Gossamer Forum

separate password and permission

I'm using several databases with the same login but want different permissions for diff databases. i was thinking about separating the permissions from the passwords so when someone logs in it verifies password in master.pass, then opens db1.pass to get the permissions for that db. i want to share the login session but if someone switches db, check the permissions in db2.pass, etc. has this been done? hate to reinvent the wheel!
Re: [delicia] separate password and permission In reply to
I don't think it has been done. At least I haven't run across it before. It shouldn't be much of a problem, though. Sharing the login session isn't an issue. You just have to use the same auth directory for all of the databases.

The rest of it is doable, but there will be a lot of editing to do. You'll need to set the master password file in auth.pl in the login sequence and then check for permissions in whatever database they're logging into. You'll also need to adjust every other time that the password file (which is now just a permissions file) is checked so that it doesn't look for a password field in each row. Then you'll need to work out the admin panel function.

I don't think it'll be especially difficult, but it might be tedious adjusting it all. Actually, it would likely be easier to just leave the password in those files or some placeholder, just so you don't have to worry about missing something.


JPD
----------------------------------------------------
JPDeni's DBMan-ual
How to ask questions the smart way.
Re: [JPDeni] separate password and permission In reply to
what i've done so far is just duplicate the password file so the layouts are identical. what seems to be happening, which is baffling me, when i log in as me, instead of as admin, it gives me permission to view, add, delete and modify even though i only have permission to view and modify. i get an error if i try to add a record (unauthorized message) but i shouldn't even see the link. but if i click on Home, before i try add, i only see the correct permissions. so once i've done anything, i see the correct permissions. but at first it gives me two options i shouldn't have. the default permission is just view. any clues?
Re: [delicia] separate password and permission In reply to
I'm not completely sure I'm understanding what you're doing, so let me tell you what I think is going on.

You have DatabaseA and DatabaseB. In the footer for both databases, you have links to the various functions for both databases, like

Add to DatabaseA, View DatabaseA, Modify DatabaseA, Delete DatabaseA
Add to DatabaseB, View DatabaseB, Modify DatabaseB, Delete DatabaseB

with the permissions supposedly only showing up that the person is allowed to do.

In your password files, you have something like the following:

delicia:password:1:1:1:1:0 <--in .pass file for DatabaseA

and

delicia:password:1:0:0:1:0 <--in .pass file for DatabaseB

You're hoping to get the following in your footer:

Add to DatabaseA, View DatabaseA, Modify DatabaseA, Delete DatabaseA
View DatabaseB, Modify DatabaseB

You log on to DatabaseA and see that you have the same permissions for both databases. You select one of the functions from DatabaseB that you shouldn't have permission for and the program tells you that you don't have permission to do it -- which you already know, but the script didn't.

The problem is that when you log in to DatabaseA, all of the permissions are set and there is no way for the database to know what your permissions are for DatabaseB.

Presumably you have html.pl files for both databases, with similar html_footer subroutines. Here's what you could do. In the footer subroutine for DatabaseA, first print out the footer permissions like you have. No difference at all. Then reset the $auth_pw_file to the one that you use for DatabaseB and include the following:

Code:

($status, $uid, $per_view, $per_add, $per_del, $per_mod, $per_admin)
    = &auth_check_password;


Then print out the permissions for DatabaseB.

You'll also have to do the same thing in the html.pl file for DatabaseB. The problem is that you'll need to print out the links for DatabaseB first, meaning they'll be in different order than they are in the other html.pl file. (I have this thing about consistency.) Maybe you can just collect the permission links for DatabaseB, get the permissions for DatabaseA, print the links for DatabaseA and then print the collected links for DatabaseB. Did that make any sense at all?

If this isn't the situation you're running into, sorry. :-) I'll need just a bit more explanation of what you are wanting to do in order to get a picture.


JPD
Re: [JPDeni] separate password and permission In reply to
you are exactly right about what i want to happen! but for the moment let's forget about databaseA. when i first login to databaseB (with the more limited permissions) and i haven't logged in to databaseA yet, i'm seeing the links for databaseA -- even though i haven't yet logged into databaseA. i'm trying to get things working with just one db before i start testing the switch.
Re: [delicia] separate password and permission In reply to
So you're logging into B and you want to just see:

View B | Modify B

and instead you're seeing

| View B | Modify B | View A | Modify A |

Yes?

If you are using the same auth directory for both databases, you don't have to log into each one separately. You are logged in to both (or all, if there were three or more) at the same time. If you want separate log-ins, you'll have to have completely separate databases that don't share any files in common. Or make pretty extensive changes to the script.

Thinking of wild possibilities.... You could change the whole structure of the permission system to use a hash, using the database name. Instead of $per_view, you would use $per_view{$db_setup}. In order to do this, though, you would have to keep track of which databases had been logged into. You could probably use the temporary file that's created in the auth directory for this, so that when you logged in to a database, it would first check to see if there was an existing file. If not, it would create one and write to the file

$db_setup:1:0:1:0

(or whatever the permissions are from the .pass file for that database).

If there was a file already, it would just add another line to the file, so in our case after logging into both, it would be

DatabaseB:1:0:1:0
DatabaseA:1:1:1:1

Then, in your footers, you would say something like

print "View B" if $per_view{'DatabaseB'};

This would be quite a change to the auth.pl file, as well as every reference to permissions in the db.cgi file. I guess it's doable.


JPD
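The per-database permission hash suggested in the post above, as an added example (not code from the thread or from DBMan). The sub names, the sample rows and the "x" password placeholder are assumptions; the column layout is the .pass layout used in this thread. A user with no row in a database's file gets no permissions there.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample permission files, one per database.
# Columns: UserID:Password:View:Add:Del:Mod:Spec:Admin:Email
# "x" is a placeholder in the password column (assumption: the real
# password is checked elsewhere, against the master password file).
my %perm_files = (
    DatabaseA => <<'END',
# UserID : Password : View : Add : Del : Mod: Spec: Admin
1000:x:1:1:1:1::1:admin@example.com
1001:x:1:0:0:0:::user@example.com
END
    DatabaseB => <<'END',
1000:x:1:1:1:1::1:admin@example.com
1001:x:1:0:0:1:::user@example.com
END
);
my @FLAGS = qw(view add del mod spec admin);

# Look up one user in one database's permission file.
sub permissions_for {
    my ($file_text, $user) = @_;
    my %perm = map { $_ => 0 } @FLAGS;            # default: deny everything
    for my $line (split /\n/, $file_text) {
        next if $line =~ /^\s*(?:#|$)/;           # skip comments and blank lines
        my ($uid, undef, @cols) = split /:/, $line, -1;
        next unless $uid eq $user;                # exact userid match, any line
        @perm{@FLAGS} = map { ($_ // '') eq '1' ? 1 : 0 } @cols[0 .. $#FLAGS];
        last;
    }
    return \%perm;
}

# Build $per->{database}{flag} for every configured database.
sub load_all {
    my ($user) = @_;
    my %per;
    $per{$_} = permissions_for($perm_files{$_}, $user) for keys %perm_files;
    return \%per;
}

# Footer links for one database: only the allowed actions are listed.
sub footer_links {
    my ($per, $db) = @_;
    my %label = (view => 'View', add => 'Add', del => 'Delete', mod => 'Modify');
    my @links = map { $label{$_} . " $db" }
                grep { $per->{$db}{$_} } qw(view add del mod);
    return join ' | ', 'Home', @links;
}

my $per = load_all('1001');
print footer_links($per, $_), "\n" for sort keys %$per;
print footer_links(load_all('9999'), 'DatabaseB'), "\n";   # unknown user
```

The footer only decides which links are shown; each action handler still has to check the same hash before doing the work.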
Re: [JPDeni] separate password and permission In reply to
> So you're logging into B and you want to just see:

> View B | Modify B

> and instead you're seeing

> | View B | Modify B | View A | Modify A |

> Yes?

no. what i see is
home | view B | add B | delete B | modify B

then once i click one of the options i see what i want to see. for example if click home, i then see just home, view B and modify B. i also have another little menu to switch databases. if i click to switch to databaseA, i see the correct permissions for A. so it seems to be just the first screen that isn't reading/displaying the correct permissions.
Re: [delicia] separate password and permission In reply to
Okay. Now I got it. (I'm a bit slow sometimes. :-))

For some reason the script is pulling the permissions from the DatabaseA .pass file when you log in. Are you sure you're logging in with the correct .cfg file? The URL should be something like

.../db.cgi?db=DatabaseB

That's the only thing I can think of.


JPD
Re: [JPDeni] separate password and permission In reply to
i'm sure i'm logging in to B first because i'm typing the url (with db=databaseB) manually, not using a link initially. as i mentioned in previous post, when i switch to A, i see the correct permissions for A. and i just tested and when i switch from A back to B using the links, i see the correct permissions for B. when i first logon, the script shouldn't even know that A exists.

i see your confusion now! i told you before that you were correct about what i wanted to see. but really i don't want to see anything about A in B's footer or vice versa. all i want is the switch to other DB link.

Last edited by:

delicia: May 18, 2006, 1:56 PM
Re: [delicia] separate password and permission In reply to
You're right. It shouldn't. I'm wondering if there's something that's preventing it from looking at the permissions at all when you first log in to DatabaseB. It may not be pulling them out of A at all, but just setting everything (except admin) to 1. There's a couple of things you could try to figure it out. One would be to temporarily change the permission in the A .pass file for the user. Take out the permission to delete or something. Then log in as that user into B and see if the delete permission exists. If it doesn't, then it's using the A .pass file. If it does, then it's not using any .pass file, but there's something wonky with permissions in general.

I guess I shouldn't read and reply to posts here when I first get up in the morning. That's when my brain is especially slow. :-)


JPD
Re: [JPDeni] separate password and permission In reply to
ok, i edited my permissions for A and allowed only View. i logged into B (closed and reopened browser!) and see the same permissions -- everything but Special and Admin. so it definitely isn't reading permissions from A. would it help if i posted my auth.pl code?
Re: [delicia] separate password and permission In reply to
I'd rather not see the whole thing. I have a very hard time reading it with the forum software. (Sorry, Alex.)

When you log into A, with the fewer permissions, do you get all of them, except for admin and special?

Looks like you added a permission. That might be the problem.

Maybe you can save your auth.pl file as a .txt file and upload it to your post. That way I can see it better.


JPD
Re: [JPDeni] separate password and permission In reply to
no i see the correct permissions for A when i switch to A. no matter what i click on at the bottom, i see the correct permissions for whichever database i'm in. i just don't see the correct permissions until i have clicked on something. also, in case i forgot to mention, all the permissions have been set to 0 or null in the password file. i'll get an attachment ready!

oh, i have used the special permission for years without a problem so i don't think that's the problem either.

Last edited by:

delicia: May 18, 2006, 2:22 PM
Re: [delicia] separate password and permission In reply to
> i just don't see the correct permissions until i have clicked on something.

That's what I'm asking. If you log in to A, before you click on something, do you see the right permissions? I'm trying to figure out if it's something with DatabaseB or your whole setup.

> also, in case i forgot to mention, all the permissions have been set to 0 or null in the password file.

??? All the permissions have been set to 0? No one has permission to do anything? Or all the permissions for Special? Or ... ?


JPD
Re: [delicia] separate password and permission In reply to
now this seems really odd! i closed browser and then logged in to A first and it displayed the correct permissions for A (just view now). i compared the two pass files and i don't see any difference in the layout. i rechecked the cfg files to be sure i was calling the password and permission files correctly and identically and i am. hope you see something in auth but i am not sure that's the problem now.

A:
# UserID : Password : View : Add : Del : Mod: Spec: Admin
1001:password:1:0:0:0:::emailaddress

B:
1001:password:1:0:0:1:::emailaddress

password file:
1001:password:::::::emailaddress
Re: [delicia] separate password and permission In reply to
one more bit of info. i have chopped up the html (user friendly of course) and am using the same html file for the footer with the menu links. so the menu links are generated correctly for A but not for B and that's using the same html code for the footer!
Re: [delicia] separate password and permission In reply to
I probably won't be able to get to this until much later tonight or maybe even tomorrow. Real life calls. :-)


JPD
Re: [delicia] separate password and permission In reply to
Is there any way I could see this for myself? If you could set up an account for me in both databases, with different permissions (not that I'd do anything except view), it would really help. I would understand your not wanting to post info on the public board, but you can send it to me in a private message. I sorta feel like I'm trying to fix a watch in the dark. It's easier if I can see it myself.

If this is the sort of thing that needs to stay private, I understand and will do my best to fix the watch by feel instead of by sight. :-)

I didn't notice anything in the auth file.


JPD
Re: [delicia] separate password and permission In reply to
The problem with having to re-log in when changing galleries... That's because you're using different auth directories. The members files are in .../cgi-bin/dbtest/ and some of the gallery files are in .../cgi-bin/kdb/. They need to all be in the same directory. You're probably going to have to copy all of your files from kdb to dbtest while you do the testing. Maybe you could just have a few records in each of the .db files.

Your other problems may stem from the same thing. I noticed that when I logged into gallery, the login page was in /dbtest/, but the home page came up in /kdb/. Also, it gave me all of the permissions, instead of just View which is what I should have had. It's hard to tell, though.


JPD
Re: [JPDeni] separate password and permission In reply to
i hope it's something that simple! i had been testing on a local server instead of internet. so it may just be that i missed a path before i uploaded files for you. i will look for the problem and re-upload and see what happens. thanks.
Re: [delicia] separate password and permission In reply to
ok, i corrected the path in the other two databases. that took care of the login problem but the permission problem is still there -- just like on the local server. if i log in to xmembers first, i have wrong permission until i click something at the bottom. but if i log into xgallery first, the permissions are ok. if i login to xmaillist first, i have permission problem. xmaillist and xmember both use same password file.


update: i edited the permission file and put my record on the first line (like the one that works) and now it works. so there must be something wrong that it isn't reading the file at first or isn't recognizing the match with the userid or something. i don't know how to test the problem.

Last edited by:

delicia: May 19, 2006, 1:30 PM
Re: [delicia] separate password and permission In reply to
i think everything is working now!!! i finally noticed the code below and took out my whole section that was opening the permission file (after the password was matched) and changed the return line to the one below that calls &auth_check_permissions. now i have to work on the routines to change password, email address etc. thanks for the time you've spent helping me.

Code:

elsif ($db_uid) { # The user already has a user id given by the program.
    (-e "$auth_dir/$db_uid") ?
        return ('ok', $db_uid, &auth_check_permissions($db_uid)) :
        return ('invalid/expired user session');
}
Re: [delicia] separate password and permission In reply to
When I run the scripts on a local server I have to use the following changes in the auth.pl file to have it work correctly:


sub auth_check_password {
# --------------------------------------------------------
# This routine checks to see if the password and userid found
# in %in (must be 'pw' and 'userid') match a valid password and
# userid in the password file. It returns a status message and a
# userid which is built by a "user name" + "random number" which
# gets stored in the query string.

    my ($pass, @passwd, $userid, $pw, @permissions, $file, $uid);
#   my ($server_auth) = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};  ## change for local server
    my ($server_auth) = '';

and also:

sub auth_check_permissions {
# --------------------------------------------------------
# This routine checks the permissions file and returns the user's
# permissions. It takes as input a valid user id and returns a set
# of permissions.

    my ($userid) = shift;
    my ($username, @permissions, $permission, $name, $pw, $view, $add, $del, $mod, $admin);

# Use default permissions if there is no authentication, or if this
# is a default user and we allow default users.
    if ($auth_no_authentication || (($userid eq 'default') && $auth_allow_default)) {
        return (@auth_default_permissions);
    }

# Otherwise, check to see if we have been passed in a user id to get
# permissions for or we have one from server authentication.


#### modified for my server ########
#   if ($ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'}) {
#       $username = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};
#   }
#   else {
        ($userid =~ /^([A-Za-z0-9]+)\.\d+$/) ? ($username = $1) : return (0,0,0,0,0);

        #### added for true logoff (see admin109.txt): ####
        unlink "$auth_dir/$userid";
        open(AUTH, ">$auth_dir/$userid") or &cgierr("unable to open auth file: $auth_dir/$userid. Reason: $!\n");
        print AUTH "$userid: $ENV{'REMOTE_HOST'}\n";
        close AUTH;
        #### end true logoff ####
#   } ### commented out for local server run

# Get the permissions.


Then just keep a copy to use when posting to the internet without those changes.

Hope this helps

Unoffical DBMan FAQ

http://creativecomputingweb.com/dbman/index.shtml/