You are correct on your assumptions. It's a many to many users to
accounts (a user can be attached to multiple accounts, an account can
have multiple users) and a one to one for accounts to the rest of the
objects (an object will never be attached to more than one account).
I am using URL Dispatch for my routing right now.
On 11/10/2011 02:54 PM, Joe Dallago wrote:
So just to clarify here, we have a many-to-many between Users and
Accounts, and a one to one between Accounts and RandomObjects. If
this is true then there are a few things wrong with your models.
1) Only one relationship call is necessary for a many-to-many, b/c the
backref will take care of the member variable on the second class.
2) You mentioned "access to RandomObjects that are attached to an
account", so this leads me to believe that you really mean that each
account will have multiple RandomObjects, so the uselist param is
unnecessary as it is a one-to-many or many-to-one, can't tell b/c you
didn't mention where the ForeignKeys are.
I think we need to know those things before we can solve your
problem. Either way, this case should be very doable via traversal
authorization.
On Thu, Nov 10, 2011 at 2:39 PM, John Anderson <son...@gmail.com> wrote:
I'm looking to secure my system at an object level and some of the
docs on how to do it weren't very clear to me.
I have 2 scenarios:
1. Accounts vs User, for me every user is attached to an
"Account", the account is where the billing information is at and
all the objects are attached to it rather than a User.
So my urls look like /<account_id>/<object>/<id>
So I need some way to deny their access if they aren't part of the
account.
More concrete example:
class Account(Base):
    company_name = Column(Unicode(80), unique=True, nullable=False)
    users = relation('User', secondary=account_member_table,
                     backref='account')

class User(Base):
    username = Column(Unicode(50), unique=True)
    accounts = relation('Account', secondary=account_member_table,
                        backref='user')

class RandomObject(Base):
    account = relation('Account',
                       uselist=False,
                       backref='RandomObject')
So I want to make sure User only has access to RandomObjects that
are attached to an account he's a member of.
2. The second scenario is things that are specifically owned by a
certain User (their profile for instance).
Basically the same problem with the account but for objects owned
by a specific user.
--
You received this message because you are subscribed to the Google
Groups "pylons-discuss" group.
To post to this group, send email to
pylons-discuss@googlegroups.com
<mailto:pylons-discuss@googlegroups.com>.
To unsubscribe from this group, send email to
pylons-discuss+unsubscr...@googlegroups.com
<mailto:pylons-discuss%2bunsubscr...@googlegroups.com>.
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.
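
Both scenarios from the original question (objects reachable only by members of the owning account, and objects owned by one user) expressed as per-object ACLs, as an added example that is not code from the thread or from Pyramid. It uses only the standard library: the constants copy the string values Pyramid uses for Allow, Deny and Everyone, while `permits`, `can_access`, the `user:<id>` principal format and the sample data are assumptions made for the illustration.

```python
# Added example, stdlib only: follows Pyramid's ACL conventions without importing Pyramid.
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"   # same string values as pyramid.security.Allow / Deny
EVERYONE = "system.Everyone"    # same value as pyramid.security.Everyone
ALL = object()                  # stand-in for pyramid.security.ALL_PERMISSIONS

@dataclass
class Account:
    id: int
    member_ids: set = field(default_factory=set)  # users attached to this account

@dataclass
class RandomObject:
    id: int
    account: Account            # an object is attached to exactly one account
    @property
    def __acl__(self):
        # Scenario 1: every member of the owning account may view and edit.
        members = sorted(self.account.member_ids)
        aces = [(ALLOW, f"user:{uid}", ("view", "edit")) for uid in members]
        return aces + [(DENY, EVERYONE, ALL)]

@dataclass
class Profile:
    owner_id: int
    @property
    def __acl__(self):
        # Scenario 2: only the owning user gets access.
        return [(ALLOW, f"user:{self.owner_id}", ("view", "edit")), (DENY, EVERYONE, ALL)]

def permits(context, principals, permission):
    """First matching ACE wins; no match means deny (hypothetical helper)."""
    for action, principal, perms in context.__acl__:
        if principal in principals and (perms is ALL or permission in perms):
            return action == ALLOW
    return False

def can_access(objects, user_id, account_id, object_id, permission="view"):
    """Check a request for /<account_id>/<object>/<id> made by user_id."""
    obj = objects.get(object_id)
    # The object must belong to the account named in the URL, not just exist.
    if obj is None or obj.account.id != account_id:
        return False
    return permits(obj, {EVERYONE, f"user:{user_id}"}, permission)

# Constructed sample data: user 11 belongs to both accounts.
ACME, GLOBEX = Account(1, {10, 11}), Account(2, {11, 12})
OBJECTS = {100: RandomObject(100, ACME), 200: RandomObject(200, GLOBEX)}
```

The trailing deny-everything entry makes the default explicit, so a permission that no member entry grants is refused at the object rather than falling through to a parent resource.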