NAME

AxKit::App::TABOO::XSP::User - User information management and authorization tag library for TABOO

SYNOPSIS

Add the user: namespace to your XSP <xsp:page> tag, e.g.:

<xsp:page
     language="Perl"
     xmlns:xsp="http://apache.org/xsp/core/v1"
     xmlns:user="http://www.kjetil.kjernsmo.net/software/TABOO/NS/User"
>

Add this taglib to AxKit (via httpd.conf or .htaccess):

AxAddXSPTaglib AxKit::App::TABOO::XSP::User

DESCRIPTION

This XSP taglib provides a few tags to retrieve, set, modify and save user information, as it communicates with TABOO Data objects, particulary AxKit::App::TABOO::Data::User and <AxKit::App::TABOO::Data::User::Contributor>.

Apache::AxKit::Language::XSP::SimpleTaglib has been used to write this taglib.

Tag Reference

<store/>

It will take whatever data it finds in the Apache::Request object held by AxKit, and hand it to a new AxKit::App::TABOO::Data::User object, which will use whatever data it finds useful. It may also take newpasswd1 and newpasswd2 fields, and if they are encountered, they will be checked if they are equal and then the password will be encrypted before it is sent to the Data object. The Data object is then instructed to save itself.

<new-user/>

This tag will store the contents of an Apache::Request object in the data store, but perform little checks on the data given. The only thing it checks is that the username isn't in use and allready. Then, if the authlevel is different from 1, it is checked if the logged in user is privileged to set the authlevel.

<get-passwd username="foo"/>

This tag will return the password of a user. The username may be given in an attribute or child element named username.

<get-authlevel username="foo"/>

This tag will return the authorization level of a user, which is an integer that may be used to grant or deny access to certain elements or pages. The username may be given in an attribute or child element named username.

<get-user username="foo"/>

This tag will return and XML representation of the user information. The username may be given in an attribute or child element named username.

<password-matches>

This tag is a boolean tag, which has child elements <true> and <false>. First, it needs a username, which may be given as an attribute or a child element named username, and the cleartext password in a child element <clear>. If the password is valid, the contents of the <true> element will be included in the output document. Conversely, if it is invalid, the contents of <false> will be in the result document. For example:

      <user:password-matches>
	<user:username>foo</user:username>
	<user:clear>trustno1</user:clear>
	<user:true><p>Password is valid</p></user:true>
	<user:false><p>Password is invalid</p></user:false>
      </user:password-matches>

<exists username="foo"/>

This tag will check if a user allready exists. Like <password-matches> this tag is a boolean tag, which has child elements <true> and <false>. It takes a username, which may be given as an attribute or a child element named username, and if the user is found in the data store, the contents of <true> child element is included, otherwise, the contents of <false> is included.

<is-authorized authlevel="5" username="foo">

This is a boolean tag, which has child elements <true> and <false>. It takes an autherization level in an attribute or child element named authlevel, and an attribute or child element named username. If the authenticated user has it least this level or the given username matches the username of the authenticated user, the contents of the <true> element will be included in the output document. Conversely, if the user has insufficient privileges the contents of <false> will be in the result document.

NOTE: This should not be looked upon as a "security feature". While it is possible to use it to make sure that an input control is not shown to someone who is not authorized to modify it (and this may indeed be its primary use), a malicious user could still insert data to that field by supplying arguments in a POST or GET request. Consequently, critical data must be checked for sanity before they are passed to the Data objects. The Data objects themselves are designed to believe anything they're fed, so it is most natural to do it in a taglib before handing the data to a Data object. See e.g. the internals of the <store/> tag for an example.

<valid-authlevels/>

This returns a list of the authorization levels that the present user can legitimitely set. This is an ugly and temporary solution, I think it should be worked out elsewhere than the taglib, but I couldn't find a way to do it....

<random-password/>

Shamelessly stolen from Jörg Walter's AxKit::XSP::Auth taglib, this would generate a new random password, see his documentation for details.

TODO

Currently, <exists> checks if a user exists by checking if the real name is defined. This is likely to change in the future. Do not rely on this behaviour, but do make sure every-one has a real name!

FORMALITIES

See AxKit::App::TABOO.

1 POD Error

The following errors were encountered while parsing the POD:

Around line 462:

Non-ASCII character seen before =encoding in 'Jörg'. Assuming CP1252