blackjudas has asked for the wisdom of the Perl Monks concerning the following question:

I am currently developing a CGI groupware app in Perl and hope that some of the enlightened monks can provide some suggestions/input.

The app is programmed in such a way that any of the programmers working on it can write a module and update an index in the main program to "plug" in. This in turn needs to check if the menu drawn for the current user will include a certain module (if the user has such permissions).

Currently what I have in mind is to model the whole thing after the UNIX permissions system. Declare each module in a DB lookup and have a byte that describes each user's access to each part, i.e.:

0 = no access
4 = read access
5 = read access, execute access
6 = read access, write access
7 = read access, write access, execute access

Note: I've intentionally left out 1-3 since without read access the whole point to writing and executing would be lost.

As such, maybe some explanation is required: read access means that the user can "fire up" the module and see what default information it provides, but otherwise any add, edit or execute functions would be disabled. Now any write functions will be available if the write flag is turned on, the execute flag will make any option that sends this thing into any sort of operations loop such as "build site" - "rebuild database" etc.

Now, for implementation:
As such the app opens the user_registry database, and builds a hash from the permissions columns in the database and as such would look somewhat like this:

my %permissions = ( user_manager_mod => 0, events_manager_mod => 4, photo_manager_mod => 7 );

Now the above is just an illustration, I never actually declare the hash, the app builds it itself.

All interface functions that draw windows, menus etc check the hash and draw according to the permissions provided.

Ok so now... Can any of you see any flaws with this design? This app needs to be secure and uses SSL for all operations. I have implemented sessions which hold any type of data from request to request, and the permissions hash will be one of the pieces of data passed from request to request after login until the session ends.

Let me know if I've overkilled here or if I need to explain further.


Thanks!

BlackJudas
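
The bit checks described in the post above, as an added example that is not part of the original post or of the poster's application. The constant names, the functions `load_permissions`, `can_do` and `menu_for`, and the sample rows (including `broken_mod`) are assumptions made up for illustration; the same check serves both menu drawing and the action handler, and missing or out-of-range values are treated as no access.

```perl
use strict;
use warnings;

# Bit values from the post's UNIX-style scheme: 4 = read, 2 = write, 1 = execute.
use constant { P_READ => 4, P_WRITE => 2, P_EXEC => 1 };
# Only the levels the post allows; 1-3 (write/execute without read) are rejected.
my %VALID_LEVEL = map { $_ => 1 } (0, 4, 5, 6, 7);

# Constructed sample rows standing in for the user_registry permission columns.
my %row = (
    user_manager_mod   => 0,
    events_manager_mod => 4,
    photo_manager_mod  => 7,
    broken_mod         => 3,    # invalid on purpose (write + execute, no read)
);

# Build the per-user hash, mapping any unexpected value to 0 (no access).
sub load_permissions {
    my (%raw) = @_;
    my %perm;
    for my $mod (keys %raw) {
        my $level = $raw{$mod};
        my $ok = defined $level && $level =~ /^[0-7]\z/ && $VALID_LEVEL{$level};
        $perm{$mod} = $ok ? $level + 0 : 0;
    }
    return \%perm;
}

# Default deny: a module missing from the hash grants nothing.
sub can_do {
    my ($perm, $mod, $need) = @_;
    my $have = exists $perm->{$mod} ? $perm->{$mod} : 0;
    return ( ($have & $need) == $need ) ? 1 : 0;
}

# Menu drawing uses the same check an action handler would call before acting.
sub menu_for {
    my ($perm) = @_;
    return sort grep { can_do($perm, $_, P_READ) } keys %$perm;
}

my $perm = load_permissions(%row);
print "menu: ", join(', ', menu_for($perm)), "\n";
for my $try ([events_manager_mod => P_WRITE], [photo_manager_mod => P_READ | P_EXEC], [unknown_mod => P_READ]) {
    my ($mod, $need) = @$try;
    printf "%-20s need=%d -> %s\n", $mod, $need, can_do($perm, $mod, $need) ? 'allow' : 'deny';
}
```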

Re: Implementing a Security System in a Groupware app.
by clemburg (Curate) on May 31, 2001 at 21:17 UTC

    You should have a look at OpenInteract, written by our brother lachoy, and especially the security/persistence layer it uses, SPOPS.

    Christian Lemburg
    Brainbench MVP for Perl
    http://www.brainbench.com

Re: Implementing a Security System in a Groupware app.
by tomhukins (Curate) on May 31, 2001 at 21:15 UTC