[erlang-questions] Declarative Security in Erlang

Tim Watson <>
Mon May 21 22:47:58 CEST 2012


On 21/05/2012 21:22, Andrew Berman wrote:
> Cool, thanks Tim.  I am using a before_advice since it is only 
> security.  I figured that your two suggestions are the best way to do 
> it.  As you said, passing around the user is the purest way, so I'll 
> probably just go with that method.  I like your suggestion of passing 
> in the index of the user record in the inputs.
>
> I was planning on using a gen_server and every time a function is 
> accessed it creates a new process which stores the user.  I feel like 
> this could get messy though.
>
> Thanks again for the annotations project, I love it!
>
Cool, glad you're enjoying it! So on the production code, this would 
look something like:

-requires_authorisation({user_record_index, 1}).
read_user_info(User, InfoType) ->
     db:fetch(user_info, User, InfoType).

That seems reasonable to me. If all the functions in a module place the 
user argument in the same position, it ought to be possible to annotate 
a module so that *all* exported functions are annotated - for something 
like this it'd make life easier to just say:

%%%
-module(user_db).
-include_lib("annotations/include/annotation.hrl").

-requires_authorisation([{scope, user}, {arg_index, 1}]).

%%%

In theory, that should work OOTB today, although I'm not 100% about the 
module level stuff as I've mainly focused on testing (and using) the 
function level annotations.

> --Andrew
>
> On Mon, May 21, 2012 at 1:04 PM, Tim Watson < 
> <mailto:>> wrote:
>
>     Holy crap the indentation on that post got screwed somehow. Allow
>     me to tidy up a bit.....
>
>
>     around_advice(#annotation{data={mode, pdict}}, M, F, Inputs) ->
>        case get(current_user) of
>            undefined ->
>                handle_restricted(M, F, Inputs);
>            #user{} ->
>                annotation:call_advised(M, F, Inputs)
>        end.
>
>     around_advice(#annotation{data={user_record_idx, Idx}}, M, F,
>     Inputs) ->
>        User = lists:nth(Idx, Inputs),
>        case check(User) of
>            restricted ->
>                handle_restricted(M, F, Inputs);
>            ok ->
>                annotation:call_advised(M, F, Inputs)
>        end.
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20120521/7469545e/attachment.html>


More information about the erlang-questions mailing list