[tbnl-devel] Authorized pages
Edi Weitz
edi at agharta.de
Tue Aug 10 13:21:41 UTC 2004
On 10 Aug 2004 14:27:28 +0200, d95-bli at nada.kth.se (Björn Lindberg) wrote:
> First I'd like to say that TBNL looks really nice, and replaces much
> of what I have been trying to do lately on my own.
Thanks.
> I have a question regarding authorization; the goal of having
> authorization is to provide restricted access to a set of pages. The
> example in test.lisp only gives access to one page, which is the one
> generated by the authorization-page function itself.
>
> How would I go about using authorization to restrict access to a set
> of pages, perhaps even including static ones? Should I set it up so
> that a prefix of the URIs of that set always leads to a handler
> which calls authorization? In that case, what would such a handler
> look like?
TBNL currently doesn't have code to automate that. You can, of course,
use Apache's facilities and ignore TBNL. Or you might want to do
something like this (untested):

  ;; Runs BODY only when AUTHORIZER accepts the user and password sent
  ;; with the request; otherwise asks the client to authenticate.
  (defmacro with-authorization ((authorizer) &body body)
    (with-unique-names (user password)
      `(multiple-value-bind (,user ,password)
           (authorization)
         (cond ((funcall ,authorizer ,user ,password)
                ,@body)
               (t
                (require-authorization))))))

  ;; Example authorizer with one fixed user/password pair.
  (defun my-authorizer (user password)
    (and (string= user "foo")
         (string= password "bar")))

and then

  (defun page ()
    (with-authorization (#'my-authorizer)
      (with-html
        (:html
         (:head (:title "Blabla"))
         (:body "More bla")))))

Another option would be to let the first dispatcher in the list of
dispatchers do the following:
1. If URL doesn't need authorization just return NIL so the next
dispatcher has its turn.
2. If URL needs authorization and user is authorized also return
NIL.
3. Otherwise dispatch to a fixed handler which just calls
REQUIRE-AUTHORIZATION.
Does that help?
Cheers,
Edi.
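
Added example, not part of the message above and not TBNL's own code: the three-step dispatcher option written out in Common Lisp. It assumes SCRIPT-NAME and AUTHORIZATION accept the request object, that *DISPATCH-TABLE* is the list of dispatchers, and that MY-AUTHORIZER from the message is loaded; the prefixes and the names NEEDS-AUTHORIZATION-P, AUTHORIZATION-REQUIRED-HANDLER and AUTHORIZATION-DISPATCHER are hypothetical.

```lisp
;; Hypothetical URL prefixes to protect.  The trailing slash keeps
;; "/private/" from also matching an unrelated path like "/privateer".
(defparameter *protected-prefixes* '("/private/" "/admin/"))

(defun needs-authorization-p (path)
  "True if PATH starts with one of *PROTECTED-PREFIXES*."
  (some (lambda (prefix)
          (let ((end (length prefix)))
            (and (>= (length path) end)
                 (string= prefix path :end2 end))))
        *protected-prefixes*))

(defun authorization-required-handler ()
  "Fixed handler for step 3: just asks the client to authenticate."
  (require-authorization))

(defun authorization-dispatcher (request)
  "Gate dispatcher; returning NIL hands the request to the next dispatcher."
  (let ((path (script-name request)))   ; assumed to accept the request
    (cond
      ;; 1. URL doesn't need authorization: next dispatcher has its turn.
      ((not (needs-authorization-p path)) nil)
      ;; 2. URL needs authorization and the user is authorized: also NIL.
      ;;    The NIL checks matter because STRING= accepts symbols, so a
      ;;    request without credentials would be compared as "NIL".
      ((multiple-value-bind (user password)
           (authorization request)      ; assumed to accept the request
         (and user password (my-authorizer user password)))
       nil)
      ;; 3. Otherwise dispatch to the fixed handler.
      (t #'authorization-required-handler))))

;; The gate must be the first entry so no later dispatcher sees a
;; protected URL before it has been checked.
(push #'authorization-dispatcher *dispatch-table*)
```

The gate covers only requests that reach TBNL's dispatchers; static files that Apache serves directly still need Apache's own access control.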