Mailing List Archive: Catalyst: Users

fine Authentication

 

 



vlad.bazonatgmail.com

Jul 23, 2005, 1:51 AM

Post #1 of 10 (213 views)
Permalink
fine Authentication

Hi,

How, as simply as possible or as "best practice", can I link an action (like
'add'), and also an individual action (like 'edit/7' or 'destroy/5'),
with a kind of authentication?

Only the user who created a group of records should then be able to operate
('edit', 'destroy') on them (by 'edit/7', etc.)!

Maybe I have wrongly expressed, in CDBI-mysql, the relationships of
'user_class', 'role_class', 'user_role_class' ...

Thanks!


luke.saundersatgmail.com

Jul 23, 2005, 1:32 PM

Post #2 of 10 (212 views)
Permalink
fine Authentication [In reply to]

The best way to do this type of fine-grained authentication is to
write a plugin which watches where the users are going within the
controllers and forwards the request elsewhere if necessary (to
/page/denied for example). To do this I wrote a plugin which overloads
the execute method of Catalyst::Engine and makes the checks before the
action is executed. This is better than having the controllers 'ask'
some authenticator whether user x is allowed access to that action.

If you're interested I can email you the code but not until Tuesday as
I won't have access to it until then.

Alternatively you can just put some code in the auto method of your
controller(s) which makes the checks.

-Luke

On 7/23/05, Vlad Bazon <vlad.bazon [at] gmail> wrote:
> Hi,
>
> How, as simply as possible or as "best practice", can I link an action (like
> 'add'), and also an individual action (like 'edit/7' or 'destroy/5'),
> with a kind of authentication?
>
> Only the user who created a group of records should then be able to operate
> ('edit', 'destroy') on them (by 'edit/7', etc.)!
>
> Maybe I have wrongly expressed, in CDBI-mysql, the relationships of
> 'user_class', 'role_class', 'user_role_class' ...
>
> Thanks!
>
> _______________________________________________
> Catalyst mailing list
> Catalyst [at] lists
> http://lists.rawmode.org/mailman/listinfo/catalyst
>
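A worked example of the second option Luke mentions (making the checks in the controller's auto method, and again per action for per-record ownership), added here as illustration; it is not Luke's plugin and not code from anyone in this thread. It assumes a Catalyst 5 application using a session plugin that exposes $c->session->{user_id} (as the templates in this thread do) and a hypothetical Class::DBI model class MyApp::M::CDBI::Record with columns id, user_id and nume; the controller name MyApp::C::Record and the template names denied.html, edit.html and add.html are likewise assumptions.

```perl
package MyApp::C::Record;    # hypothetical controller for the 'record' table
use strict;
use warnings;
use base 'Catalyst::Base';

# Hypothetical Class::DBI model class with columns id, user_id and nume.
my $MODEL = 'MyApp::M::CDBI::Record';

# 'auto' runs before every action in this controller. Returning false stops
# the request, so nothing below ever runs for an anonymous user. This is the
# authentication half: it proves only that somebody is logged in.
sub auto : Private {
    my ( $self, $c ) = @_;
    return 1 if $c->session->{user_id};
    $c->forward('/login/login');
    return 0;
}

# The authorization half: load the record named in the URL and insist that
# the session user created it. Returns the record, or undef after preparing
# a 403 response. It runs for GET and POST alike, so typing 'edit/7' by hand
# or forging a POST gets the same answer as clicking a hidden link would.
sub _owned_record {
    my ( $self, $c, $id ) = @_;
    my $record;
    $record = $MODEL->retrieve($id) if defined $id && $id =~ /^\d+$/;
    if ( $record && $record->user_id == $c->session->{user_id} ) {
        return $record;
    }
    $c->res->status(403);
    $c->stash->{message}  = 'You may only edit or destroy your own records.';
    $c->stash->{template} = 'denied.html';    # assumed template name
    return;
}

# GET shows the edit form; POST saves. The ownership check precedes both.
sub edit : Local {
    my ( $self, $c, $id ) = @_;
    my $record = $self->_owned_record( $c, $id ) or return;
    if ( $c->req->method eq 'POST' ) {
        $record->nume( $c->req->params->{nume} );
        $record->update;
        $c->res->redirect( $c->req->base . 'record/list' );
        return;
    }
    $c->stash->{record}   = $record;
    $c->stash->{template} = 'edit.html';      # assumed template name
}

sub destroy : Local {
    my ( $self, $c, $id ) = @_;
    my $record = $self->_owned_record( $c, $id ) or return;
    $record->delete;
    $c->res->redirect( $c->req->base . 'record/list' );
}

# 'add' needs no record: any logged-in user may create one, and the new row's
# user_id comes from the session, never from the request parameters.
sub add : Local {
    my ( $self, $c ) = @_;
    if ( $c->req->method eq 'POST' ) {
        $MODEL->create(
            { user_id => $c->session->{user_id}, nume => $c->req->params->{nume} } );
        $c->res->redirect( $c->req->base . 'record/list' );
        return;
    }
    $c->stash->{template} = 'add.html';       # assumed template name
}

1;
```

The split matters: auto only establishes that a user is logged in, while the ownership test in _owned_record is what turns 'edit/7' into an authorization decision. Because it runs before the form is rendered and before the update is saved, hiding the link in list.html or rejecting GET requests adds nothing that this check does not already enforce.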


josenyimiatskynet.be

Jul 23, 2005, 5:44 PM

Post #3 of 10 (218 views)
Permalink
fine Authentication [In reply to]

> -----Original Message-----
> From: catalyst-bounces [at] lists
> [mailto:catalyst-bounces [at] lists] On behalf of
> luke saunders
> Sent: Saturday 23 July 2005 13:35
> To: Vlad Bazon; The elegant MVC web framework
> Subject: Re: [Catalyst] fine Authentication
>
>
> The best way to do this type of fine grained
> authentication is to write a plugin which watches where the
> users are going within the controllers and forwards the
> request elsewhere if necessary (to /page/denied for example).
> To do this I wrote a plugin which overloads the execute
> method of Catalyst::Engine and makes the checks before the
> action is executed. This is better than having the
> controllers 'ask' some authenticator if user x is allowed
> access to that action.
>
> If you're interested I can email you the code but not until
> Tuesday as I won't have access to it until then.
>

Yep, interesting, please share it with me as well!
Or just share it with the list if possible ;)

Rgds,
José.


vlad.bazonatgmail.com

Jul 30, 2005, 10:18 PM

Post #4 of 10 (212 views)
Permalink
Re: fine Authentication [In reply to]

I do this in "list.html" (and not in a controller ...?!), like:
......
<td>
[% IF (column == 'nume') and ((c.session.user_id == object.$primary)
or (c.session.user_id == object.di_id.id)) %]
<a href="[% c.req.base _ table_name _ "/edit/" _ object.$primary %]">
[% END %]
[% object.$column %]
</td>
...... (so only "user_id" has an "edit/7" action at its disposal.)

Probably it is not a good idea (because of the principle of
M/C/V separation), but it is so practical ...

Regards,
Vlad

On 7/23/05, Vlad Bazon <vlad.bazon [at] gmail> wrote:
> Hi,
>
> How, as simply as possible or as "best practice", can I link an action (like
> 'add'), and also an individual action (like 'edit/7' or 'destroy/5'),
> with a kind of authentication?
>
> Only the user who created a group of records should then be able to operate
> ('edit', 'destroy') on them (by 'edit/7', etc.)!
>
> Maybe I have wrongly expressed, in CDBI-mysql, the relationships of
> 'user_class', 'role_class', 'user_role_class' ...
>
> Thanks!
>


vlad.bazonatgmail.com

Aug 3, 2005, 8:27 AM

Post #5 of 10 (208 views)
Permalink
Re: fine Authentication [In reply to]

A very bad solution!
<Any> user could type "http://.../edit/7" manually!
I'm sorry ...

On 7/30/05, Vlad Bazon <vlad.bazon [at] gmail> wrote:
> I do this in "list.html" (and not in a controller ...?!), like:
> ......
> <td>
> [% IF (column == 'nume') and ((c.session.user_id == object.$primary)
> or (c.session.user_id == object.di_id.id)) %]
> <a href="[% c.req.base _ table_name _ "/edit/" _ object.$primary %]">
> [% END %]
> [% object.$column %]
> </td>
> ...... (so only "user_id" has an "edit/7" action at its disposal.)
>
> Probably it is not a good idea (because of the principle of
> M/C/V separation), but it is so practical ...
>
> Regards,
> Vlad
>
> On 7/23/05, Vlad Bazon <vlad.bazon [at] gmail> wrote:
> > Hi,
> >
> > How, as simply as possible or as "best practice", can I link an action (like
> > 'add'), and also an individual action (like 'edit/7' or 'destroy/5'),
> > with a kind of authentication?
> >
> > Only the user who created a group of records should then be able to operate
> > ('edit', 'destroy') on them (by 'edit/7', etc.)!
> >
> > Maybe I have wrongly expressed, in CDBI-mysql, the relationships of
> > 'user_class', 'role_class', 'user_role_class' ...
> >
> > Thanks!
> >
>


dstorrsatdstorrs.com

Aug 3, 2005, 4:22 PM

Post #6 of 10 (209 views)
Permalink
Re: fine Authentication [In reply to]

> On 7/30/05, Vlad Bazon <vlad.bazon [at] gmail> wrote:
>
>> I do this in "list.html" (and not in a controller ...?!), like:
>> ......
>> <td>
>> [% IF (column == 'nume') and ((c.session.user_id == object.$primary)
>> or (c.session.user_id == object.di_id.id)) %]
>> <a href="[% c.req.base _ table_name _ "/edit/" _ object.$primary %]">
>> [% END %]
>> [% object.$column %]
>> </td>
>> ...... (so only "user_id" has an "edit/7" action at its disposal.)
>>
>> Probably it is not a good idea (because of the principle of
>> M/C/V separation), but it is so practical ...

On Aug 3, 2005, at 2:30 AM, Vlad Bazon wrote:

> A very bad solution!
> <Any> user could type "http://.../edit/7" manually!
> I'm sorry ...


Actually, it's a good solution--just not to the problem of
authentication. This isn't an authentication technique, this is a
user-interface technique: it helps to present the user with a
simple, uncluttered interface that includes only the elements they
need/can use. Authentication should be done via checking credentials,
as you imply above.

--Dks


vlad.bazonatgmail.com

Aug 4, 2005, 5:11 PM

Post #7 of 10 (204 views)
Permalink
Re: fine Authentication [In reply to]

Of course! You are always right ...

On the other hand, in order to prevent <manually> modifying the data of
another user, a solution could be the (banal) extension of the
controller code with:

sub do_edit {
    my ( $self, $c ) = @_;
    # the "extension" to prevent GET ("manual") requests
    if ( $c->req->method eq "GET" ) {
        $c->req->action(undef);
        $c->stash->{message} = "aaa";    # You must not modify the others' data!
        return $c->forward('/login/login');
    }
    .....

Am I wrong?

Vlad
On 8/3/05, David Storrs <dstorrs [at] dstorrs> wrote:
> > On 7/30/05, Vlad Bazon <vlad.bazon [at] gmail> wrote:
> >
> >> I do this in "list.html" (and not in a controller ...?!), like:
> >> ......
> >> <td>
> >> [% IF (column == 'nume') and ((c.session.user_id == object.$primary)
> >> or (c.session.user_id == object.di_id.id)) %]
> >> <a href="[% c.req.base _ table_name _ "/edit/" _ object.$primary %]">
> >> [% END %]
> >> [% object.$column %]
> >> </td>
> >> ...... (so only "user_id" has an "edit/7" action at its disposal.)
> >>
> >> Probably it is not a good idea (because of the principle of
> >> M/C/V separation), but it is so practical ...
>
> On Aug 3, 2005, at 2:30 AM, Vlad Bazon wrote:
>
> > A very bad solution!
> > <Any> user could type "http://.../edit/7" manually!
> > I'm sorry ...
>
>
> Actually, it's a good solution--just not to the problem of
> authentication. This isn't an authentication technique, this is a
> user-interface technique: it helps to present the user with a
> simple, uncluttered interface that includes only the elements they
> need/can use. Authentication should be done via checking credentials,
> as you imply above.
>
> --Dks
>
> _______________________________________________
> Catalyst mailing list
> Catalyst [at] lists
> http://lists.rawmode.org/mailman/listinfo/catalyst
>


taulmarillatxgn.de

Aug 4, 2005, 5:39 PM

Post #8 of 10 (212 views)
Permalink
Re: fine Authentication [In reply to]

On Thu, 4 Aug 2005 18:14:14 +0300, Vlad Bazon wrote
> Of course! You are always right ...
>
> On the other hand, in order to prevent <manually> modifying the data of
> another user, a solution could be the (banal) extension of the
> controller code with:
>
> sub do_edit {
>     my ( $self, $c ) = @_;
>     # the "extension" to prevent GET ("manual") requests
>     if ( $c->req->method eq "GET" ) {
>         $c->req->action(undef);
>         $c->stash->{message} = "aaa";    # You must not modify the others' data!
>         return $c->forward('/login/login');
>     }
>     .....
>
> Am I wrong?

Yes, you are. Many users are able to save and edit the HTML page to fake a
POST request, and that's just the trivial way. Being a programmer, I could
always write a Perl script which pretends to be a browser doing a POST request,
and that's not hard to do either, even for script kiddies.
Just use serious authentication which requires some hard-to-guess information
from the user. Everything else is rubbish.
___
Jürgen


dstorrsatdstorrs.com

Aug 4, 2005, 7:01 PM

Post #9 of 10 (207 views)
Permalink
Re: fine Authentication [In reply to]

On Aug 4, 2005, at 11:42 AM, Jürgen Peters wrote:

> On Thu, 4 Aug 2005 18:14:14 +0300, Vlad Bazon wrote
>> On the other hand, in order to prevent <manually> modifying the data of
>> another user, a solution could be the (banal) extension of the
>> controller code with:
>>
>> [code that relies on checking for GET calls vs username/password]
>> Am I wrong?
>>
>
> Yes, you are. Many users are able to save and edit the HTML page to
> fake a POST request, and that's just the trivial way. Being a programmer,
> I could always write a Perl script which pretends to be a browser doing a
> POST request, and that's not hard to do either, even for script kiddies.
> Just use serious authentication which requires some hard-to-guess
> information from the user. Everything else is rubbish.


Succinctly, albeit indelicately, put. :>

Vlad, Jürgen is right on the money. If you want to do
authentication, ask the user for a username and password, then check
this information against the database. Anything less than that is
completely useless.

For detailed directions on how to do this, look here:
http://dev.catalyst.perl.org/wiki/MoreFAQ
It provides a discussion, further pointers, and a complete (tested)
Login.pm for you.

Also, could you please bottom-post (or, best of all, intermix) future
replies? It makes it easier to follow the conversation.

--Dks


Wade.Stuart at fallon

Aug 4, 2005, 7:06 PM

Post #10 of 10 (211 views)
Permalink
Re: fine Authentication [In reply to]

I usually use two levels of auth: the outer sets the user/group
information, and then the database has table-level auth links to define what
type of table or group can access or modify info.

I check the action of each step against the privilege tables and then bounce
back errors or forward if the user is not allowed to view or modify the data.
On larger, more complex apps I write a bunch of classes that do this; on
smaller apps I tend to put it in each action. Putting any of this logic
(besides the obvious UI clean look-and-feel stuff) in the templates is a
waste of time.

-Wade





On 08/04/05 10:14 AM, Vlad Bazon <vlad.bazon [at] gmail.com> wrote to
The elegant MVC web framework <catalyst [at] lists.rawmode.org>
(Subject: Re: [Catalyst] Re: fine Authentication):

> Of course! You are always right ...
>
> On the other hand, in order to prevent <manually> modifying the data of
> another user, a solution could be the (banal) extension of the
> controller code with:
>
> sub do_edit {
>     my ( $self, $c ) = @_;
>     # the "extension" to prevent GET ("manual") requests
>     if ( $c->req->method eq "GET" ) {
>         $c->req->action(undef);
>         $c->stash->{message} = "aaa";    # You must not modify the others' data!
>         return $c->forward('/login/login');
>     }
>     .....
>
> Am I wrong?
>
> Vlad
> On 8/3/05, David Storrs <dstorrs [at] dstorrs> wrote:
> > > On 7/30/05, Vlad Bazon <vlad.bazon [at] gmail> wrote:
> > >
> > >> I do this in "list.html" (and not in a controller ...?!), like:
> > >> ......
> > >> <td>
> > >> [% IF (column == 'nume') and ((c.session.user_id == object.$primary)
> > >> or (c.session.user_id == object.di_id.id)) %]
> > >> <a href="[% c.req.base _ table_name _ "/edit/" _ object.$primary %]">
> > >> [% END %]
> > >> [% object.$column %]
> > >> </td>
> > >> ...... (so only "user_id" has an "edit/7" action at its disposal.)
> > >>
> > >> Probably it is not a good idea (because of the principle of
> > >> M/C/V separation), but it is so practical ...
> >
> > On Aug 3, 2005, at 2:30 AM, Vlad Bazon wrote:
> >
> > > A very bad solution!
> > > <Any> user could type "http://.../edit/7" manually!
> > > I'm sorry ...
> >
> >
> > Actually, it's a good solution--just not to the problem of
> > authentication. This isn't an authentication technique, this is a
> > user-interface technique: it helps to present the user with a
> > simple, uncluttered interface that includes only the elements they
> > need/can use. Authentication should be done via checking credentials,
> > as you imply above.
> >
> > --Dks
> >
> > _______________________________________________
> > Catalyst mailing list
> > Catalyst [at] lists
> > http://lists.rawmode.org/mailman/listinfo/catalyst
> >
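The following standalone Perl script is an added example, not code from Vlad, Jürgen, David or Wade, that puts Wade's two-level scheme next to the GET check from Vlad's do_edit above: a role/table/action privilege table plus an ownership test for 'own'-scoped actions, evaluated for several constructed requests, including the forged POST from a non-owner that Jürgen describes. The users, records, roles and privilege table are constructed sample data; only the column names user_id and nume come from the thread. It needs no Catalyst and runs with plain perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (not from the thread): users with roles, and
# records whose user_id column names the creator, as in Vlad's schema.
my %users = (
    1  => { name => 'admin',   roles => [ 'member', 'admin' ] },
    7  => { name => 'vlad',    roles => ['member'] },
    12 => { name => 'mallory', roles => ['member'] },
);
my %records = (
    5 => { id => 5, user_id => 12, nume => 'mallory record' },
    7 => { id => 7, user_id => 7,  nume => 'vlad record' },
);

# Level 1 of Wade's scheme: which role may perform which action on which
# table. Scope 'any' means every row; 'own' means only rows the user created.
my %privileges = (
    member => { record => { list => 'any', add => 'any', edit => 'own', destroy => 'own' } },
    admin  => { record => { list => 'any', add => 'any', edit => 'any', destroy => 'any' } },
);

# Level 2: decide one request. Returns (allowed, reason). The HTTP method is
# deliberately not an input: the answer depends on who the user is and whose
# record it is, never on how the request was sent.
sub authorize {
    my (%req) = @_;    # user_id, table, action, record (hashref, may be undef)
    my $user = defined $req{user_id} ? $users{ $req{user_id} } : undef;
    return ( 0, 'not logged in' ) unless $user;

    # The widest scope any of the user's roles grants for this table/action.
    my $scope;
    for my $role ( @{ $user->{roles} } ) {
        my $s = $privileges{$role}{ $req{table} }{ $req{action} } or next;
        $scope = 'any' if $s eq 'any';
        $scope ||= $s;
    }
    return ( 0, "no privilege for $req{action} on $req{table}" ) unless $scope;
    return ( 1, 'role allows any row' ) if $scope eq 'any';

    # 'own' scope: the row must exist and its creator must be this user.
    my $record = $req{record} or return ( 0, 'no such record' );
    return ( 1, 'owner' ) if $record->{user_id} == $req{user_id};
    return ( 0, 'not the owner' );
}

# The check from Vlad's do_edit, for contrast: it only rejects GET requests.
sub method_check_only {
    my ($method) = @_;
    return $method ne 'GET';
}

# Constructed requests. The third is the forged POST described in the thread:
# mallory (user 12) submits edit/7 with a hand-built POST body.
my @requests = (
    { who => 'vlad      GET  edit/7',    user_id => 7,     method => 'GET',  action => 'edit',    id => 7 },
    { who => 'vlad      POST edit/7',    user_id => 7,     method => 'POST', action => 'edit',    id => 7 },
    { who => 'mallory   POST edit/7',    user_id => 12,    method => 'POST', action => 'edit',    id => 7 },
    { who => 'mallory   POST add',       user_id => 12,    method => 'POST', action => 'add',     id => undef },
    { who => 'admin     POST destroy/7', user_id => 1,     method => 'POST', action => 'destroy', id => 7 },
    { who => 'anonymous POST destroy/5', user_id => undef, method => 'POST', action => 'destroy', id => 5 },
);

for my $r (@requests) {
    my ( $ok, $why ) = authorize(
        user_id => $r->{user_id},
        table   => 'record',
        action  => $r->{action},
        record  => defined $r->{id} ? $records{ $r->{id} } : undef,
    );
    printf "%-28s method check: %-7s  privilege+ownership: %-7s (%s)\n",
        $r->{who},
        method_check_only( $r->{method} ) ? 'allowed' : 'denied',
        $ok ? 'allowed' : 'denied',
        $why;
}
```

The third and sixth lines of output are the ones that matter: the method check waves both the forged non-owner POST and the anonymous POST through, while the privilege-plus-ownership decision denies them for the right reasons ("not the owner", "not logged in"). The same authorize call is what a Catalyst action (or the engine-level plugin Luke describes) would make before running edit, destroy or add, with the record loaded by id from the URL rather than trusted from the form.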
