Tree::Authz is an inheritance-based authorization scheme.
SYNOPSIS
use Tree::Authz;
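# Role tree: each key is a role and its array names the roles directly
# beneath it. Judging by the expected output listed for this synopsis, a
# role gains the permissions of the roles below it (superuser ends up with
# every permission that spies and citizens hold).
my $roles = {
    superuser   => [ qw( spymasters politicians ) ],
    spymasters  => [ qw( spies moles ) ],
    spies       => [ 'informants' ],
    informants  => [ 'base' ],
    moles       => [ 'base' ],
    politicians => [ 'citizens' ],
    citizens    => [ 'base' ],
};

# NOTE(review): 'SpyLand' is presumably a namespace for the generated role
# classes -- confirm against the setup_hierarchy documentation.
my $authz = Tree::Authz->setup_hierarchy( $roles, 'SpyLand' );

# Fetch the role objects that are exercised below.
my $superuser = $authz->role( 'superuser' );
my $spies     = $authz->role( 'spies' );
my $citizens  = $authz->role( 'citizens' );
my $base      = $authz->role( 'base' );

# Grant named permissions; setup_permissions is called here with either an
# array reference or a single name.
# NOTE(review): nothing in $roles places citizens beneath spies, yet the
# expected output listed for this synopsis shows spies can 'vote' --
# confirm whether that is a documentation slip or real behaviour before
# relying on isolation between branches of the tree.
$spies   ->setup_permissions( [ qw( read_secrets wear_disguise ) ] );
$citizens->setup_permissions( 'vote' );
$base    ->setup_permissions( 'breathe' );

# Authorization check: can() returns a true value when the role may perform
# the named action.
#   - 'spy' / 'spies' are the singular and plural of a role name, which every
#     role authorizes automatically for itself.
#   - superuser->can() returns a coderef for ANY name, including ones that
#     were never granted ('unspecified_ability'), so a misspelled permission
#     name is not caught when it is checked against superuser.
#   - base->can() always returns undef, even for 'breathe' granted above.
#   - 'can' is a method name, not a permission; the expected output reports it
#     as allowed for every role except base, which suggests that a can()-based
#     check also succeeds for ordinary method names on the role object. Keep
#     permission names distinct from method names -- TODO confirm.
foreach my $role ( $superuser, $spies, $citizens, $base ) {
    foreach my $ability ( qw( unspecified_ability
                              spy
                              spies
                              read_secrets
                              wear_disguise
                              vote
                              breathe
                              can ) ) {
        if ( $role->can( $ability ) ) {
            # "\n" restored: the page had lost the backslash and printed a
            # literal 'n' after the closing quote.
            print "$role can '$ability'\n";
        }
        else {
            print "$role cannot '$ability'\n";
        }
    }
}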
# prints:
superuser can 'unspecified_ability' # superpowers!
superuser can 'spy'
superuser can 'spies'
superuser can 'read_secrets'
superuser can 'wear_disguise'
superuser can 'vote'
superuser can 'breathe'
superuser can 'can'
spies cannot 'unspecified_ability'
spies can 'spy'
spies can 'spies'
spies can 'read_secrets'
spies can 'wear_disguise'
spies can 'vote'
spies can 'breathe'
spies can 'can'
citizens cannot 'unspecified_ability'
citizens cannot 'spy'
citizens cannot 'spies'
citizens cannot 'read_secrets'
citizens cannot 'wear_disguise'
citizens can 'vote'
citizens can 'breathe'
citizens can 'can'
base cannot 'unspecified_ability'
base cannot 'spy'
base cannot 'spies'
base cannot 'read_secrets'
base cannot 'wear_disguise'
base cannot 'vote'
base cannot 'breathe' # !
base cannot 'can' # !!
# Roles (the nodes of the tree) can carry code as well as permissions.
# setup_abilities() registers $coderef on the spies role under the name
# read_secret; it is then invoked as a method on the role object.
$spies->setup_abilities( 'read_secret', $coderef );
print( $spies->read_secret('/path/to/secret/file') );

# setup_plugins() is given a package name; fly() below is then
# My::Spies::Skills::fly.
# NOTE(review): subs from the plugin package become callable on the role, so
# the package name should come from trusted configuration rather than from
# request data -- confirm how setup_plugins loads the package.
$spies->setup_plugins('My::Spies::Skills');
$spies->fly($jet);    # My::Spies::Skills::fly
A class for an inheritable, role-based permissions system (Role-Based Access Control, RBAC).
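Custom methods can be placed on role objects. Authorization can be performed either by checking whether the role name matches the required name, or by testing (via can) whether the role can perform the required method. Note that the synopsis output reports 'can' itself as an ability of every role except base, which suggests that a can-based check also succeeds for ordinary method names on the role object; permission names should therefore not collide with method names.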
Two roles are specified by default. At the top, superusers can do anything ($superuser->can( $action ) always returns a coderef). At the bottom, the base role can do nothing ($base->can( $action ) always returns undef).
All roles are automatically capable of authorizing actions named for the singular and plural of the role name.
Requirements:
· Perl