
Swank v0.04.04

Swank::Security

This module provides security, authentication, and authorization routines for Swank.

Requires: Swank::Session, Swank::Storage, user and group pages

Provides:

authenticate( $login, $password )

$login is currently any value from the user record fields: name, username, fullname, or email.

The password is checked using auth_check_password, and the login is done using auth_login.

auth_login( $user )

Sets up session information when a user logs in.  (Security risk: this should only be allowed to be called after/from authenticate.  Should also ensure that the username in the session is not tampered with.)

Copies user record to session, preserving any "persistent fields".  (document persistent fields)  Determines the groups user is a member of.

auth_logout()

Creates a new session which is not logged in.

allow_top_action( $page, $action )

This is the main authorization function.  Uses the groups to determine whether a top level action is allowed or not.

show_actions( $page )

Determines what actions are allowed from this page.  Used to know which links to show, e.g. html, edit, save, delete, submit, etc.

auth_check_password( $username, $password )

Checks if the password matches the stored password, either the official password or a temporary password.  Note that the time limit on temporary passwords is not yet implemented.

$username is a pageref or user page name (not a path)

auth_set_password($username, $password, [ temp=>1 ] )

Sets a new password (temporary if temp=>1 is given)

Overrides:

top_action -- checks allow_top_action before proceeding

write -- only admins can write pages which contain perl code

Obsolete?  auth_default

How Groups Work

Groups decide which actions a user may perform.

Each group has a priority, an allow_top_action function, and either a user list or an automatic user selection function.

The user list or automatic user selection are used to determine which groups a user belongs to, both before and after logging in.

When a top level action is started, the groups which the user belongs to are checked, in descending priority order, to see if the action is allowed.  The group's allow_top_action routine should return 0 if the action is denied, 1 if the action is allowed, and '' or undef to defer the decision to the next group.
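The following is an added example of this priority walk, not code from Swank itself.  The group records, user names and rules are constructed for illustration; the one behaviour the page does not state (what happens when every group defers) is assumed here to be a default deny.

```perl
use strict;
use warnings;

# Constructed group records following the page's description: each group has
# a priority, an allow_top_action coderef, and either a static user list or an
# automatic membership function. Names and rules are illustrative only.
my @groups = (
    { name => 'admin',  priority => 100, users => ['alice'],
      allow => sub { 1 } },                            # admins: always allow
    { name => 'editor', priority => 50,  users => ['bob'],
      allow => sub {
          my ($page, $action) = @_;
          return 0     if $action eq 'delete';         # explicit deny
          return 1     if $action =~ /^(edit|save)$/;  # explicit allow
          return undef;                                # defer to next group
      } },
    { name => 'everyone', priority => 0, auto => sub { 1 },  # all users
      allow => sub { $_[1] eq 'html' ? 1 : '' } },     # view only, else defer
);

# Groups the user belongs to, sorted in descending priority as the page says.
sub user_groups {
    my ($user) = @_;
    my @mine;
    for my $g (@groups) {
        my $listed = $g->{users} && grep { $_ eq $user } @{ $g->{users} };
        my $auto   = $g->{auto}  && $g->{auto}->($user);
        push @mine, $g if $listed || $auto;
    }
    return sort { $b->{priority} <=> $a->{priority} } @mine;
}

# First group that returns a definite answer wins. '' and undef mean defer;
# 0 is a real deny, so a plain truth test would wrongly treat deny as defer.
sub allow_top_action {
    my ($user, $page, $action) = @_;
    for my $g (user_groups($user)) {
        my $r = $g->{allow}->($page, $action);
        next unless defined $r && length $r;   # deferred
        return $r ? 1 : 0;
    }
    return 0;   # assumption: if every group defers, deny by default
}

for my $case (['alice','delete'], ['bob','delete'], ['bob','edit'],
              ['bob','submit'], ['carol','html'], ['carol','edit']) {
    my ($user, $action) = @$case;
    printf "%-5s %-6s %s\n", $user, $action,
        allow_top_action($user, 'SomePage', $action) ? 'allow' : 'deny';
}
```

Note that bob's delete is denied by the editor group and never reaches the lower-priority everyone group, while bob's submit is deferred twice and falls through to the default.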