use strict;
use warnings FATAL => 'all';

package Apache::SWIT::Security::Session;
use base 'Apache::SWIT::Session';
use URI;
use URI::QueryParam;

sub cookie_name { return 'apache_swit_security'; }

our $Sec_Man;

sub swit_startup {
	my $class = shift;
	$class->add_class_dbi_var('user', $ENV{AS_SECURITY_USER_CLASS});
	$Sec_Man = $ENV{AS_SECURITY_MANAGER}->create;
}

sub is_uri_ok {}

sub authorize {
	my ($self, $ac, $uri, %param) = @_;
	return $self->is_uri_ok($uri, %param)
		|| $ac->check_user($self->get_user, $self->request);
}

sub is_capable {
	my ($self, $cap) = @_;
	return $Sec_Man->capability_control($cap)->check_user($self->get_user);
}

sub _is_allowed {
	my ($self, $uri, %param) = @_;
	my $ac = $Sec_Man->access_control($uri) or return 1;
	return $self->authorize($ac, $uri, %param);
}

sub is_allowed {
	my ($self, $rel_uri) = @_;
	my $uri = URI->new_abs($rel_uri, $self->request->uri);
	return $self->_is_allowed($uri->path, %{ $uri->query_form_hash });
}

sub access_handler($$) {
	my ($class, $r) =  @_;
	my $res = $class->SUPER::access_handler($r);
	my $apr = Apache2::Request->new($r);
	return $r->pnotes('SWITSession')->_is_allowed($r->uri
		, %{ $apr->param || {} }) ? $res : Apache2::Const::FORBIDDEN();
}

1;