I am currently developing a CGI groupware app in Perl and hope that some of the enlightened monks can provide some suggestions/input.

The app is programmed in such a way that any of the programmers working on it can write a module and update an index in the main program to "plug" in. This in turn needs to check if the menu drawn for the current user will include a certain module (if the user has such permissions).

Currently what I have in mind is to model the whole thing after the UNIX permissions system. Declare each module in a DB lookup and have a byte that describes each user's access to each part, i.e.:

0 = no access
4 = read access
5 = read access, execute access
6 = read access, write access
7 = read access, write access, execute access

Note: I've intentionally left out 1-3 since without read access the whole point of writing and executing would be lost.

As such maybe some explanation is required: read access means that the user can "fire up" the module and see what default information it provides, but otherwise any add, edit or execute functions would be disabled. Now any write functions will be available if the write flag is turned on, and the execute flag will make available any option that sends this thing into any sort of operations loop such as "build site", "rebuild database" etc.

Now, for implementation:
As such the app opens the user_registry database, and builds a hash from the permissions columns in the database and as such would look somewhat like this:

my %permissions = ( user_manager_mod => 0, events_manager_mod => 4, photo_manager_mod => 7 );

Now the above is just an illustration, I never actually declare the hash, the app builds it itself.

All interface functions that draw windows, menus etc check the hash and draw according to the permissions provided.

OK, so now... Can any of you see any flaws with this design? This app needs to be secure and uses SSL for all operations. I have implemented sessions which hold any type of data from request to request, and the permissions hash will be one of the pieces of data passed from request to request after login until the session ends.

Let me know if I've overkilled here or if I need to explain further.


Thanks!

BlackJudas
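
The permission values described in the post, as an added example that is not part of the original post: a single deny-by-default check that tests the read/write/execute bits and rejects stored values outside 0, 4, 5, 6 and 7. The names `is_allowed`, `visible_modules`, `broken_mod` and `unknown_mod` are hypothetical, the sample hash is constructed, and the same check can be called by each action handler as well as by the menu code.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Bit values from the post's scheme: 4 = read, 2 = write, 1 = execute.
use constant { PERM_READ => 4, PERM_WRITE => 2, PERM_EXEC => 1 };

# The post allows only 0, 4, 5, 6 and 7 (write/execute without read is excluded).
my %VALID = map { $_ => 1 } (0, 4, 5, 6, 7);

# Constructed sample data, standing in for the hash built from user_registry.
my %permissions = (
    user_manager_mod   => 0,
    events_manager_mod => 4,
    photo_manager_mod  => 7,
    broken_mod         => 3,    # invalid on purpose: write+execute without read
);

# Hypothetical helper: true only if the module is known, its stored value is
# one of the allowed ones, and every requested bit is set. Anything else is denied.
sub is_allowed {
    my ($perms, $module, $needed) = @_;
    my $value = $perms->{$module};
    return 0 unless defined $value && $value =~ /\A[0-7]\z/;
    return 0 unless $VALID{$value};
    return ( $value & $needed ) == $needed ? 1 : 0;
}

# Hypothetical menu builder: lists the modules the user may at least read.
sub visible_modules {
    my ($perms) = @_;
    return sort grep { is_allowed($perms, $_, PERM_READ) } keys %$perms;
}

print "menu: ", join(', ', visible_modules(\%permissions)), "\n";
for my $check (
    [ events_manager_mod => PERM_WRITE ],
    [ photo_manager_mod  => PERM_WRITE | PERM_EXEC ],
    [ broken_mod         => PERM_EXEC ],
    [ unknown_mod        => PERM_READ ],
) {
    my ($module, $needed) = @$check;
    printf "%-20s needs %d: %s\n", $module, $needed,
        is_allowed(\%permissions, $module, $needed) ? 'allowed' : 'denied';
}
```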

In reply to Implementing a Security System in a Groupware app. by blackjudas
