managing object permissions

by ForgotPasswordAgain (Deacon)
on Nov 26, 2008 at 16:38 UTC (#726150)
ForgotPasswordAgain has asked for the wisdom of the Perl Monks concerning the following question:

Basically looking for ideas on access-control of objects. I assume this kind of problem is common, but I don't see modules for it. Sorry if I don't explain this well.

I work on a CMS, when I'm not too lazy :). We have objects like "Story", "Workflow", "Desk", "User", "Element", ... These correspond to one or more database tables. The permissions are mostly object-specific, so a user or group will have READ or EDIT or PUBLISH permissions for a Story, say. In some ways it's a nice system, but one thing I don't like is there's not really a natural way to make the objects hierarchical. For example, if a Desk is in a Workflow, I'd want the Desk to inherit permissions from the Workflow. Another thing I dislike is that we basically have to instantiate all the objects before filtering out the ones the user doesn't have permission for. I think I'd prefer something like a JOIN in the database to take care of that.

The best approach I've found so far is probably what's known as role-based access control, though this is just an idea rather than a module/implementation. Someone also mentioned LDAP, which I need to get up to speed on (I associate it with sysadminny things like single sign-on but not with object-level use in an application). Any other ideas? It seems like something that must be common in Catalyst applications, for example.

Re: managing object permissions
by LanX (Canon) on Nov 26, 2008 at 17:12 UTC
    I don't understand if this is an OOP or a DB question...

    > For example, if a Desk is in a Workflow, I'd want the Desk to inherit permissions from the Workflow.

    Sounds like you're adding the Desk-object to an array in the Workflow-object. The add-method might take care of duplicating rights, or of adding a backlink in Desk to Workflow which is dynamically followed if Desk's rights are evaluated.

    ... just my 2¢ of brainstorm interpretation of your question...

    Cheers Rolf

Re: managing object permissions
by Bloodnok (Vicar) on Nov 26, 2008 at 17:18 UTC
    LDAP (Lightweight Directory Access Protocol) is a means by which TCP/IP-based databases are accessed.

    .oO(I'm sure I'm teaching my granny to suck eggs, but here goes anyway...)

    As far as hierarchy is concerned, why not fall back on the inheritance of methods, accessors & mutators, e.g. in your example, Desk->method() resulting in Workflow->method() actually being the method called - thus indirectly implementing the inheritance of permissions etc. e.g.

    use strict;
    use warnings;

    package Workflow;
    sub method {
        my $self = shift;
        # Workflow's implementation; Desk inherits it through @ISA
    }

    package Desk;
    use base qw/Workflow/;
    sub new { bless \( my $scalar ), ref $_[0] || $_[0] }

    package main;
    my $desk = Desk->new();
    $desk->method();   # resolves to Workflow::method

    etc. etc.

    A user level that continues to overstate my experience :-))
      I think another kind of inheritance is meant.

      Perl's OOP models inheritance on classes, not on objects. Objects have no @ISA.

      IMHO the OT has objects of different classes in a hierarchical order

      but he may simulate the @ISA behaviour for objects in an instance variable @upper_rights containing refs to the other objects.

      Cheers Rolf

        Agreed - but I've played with inheritance at both class and instance level in order to achieve substantially the same, or similar, end-result.

        A user level that continues to overstate my experience :-))
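The per-object rights chain that the question and the @upper_rights idea above describe, as an added example in Perl (not code from the thread): each object carries its own ACL plus a list of parent objects, and a check walks up that chain, so a Desk inside a Workflow inherits the Workflow's grants. The class and method names (Securable, grant, allows, visible_to) and the sample hierarchy are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical base class for anything that carries permissions. Each
# instance keeps its own ACL (principal => { right => 1 }) and a list of
# parent objects whose rights it inherits, in the spirit of @upper_rights.
package Securable;

sub new {
    my ($class, %args) = @_;
    my $self = {
        name    => $args{name},
        acl     => {},                  # principal => { READ => 1, ... }
        parents => $args{parents} || [],
    };
    return bless $self, $class;
}

sub name    { $_[0]{name} }
sub parents { @{ $_[0]{parents} } }

# Grant $right on this object to a principal (a user or group name).
sub grant {
    my ($self, $principal, $right) = @_;
    $self->{acl}{$principal}{$right} = 1;
    return $self;
}

# Deny by default: $principal holds $right only if it is granted here or
# on some ancestor. Depth-first walk; the visited set guards against a
# cycle in the parent links.
sub allows {
    my ($self, $principal, $right, $seen) = @_;
    $seen ||= {};
    return 0 if $seen->{"$self"}++;     # already visited this object
    return 1 if $self->{acl}{$principal}{$right};
    for my $parent ($self->parents) {
        return 1 if $parent->allows($principal, $right, $seen);
    }
    return 0;
}

# Filter an already-instantiated list down to what $principal may $right.
sub visible_to {
    my ($class, $principal, $right, @objects) = @_;
    return grep { $_->allows($principal, $right) } @objects;
}

package Workflow; our @ISA = ('Securable');
package Desk;     our @ISA = ('Securable');
package Story;    our @ISA = ('Securable');

package main;

# Constructed sample hierarchy: a Story sits on a Desk inside a Workflow.
my $workflow = Workflow->new(name => 'news');
my $desk     = Desk->new(name => 'copy-desk', parents => [$workflow]);
my $story    = Story->new(name => 'lead',     parents => [$desk]);
my $other    = Story->new(name => 'unrelated');

$workflow->grant('editors', 'READ');
$workflow->grant('editors', 'EDIT');
$desk->grant('alice', 'READ');
$story->grant('bob', 'PUBLISH');

# Inherited: editors may EDIT the story via desk -> workflow (prints 1).
printf "editors EDIT %s: %d\n", $story->name, $story->allows('editors', 'EDIT');
# Granted on the desk only: alice may READ the story (1) but not the workflow (0).
printf "alice READ %s: %d\n", $story->name,    $story->allows('alice', 'READ');
printf "alice READ %s: %d\n", $workflow->name, $workflow->allows('alice', 'READ');
# No grant anywhere in the chain (0).
printf "bob EDIT %s: %d\n", $story->name, $story->allows('bob', 'EDIT');

# Filtering after instantiation, which is what the question wants to avoid
# for large lists; a database-side filter is the alternative.
my @mine = Securable->visible_to('alice', 'READ', $story, $other);
print "alice sees: ", join(', ', map { $_->name } @mine), "\n";
```

Rights flow downward only: a grant on the Workflow reaches every Desk and Story under it, while a grant on a Story says nothing about its Desk. Group membership is left to the caller here (pass the group name as the principal), and the visited set matters as soon as parent links are built from data rather than by hand.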
Re: managing object permissions
by scorpio17 (Monsignor) on Nov 26, 2008 at 18:26 UTC

    CGI::Application can be used to implement role-based access control using the modules CGI::Application::Plugin::Authentication and CGI::Application::Plugin::Authorization.

      It's the "implement" part I'm being lazy about. :} I'm probably just dreaming, though, thinking there's something already implemented, since it's probably fairly application-dependent. Also those presumably require using CGI::Application, which I don't necessarily want to do.

      I read more about RBAC last night, and it does seem (in an abstract, theoretical way) a lot like what I have in mind. There are apparently a few implementations of it -- especially in Java, which I guess is (fairly or not) more associated with "enterprise" applications.

Re: managing object permissions
by karavelov (Monk) on Nov 27, 2008 at 13:26 UTC

    Access-control on objects is somehow ambiguous. The objects are a combination of data and behaviour. So you have 2 levels of access control - on data and on behaviour.

    1. On data level. Usually you get and store the data in some sort of database. You could implement your access-control policy there, in the database. For example look at "Oracle label security"; for Postgresql look at pgacl (row-level ACL), sepgsql (integration with SELinux security model), veil (view-based sec. policies) etc. You could configure inheritable permissions with some of these tools.

    2. For behaviour level access control - you could code it yourself; it is very application dependent so there is no good, universal model for doing this - you do it one way for a webapp, another way for a Tk app etc.

    You are working on some CMS; I suppose it has some kind of behaviour level access control. Look there and change the code to fully suit your needs.

      Thanks, especially for the pointer to pgacl.
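The data-level alternative raised in this reply, and the "JOIN in the database" the question asks for, as an added example in Perl with DBI (not code from the thread or from any of the tools named above): the hierarchy is stored as a closure table (one row per object/ancestor pair), so a single JOIN against an ACL table returns only the rows the caller may see and nothing has to be instantiated and then discarded. It assumes DBD::SQLite is installed; the schema, table names and sample data are constructed for the illustration, and the SQL is plain enough to run unchanged on PostgreSQL or MySQL.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database (assumes DBD::SQLite is available).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do(<<'SQL');
CREATE TABLE object (
    id        INTEGER PRIMARY KEY,
    type      TEXT NOT NULL,           -- Workflow, Desk, Story, ...
    name      TEXT NOT NULL,
    parent_id INTEGER REFERENCES object(id)
)
SQL

# Closure table: every (object, ancestor) pair including the object itself
# at depth 0, so one JOIN reaches every level of the hierarchy.
$dbh->do(<<'SQL');
CREATE TABLE object_ancestor (
    object_id   INTEGER NOT NULL REFERENCES object(id),
    ancestor_id INTEGER NOT NULL REFERENCES object(id),
    depth       INTEGER NOT NULL,
    PRIMARY KEY (object_id, ancestor_id)
)
SQL

$dbh->do(<<'SQL');
CREATE TABLE acl (
    object_id INTEGER NOT NULL REFERENCES object(id),
    principal TEXT    NOT NULL,        -- user or group name
    perm      TEXT    NOT NULL,        -- READ, EDIT, PUBLISH
    PRIMARY KEY (object_id, principal, perm)
)
SQL

# Insert an object and extend the closure table from its parent's rows.
sub add_object {
    my ($type, $name, $parent_id) = @_;
    $dbh->do('INSERT INTO object (type, name, parent_id) VALUES (?, ?, ?)',
        undef, $type, $name, $parent_id);
    my $id = $dbh->last_insert_id(undef, undef, 'object', 'id');
    $dbh->do('INSERT INTO object_ancestor VALUES (?, ?, 0)', undef, $id, $id);
    if (defined $parent_id) {
        $dbh->do(<<'SQL', undef, $id, $parent_id);
INSERT INTO object_ancestor (object_id, ancestor_id, depth)
SELECT ?, ancestor_id, depth + 1 FROM object_ancestor WHERE object_id = ?
SQL
    }
    return $id;
}

sub grant {
    my ($object_id, $principal, $perm) = @_;
    $dbh->do('INSERT INTO acl VALUES (?, ?, ?)', undef, $object_id, $principal, $perm);
}

# The filtering query: objects of $type on which any of the caller's
# principals (user name plus group names) holds $perm, directly or on an
# ancestor. Every value is a bind parameter; only the placeholder list is
# built in Perl, so no user input is interpolated into the SQL text.
sub objects_visible_to {
    my ($type, $perm, @principals) = @_;
    my $in = join ',', ('?') x @principals;
    my $sql = <<"SQL";
SELECT DISTINCT o.id, o.name
FROM object o
JOIN object_ancestor a ON a.object_id = o.id
JOIN acl p            ON p.object_id = a.ancestor_id
WHERE o.type = ? AND p.perm = ? AND p.principal IN ($in)
ORDER BY o.id
SQL
    return @{ $dbh->selectall_arrayref($sql, undef, $type, $perm, @principals) };
}

# Constructed sample data: Story 'lead' on a Desk inside a Workflow.
my $wf    = add_object('Workflow', 'news');
my $desk  = add_object('Desk',     'copy-desk', $wf);
my $lead  = add_object('Story',    'lead',      $desk);
my $other = add_object('Story',    'unrelated', undef);

grant($wf,    'editors', 'EDIT');
grant($desk,  'alice',   'READ');
grant($other, 'bob',     'READ');

# alice, as a member of 'editors', may EDIT 'lead' via the workflow grant.
for my $row (objects_visible_to('Story', 'EDIT', 'alice', 'editors')) {
    printf "alice may EDIT story %d (%s)\n", @$row;
}
# bob, not an editor, is returned only the story he was granted directly.
for my $row (objects_visible_to('Story', 'READ', 'bob')) {
    printf "bob may READ story %d (%s)\n", @$row;
}
```

The closure table costs one extra row per ancestor at insert time and has to be rewritten if an object is re-parented, but in return the permission filter is an ordinary JOIN that the database can index and that works with pagination and counts, rather than a Perl loop over objects that were fetched only to be thrown away.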

Front-paged by Arunbear