Dispatch-based approach
Opinions: I want to prevent direct access to certain scripts that have functionality accessible from the menu via the Internet at the OS level (Linux).
I was hoping to call an authorize.pl script that validates the session, checks for user rights, etc. Then it redirects to the target script.
Is this bypass permissions? Can I restrict execution on target scripts to public, but set target scripts available to the group to which I belong authorize.pl
? Does this reflect current practice?
If you plan to redirect to target scripts that belong to the authorize.pl group it doesn't matter, the scripts must be executed by the web server user.
Why do you want to do this at the OS level? Plain old session based authorization where validation is done in every script is standard practice.
Instead of calling authorize.pl and redirecting to the target, create a module called Authorization.pm and use it in every script, call the validation function first. This function will redirect to the login page (or take another appropriate action) if the appropriate credentials are missing.
Something along the lines
use Authorize qw{validate}; #Your module
use CGI::Session;
use strict;
use warnings;
my $sess = new CGI::Session();
validate($sess->param('user_token'));
#Unreachable code if session is empty or invalid
#Rest of the code ...
source to share
We thought (1) that we could precompile the authorization script for speed, (2) we could optionally block script requests with a database function to improve security. But I can see what you say, permissions must be set to User Execute for the script to communicate with the client: when the location redirect is printed to the user, allowing the client browser to request the target script.