On Tue, Mar 6, 2012 at 2:24 AM, Mike Orr <sluggos...@gmail.com> wrote:
> OK. Any tips for attaching an ACL to them? Especially in the case
> where permissions are record-specific. For instance, I have a
> situation where one group can view and edit all records, another group
> can only view, a third set of users (not a group) can view/edit only
> this record or a few records, and a fourth set of users can view this
> record or a few records but not edit them. Would I just specify:
>
>   [(ALLOW, "g:manager1", "view"),
>    (ALLOW, "g:manager1", "edit"),
>    (ALLOW, "g:manager2", "view"),
>    (ALLOW, "user1", "view"),    # ... user2, user3 ...
>    (ALLOW, "user1", "edit"),    # ... user2, user3 ...
>    (ALLOW, "user4", "view"),    # ... user5, user6 ...
>    ].

For those groups (and users) that have permissions globally ("can
view/edit all records"), you can put the entries at the root.  With
the standard ACLAuthorizationPolicy, it'll get inherited down the
traversal path to all children records:

root.__acl__ = [
    (ALLOW, "g:manager1", "view"),
    (ALLOW, "g:manager1", "edit"),
    (ALLOW, "g:manager2", "view"),
]

The entries that control access to individual records are attached to
exactly those instances:

bobsfolder.__acl__ = [(ALLOW, "bob", ("view", "edit"))]

> How do these interact with the permission arg in the view
> configuration, and with the strings coming from the authenticator?

The authenticator will provide user and group names like "bob" and
"g:manager2".  The view permissions correspond to "view" and "edit"
here.

> What does a DENY element mean, and how does it interact with the view
> config?  Does ALLOW mean this permission string is included, and deny
> means it's excluded? So the permission arg causes a check whether that
> string is excluded? Why would you need DENY at all then if the default
> is deny?

I haven't ever used DENY, but I suppose it's useful for when you want
to take away permissions down the path.  Imagine if Bob wanted his
home folder not to be readable by "g:manager2", he could use a "deny"
ACE to block the inheritance.


-- 
http://danielnouri.org
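To make the inheritance and DENY behaviour described above concrete, here is an added stand-alone example (not code from the thread or from Pyramid itself) that re-implements the first-matching-ACE rule of Pyramid's ACLAuthorizationPolicy: walk from the context up through `__parent__` to the root, and the first ACE whose principal and permission match decides the outcome, with deny as the default. The `Resource` class, the `permits` helper and the principal sets are assumptions of this example; the root ACL and Bob's folder come from the thread, plus a DENY ACE on Bob's folder to show it blocking the inherited "view" for "g:manager2".

```python
# ACE actions as spelled in the thread; in real Pyramid these are
# pyramid.security.Allow / Deny (this is a re-implementation, not Pyramid).
ALLOW = "Allow"
DENY = "Deny"


class Resource:
    """Minimal traversal node (assumed): __parent__ links form the lineage."""
    def __init__(self, name, parent=None, acl=None):
        self.__name__ = name
        self.__parent__ = parent
        if acl is not None:
            self.__acl__ = acl


def lineage(resource):
    """Yield the resource, then each ancestor up to the root."""
    while resource is not None:
        yield resource
        resource = getattr(resource, "__parent__", None)


def permits(context, principals, permission):
    """First matching ACE wins, searched from context up to the root.
    Nothing matching means deny, as with ACLAuthorizationPolicy."""
    for node in lineage(context):
        for action, principal, perms in getattr(node, "__acl__", ()):
            if isinstance(perms, str):      # a single permission or a tuple
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == ALLOW
    return False


# Constructed sample tree: the root ACL from the thread, and Bob's folder,
# which grants Bob view/edit and blocks the inherited "view" for g:manager2.
root = Resource("", acl=[
    (ALLOW, "g:manager1", "view"),
    (ALLOW, "g:manager1", "edit"),
    (ALLOW, "g:manager2", "view"),
])
bobsfolder = Resource("bob", parent=root, acl=[
    (DENY, "g:manager2", "view"),
    (ALLOW, "bob", ("view", "edit")),
])
# Principal sets as an authentication policy would supply them (assumed).
MANAGER2 = {"alice", "g:manager2"}
BOB = {"bob"}

if __name__ == "__main__":
    print(permits(root, MANAGER2, "view"))        # True: root ACE inherited
    print(permits(bobsfolder, MANAGER2, "view"))  # False: DENY blocks it
    print(permits(bobsfolder, BOB, "edit"))       # True: record-specific ACE
    print(permits(bobsfolder, BOB, "delete"))     # False: default deny
```

Note that the DENY only works because it sits on the child and is found before the root's ALLOW; order within one `__acl__` matters the same way.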