a doc improvement for the generic driver. While we're getting the new URL code set up for SVN, maybe this module should be put in public SVN, too.
Sat Feb 4 08:48:33 EST 2006 Mark Stosberg <mark@summersault.com> * remove cryptic $_[0] in docs and related doc updates diff -rN -u old-mark/perllib/CGI/Application/Plugin/Authorization/Driver/Generic.pm new-mark-2/perllib/CGI/Application/Plugin/Authorization/Driver/Generic.pm --- old-mark/perllib/CGI/Application/Plugin/Authorization/Driver/Generic.pm 2006-02-04 08:49:57.000000000 -0500 +++ new-mark-2/perllib/CGI/Application/Plugin/Authorization/Driver/Generic.pm 2006-02-04 08:48:00.000000000 -0500 @@ -20,8 +20,12 @@ testuser => 'testgroup', ); + # See docs for authorize_user below for an explanation __PACKAGE__->authz->config( - DRIVER => [ 'Generic', sub { return $groupmap{$_[0]} eq $_[1] ? 1 : 0 } ], + DRIVER => [ 'Generic', sub { + my ($username,$group) = @_; + return ($groupmap{$username} eq $group); + } ], ); @@ -29,8 +33,11 @@ =head2 authorize_user -This method accepts a username followed by a list of group names and will return -true if the user belongs to at least one of the groups. +This method accepts a username followed by a list of group names and will +return true if the user belongs to at least one of the groups. + +It does this by passing calling the provided callback with the username and a +single group until a match is found. =cut
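Review bot: In the rewritten synopsis callback, `$groupmap{$username} eq $group` compares `undef` for any user missing from `%groupmap`; that emits an "uninitialized" warning under `use warnings`, and because `undef` stringifies to the empty string the comparison is true when `$group` is empty. Since this is the example people will copy for an authorization check, make it fail closed explicitly: `return exists $groupmap{$username} && $groupmap{$username} eq $group;`.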
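Review bot: The sentence added under `=head2 authorize_user` reads "It does this by passing calling the provided callback"; drop "passing" so it reads "by calling the provided callback with the username and a single group until a match is found".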
From: mark [...] summersault.com
Here's another doc typo micro patch. I'll hope the wrapping doesn't kill it. --- old-mark/perllib/CGI/Application/Plugin/Authorization.pm 2006-02-04 09:07:08.000000000 -0500 +++ new-mark-2/perllib/CGI/Application/Plugin/Authorization.pm 2006-02-04 09:06:40.000000000 -0500 @@ -226,7 +226,7 @@ you use the Authentication plugin, or if your authentication system sets $ENV{REMOTE_USER}. - GET_USERNAME => sub { my $authz = shift; return $self->cgiapp->my_username } + GET_USERNAME => sub { my $authz = shift; return $authz->cgiapp->my_username }
Subject: PATCH: improved docs (currently logged)
From: mark [...] summersault.com
And here's another doc patch, about "username"
Sat Feb 4 09:43:42 EST 2006 Mark Stosberg <mark@summersault.com> * more doc improvements: mostly clarifying how "currently logged in user" is calculated diff -rN -u old-mark/perllib/CGI/Application/Plugin/Authorization/Driver.pm new-mark-2/perllib/CGI/Application/Plugin/Authorization/Driver.pm --- old-mark/perllib/CGI/Application/Plugin/Authorization/Driver.pm 2006-02-04 09:53:13.000000000 -0500 +++ new-mark-2/perllib/CGI/Application/Plugin/Authorization/Driver.pm 2006-02-04 09:43:22.000000000 -0500 @@ -116,7 +116,8 @@ =head2 username -This will return the name of the current logged in user. +This will return the name of the current logged in user by calling +the C<username> method documented in L<CGI::Application::Plugin::Authorization>. =cut @@ -128,8 +129,11 @@ =head2 authorize -This method will verify that the currently logged in user passes the authorization checks -based on the given parameters. + # User must be in the admin group to have access to this runmode + return $self->authz->forbidden unless $self->authz->authorize('admin'); + +This method will verify that the currently logged in user (as found through L<username>) +passes the authorization checks based on the given parameters, usually a list of groups. =cut
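Review bot: In the `=head2 authorize` text, `L<username>` is parsed as a link to a separate page named "username", not to the `username` section of this document; write `L</username>` to link within the page. The added example line would also read more naturally after the description than before it.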