Krang::CGI - Krang base class for CGI modules
package Krang::CGI::SomeSuch; use Krang::ClassLoader base => 'CGI';
sub setup {
my $self = shift;
$self->start_mode('status');
$self->run_modes(status => \&status);
}
sub status {
my $self = shift;
my $query = $self->query;
# ...
}
Krang::CGI is a subclass of CGI::Application. All the usual CGI::Application features are available.
See CGI::Application.
Some additional methods are provided:
The name of the script making the request. This is useful if you need to set the target actions for requests that might come from various places.
User authentication is handled by Krang::Handler. But for authoriztion, Krang::Handler assumes that any valid user is also authorized to perform every action and leaves module and run-mode authorization up to the individual modules. A simple mechanism is provided by this base class to add this protection.
To restrict an entire module to only users with given permissions, simply
use the PACKAGE_PERMISSIONS param() in either the init stage,
or through new() . For instance, user.pl contains:
my $app = pkg('CGI::User')->new(
PARAMS => {
PACKAGE_PERMISSIONS => [qw(admin_users admin_users_limited)],
}
)->run();
This means that only users with either the admin_users or
admin_users_limited permissions will be access to the entire script.
You can also protect on asset permissions:
my $app = pkg('CGI::Story')->new(
PARAMS => {
PACKAGE_ASSETS => { story => [qw(read-only edit)] },
}
)->run();
Protecting a run mode is similar to protecting an entire module. Simple
use the RUNMODE_PERMISSIONS param. The main difference is that
PACKAGE_PERMISSIONS takes an arrayref, and RUNMODE_PERMISSIONS
takes a hashref. The keys of this hash are the names of the run modes. The
values are arrayrefs containing the permissions needed.
So to add run mode level protection to publisher to protect the
publish_* run modes, we need something like this:
my $app = pkg('CGI::Publisher')->new(
PARAMS => {
RUNMODE_PERMISSIONS => {
publish_story => [qw(may_publish)],
publish_story_list => [qw(may_publish)],
publish_assets => [qw(may_publish)],
publish_media => [qw(may_publish)],
},
},
)->run();
and you can also protect based on asset permissions:
my $app = pkg('CGI::Story')->new(
PARAMS => {
PACKAGE_ASSETS => { story => [qw(read-only edit)] },
RUNMODE_ASSETS => {
new_story => { story => ['edit'] },
create => { story => ['edit'] },
edit => { story => ['edit'] },
checkout_and_edit => { story => ['edit'] },
check_in => { story => ['edit'] },
revert => { story => ['edit'] },
delete => { story => ['edit'] },
delete_selected => { story => ['edit'] },
checkout_selected => { story => ['edit'] },
checkin_selected => { story => ['edit'] },
delete_categories => { story => ['edit'] },
add_category => { story => ['edit'] },
set_primary_category => { story => ['edit'] },
copy => { story => ['edit'] },
db_save => { story => ['edit'] },
db_save_and_stay => { story => ['edit'] },
save_and_jump => { story => ['edit'] },
save_and_add => { story => ['edit'] },
save_and_publish => { story => ['edit'] },
save_and_view => { story => ['edit'] },
save_and_view_log => { story => ['edit'] },
save_and_edit_contribs => { story => ['edit'] },
save_and_edit_schedule => { story => ['edit'] },
save_and_go_up => { story => ['edit'] },
save_and_bulk_edit => { story => ['edit'] },
save_and_leave_bulk_edit => { story => ['edit'] },
save_and_change_bulk_edit_sep => { story => ['edit'] },
save_and_find_story_link => { story => ['edit'] },
save_and_find_media_link => { story => ['edit'] },
},
}
)->run();
Please see Krang Permissions System for more information on the different permissions available.
This base class provides four runmodes:
This runmode logs an unauthorized access attempt and passes $msg to
$pkg-redirect_to_login($msg)>.
If not provided, the message defaults to You do not have permissions
to access that portion of the site.
This runmode deletes the user's session and redirects to the login screen, where $msg will be shown.
This runmode redirects the user to his or her workspace. Optionally passing a message to be displayed when they get there.
Returns object to the state it was in previous to Edit (though a new version may have been written to disk via Save & Stay)
The following methods are also provided to help with common tasks:
The name of the script being run.
Tell the Front-End UI that whatever action we just took could alter the Navigation of the current user, so it should update the Navigation after this request.
Add a parameter to the given URL (reference)
$self->add_to_query(\$uri, "ajax=$ajax")
Return any messages or alerts that were added via Krang::Message as JSON request body. Any extra parameters passed in will be part of the JSON data structure returned.
return $self->json_messages();
return $self->json_messages(success => 1);