Hi all, I'm trying to work out how I should add security to a web interface to a database. I'm using Pylons with SQLAlchemy and have simple authentication working with AuthKit.
I haven't seen anyone talking about these issues; all the examples seem to indicate that security can be done simply by restricting method access. But a lot of the permission logic I am dealing with is quite complex, and it would also be nice to be able to reuse my model without a new interface having to reimplement the security.

Within my model I have a layer of functions which perform operations on the basic model objects. My feeling is that pretty much all the security checks should go in this layer. However, this doesn't work, since mapped objects are returned to the controller, which is free to modify them directly. There is also no way to restrict which attributes of an object the controller/view can access.

What is the best practice here? Should the model functions return new (unmapped) objects with just the permissible attributes, rather than returning the mapped objects directly? Can anyone direct me to any useful documents?

Thanks,
Graham
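The pattern the post floats (permission checks in the model-layer functions, which hand the controller a read-only copy holding only the permitted attributes instead of the live mapped object), as an added example; this is not Graham's code nor anything from Pylons, SQLAlchemy or AuthKit. To run without a database it uses a plain `Account` class in place of a mapped object and an in-memory dict in place of a session; the `User`/`Account` shape, the "auditor" role, the field policy and the sample rows are all constructed assumptions.

```python
from dataclasses import dataclass, FrozenInstanceError
from typing import Dict, FrozenSet, Optional


class PermissionDenied(Exception):
    """Raised by the model layer when the caller may not perform an operation."""


class Account:
    """Stand-in for a mapped ORM object (assumption: plain class, no SQLAlchemy).
    Anything holding a reference to it can mutate it, which is the problem."""

    def __init__(self, id: int, owner_id: int, email: str, balance: int, ssn: str) -> None:
        self.id = id
        self.owner_id = owner_id
        self.email = email
        self.balance = balance
        self.ssn = ssn


@dataclass(frozen=True)
class User:
    id: int
    roles: FrozenSet[str]


@dataclass(frozen=True)
class AccountView:
    """Read-only snapshot given to the controller. Attributes the caller may
    not see are left as None; frozen=True makes assignment raise."""
    id: int
    email: str
    balance: Optional[int] = None
    ssn: Optional[str] = None


# Assumed policy (not from the post): the owner sees everything, an auditor
# sees the balance but not the SSN, anyone else is refused outright.
OWNER_FIELDS = frozenset({"id", "email", "balance", "ssn"})
AUDITOR_FIELDS = frozenset({"id", "email", "balance"})


def readable_fields(user: User, account: Account) -> FrozenSet[str]:
    if user.id == account.owner_id:
        return OWNER_FIELDS
    if "auditor" in user.roles:
        return AUDITOR_FIELDS
    raise PermissionDenied(f"user {user.id} may not read account {account.id}")


def _load(db: Dict[int, Account], account_id: int) -> Account:
    try:
        return db[account_id]
    except KeyError:
        # Same error as a denied read, so a caller cannot probe which ids exist.
        raise PermissionDenied(f"account {account_id} unavailable") from None


def get_account(user: User, account_id: int, db: Dict[int, Account]) -> AccountView:
    """Model-layer read: check permission, then copy only the permitted attributes."""
    account = _load(db, account_id)
    fields = readable_fields(user, account)
    return AccountView(
        id=account.id,
        email=account.email,
        balance=account.balance if "balance" in fields else None,
        ssn=account.ssn if "ssn" in fields else None,
    )


def update_email(user: User, account_id: int, new_email: str, db: Dict[int, Account]) -> AccountView:
    """Model-layer write: the only code path that touches the mapped object."""
    account = _load(db, account_id)
    if user.id != account.owner_id:
        raise PermissionDenied(f"user {user.id} may not modify account {account.id}")
    if "@" not in new_email:
        raise ValueError("invalid email address")
    account.email = new_email
    return get_account(user, account_id, db)


def controller_cannot_mutate(view: AccountView) -> bool:
    """Shows what a controller holding a view can (not) do: assignment fails,
    and since the view is a copy, the stored row is never affected."""
    try:
        view.email = "attacker@example.com"
    except FrozenInstanceError:
        return True
    return False


def sample_db() -> Dict[int, Account]:
    """Constructed sample data for the example."""
    return {1: Account(1, owner_id=10, email="owner@example.com", balance=250, ssn="000-00-0000")}


if __name__ == "__main__":
    db = sample_db()
    print(get_account(User(10, frozenset()), 1, db))
    print(get_account(User(20, frozenset({"auditor"})), 1, db))
```

Because `AccountView` is a detached copy, a second interface (an API, a batch job) that calls `get_account` and `update_email` gets the same checks for free, which is the reuse the post asks about. The cost is one view class per exposed model and the discipline to make the model-layer functions the only code that ever receives a mapped object.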
