Don't know if this will help you, but, do you know Maypole? (http://maypole.perl.org). They have a Maypole::Plugin::Authorization which seems to do exactly what you want..
maybe you can get some inspiration from their code..