Summary: The goal is to create a framework that will allow applications to work together as modules. The framework should be very lightweight, so that it's not a burden to develop to. (i.e. making compliant applications is as easy as possible) It should be as transperent as possible, allowing the applications to stand alone or to be installed next to other compliant modules as parts of a larger application. Common obstacles to these goals that this version of the spec address are: - Each application has its own set of administrators and users. - Each application has its own incompatible login and session management system. - Each application has its own administrative front door, centralizing control is difficult - Applications may name database tables in a way that conflict with each other. The specific solutions are: - A HAPI Application name space which defines a unique name for each compliant application. - Application name is a prefix to each DB table name, eliminating table naming conflicts - Schema for a centralized user database - API for compliant user authentication routines - API for registering application functionality. ------------------------ Application name space ------------------------ Each application will have its own name. Database table names, user permissions, and function registration will be keyed off this name. ------------------------ User Database ------------------------ HAPI applications must use the centralized HAPI_user table. This specifies the following fields: login pswd fname lname email Applications may define additional user attributes, keyed to the login in the HAPI_user database. Applications may create new users, with the only requirement being that they not duplicate logins. ------------------------- User Permissions ------------------------- HAPI applications must use the HAPI_permission table. This table indicated an access level for a given user (login) for a given HAPI application. The table has the following fields: login application accessLevel The access level is an integer, with 9 being the very most complete administrative access, and lower numbers indicating less access. ------------------------- Authentication and sessions ------------------------- HAPI compliance is strictest in the realm of authentication. HAPI compliant authentication must do the following: - read login and password info from the HAPI_user table - read access level information from the HAPI_permission table - create a unique session ID - write an entry in the HAPI_session table: sessionID login timeStamp - set a HAPI_session cookie with the sessionID as value - find a session in the database when appropriate (e.g. if php sessions are used for handling the session, the session initialization process should look for session info in the DB BEFORE sending user to log in, in case the user logged in to some other HAPI compliant app that does not use php sessions) ------------------------- Application Registration ------------------------- HAPI Applications may register one or more functions in the HAPI_registration table. The table has the following fields: application functionName description URL accessLevel The URL is the URL user may go to to do the function. The accesssLevel is the highest level a user may have in order to use the function (a 0 would mean only administrators could use, etc) NOTE: many applications will only support one user level (administrator) and one registered function (administrate). ---------------------------------------- Things I'd like to address in the future ---------------------------------------- Spec for the authentication module. That way applications can know what they can depend on recieving from a HAPI compliant authentication module, making these modules interchangable. HAPI user administration and application registration tools page elements: The HAPI spec could specify guidelines for presenting application-generated content to users in a web application templating system. Something like: HAPI application provides a method for generating page content, and documents the parameters to this method and a template for formatting the method's returned content. Incorporating this element into an existing page would involve editing the template for look and feel, then calling the method from in your page.