Practical Internet Groupware by Jon Udell

An Attribute-Based Authorization Script

Now we can proceed, in a portable manner, to build an access-control application that correlates docbase attributes with user attributes. Example 12-3 focuses on the part of the solution that compares a docbase attribute to a database of subscriptions.

Example 12-3. Authorizing Users by a Docbase Attribute

use strict;

use DBI;
use MIME::Base64 qw(decode_base64);                         # Basic credentials are base64-encoded

my $dbh = DBI->connect('DBI:Solid:Subscriptions','dba','dba') # connect to subs db
  or die ("connect, $DBI::errstr");

my $http_authorization_header = $ENV{HTTP_AUTHORIZATION};   # extract auth header
my $company;                                                # assumed already extracted (see text)

sub isBasicAuthUserForCompany
  {
  my ($http_authorization, $dbh) = @_;
  return 0 unless defined $http_authorization and
    $http_authorization =~ m/^Basic\s+(\S+)/i;              # isolate credentials
  my ($user, $password) =
    split (':', decode_base64($1), 2);                      # get name/pw (pw may contain ':')
  return 0 unless defined $user and defined $password;      # malformed credentials
  my ($st) =                                                # make query (placeholders, not interpolation)
   "select count(*) from cmp_users where cmp = ? and user = ?";
  return (
         isAuthenticated($user,$password) and               # authenticate (not shown)
         dbSqlReturnValue ($dbh, $st, $company, $user)      # authorize
         );
  }

sub dbSqlReturnValue
  {
  my ($dbh,$st,@bind) = @_;
  my $sth = $dbh->prepare($st);  # prepare sql
  my $value;
  $sth->execute(@bind);          # execute sql with bound parameters
  $sth->bind_col(1, \$value);    # bind result to value
  $sth->fetch;                   # fetch the row into $value
  $sth->finish;                  # finish sql
  return $value;
  }

In this fragment, $http_authorization gets the value of the CGI environment variable $ENV{HTTP_AUTHORIZATION}. This is the Authorization: header sent from a browser in response to a prior challenge issued by this (or another) script. We’ll assume that $company was extracted ...
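An added example, not from the book: a stricter parser for the Authorization: header that the fragment reads, run over constructed header values to show which ones should be rejected before any database lookup. The helper name parse_basic_auth and the sample credentials are assumptions made for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Hypothetical helper (not from the book): return (user, password) for a
# well-formed Basic Authorization header, or an empty list for anything else.
sub parse_basic_auth
  {
  my ($header) = @_;
  return unless defined $header;
  # scheme is case-insensitive; the token must be pure base64, nothing trailing
  return unless $header =~ m{^Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i;
  my $token = $1;
  return unless length($token) % 4 == 0;               # reject truncated tokens
  my $decoded = decode_base64($token);
  return if $decoded =~ /[\x00-\x1f\x7f]/;             # control chars never belong here
  # limit of 2: the password may itself contain ':'
  my ($user, $password) = split(/:/, $decoded, 2);
  return unless defined $password and length $user;    # no colon, or empty name
  return ($user, $password);
  }

# Constructed sample headers, labelled by what each one exercises.
my @samples = (
  [ 'well-formed',       'Basic ' . encode_base64('alice:s3cret', '') ],
  [ 'colon in password', 'basic ' . encode_base64('alice:a:b:c', '') ],
  [ 'no colon',          'Basic ' . encode_base64('alice', '') ],
  [ 'empty user',        'Basic ' . encode_base64(':s3cret', '') ],
  [ 'not base64',        'Basic alice:s3cret' ],
  [ 'other scheme',      'Bearer abc.def.ghi' ],
  [ 'header absent',     undef ],
);

for my $s (@samples)
  {
  my ($label, $header) = @$s;
  my @cred = parse_basic_auth($header);
  printf "%-18s %s\n", $label,
    @cred ? "user=$cred[0] password length=" . length($cred[1]) : 'rejected';
  }
```

The parser only decides whether the header is well formed; authentication and the subscription lookup still have to succeed before access is granted.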
