[ic] Admin UI menu permission setting

Chris Keane chris.keane at zzgi.com
Mon Aug 4 18:44:41 UTC 2008 

I've just spent the morning digging into the admin UI menu system 
specifically looking into how the permission model works. Actually, 
specifically looking at how to exclude 2nd and 3rd level menu items 
based on advanced mm settings.

The system as built provides the ability to exclude Top level menu items 
by including an mm setting in the depends_on field. For the Top level 
items, the UI STD_HEAD takes the depends_on field and submits it to the 
menu tag as a ui_security parameter.

For 2nd and 3rd level menus, the depends_on field is sent as a 
depends_on parameter.

So, the menu depends_on field is doing kind of double duty, which is 
fine if you only want to include/exclude Top level menu items based on 
mm settings. However, I'd really like to have more flexibility over the 
2nd and 3rd level menus using mm settings AND depends_on CGI variables.

So I thought about how to accomplish that by modifying the UI_STD_HEAD 
code to do a ui_security check for each 2nd/3rd level item... and 
couldn't immediately come up with anything that wouldn't require 
changing the menu system schema by adding a security field (rather than 
using the depends_on field for double duty).

The quickest and easiest hack I could come up with was to modify Menu.pm 
  and change the depends_on sub definition to check whether we're 
passing a security request or a CGI presence check request.

It was:
-----------------------------
depends_on => sub {
     my ($row, $fields) = @_;
     return 1 if ref($fields) ne 'ARRAY';
     my $status = 1;
     for(@$fields) {
        next if ! $row->{$_};
        $status = $status && $CGI::values{$row->{$_}};

     }
     return $status;
},


Now, it's:
------------------------------
depends_on => sub {
     my ($row, $fields) = @_;
     return 1 if ref($fields) ne 'ARRAY';
     my $status = 1;
     for(@$fields) {
       next if ! $row->{$_};
       if ($row->{$_} =~ s/^security://) {
         $status = $status && Vend::Tags->if_mm('advanced', $row->{$_});
       } else {
              $status = $status && $CGI::values{$row->{$_}};
       }
     }
     return $status;
},


All it does is check if the supplied depends_on starts with 'security:' 
and if it does submits it to the UI security system rather than checking 
if the CGI variable was submitted.

I don't know if this is a reasonable approach... did I come at this from 
the wrong direction? Is there a better was to approach this problem that 
I missed?

Chris.

More information about the interchange-users mailing list