Using DENY is handy for stuff like enforcing not being able to "like" your 
own posts.

On Tuesday, March 6, 2012 4:50:30 AM UTC-5, Daniel Nouri wrote:
>
> On Tue, Mar 6, 2012 at 2:24 AM, Mike Orr <sluggos...@gmail.com> wrote:
> > OK. Any tips for attaching an ACL to them? Especially in the case
> > where permissions are record-specific. For instance, I have a
> > situation where one group can view and edit all records, another group
> > can only view, a third set of users (not a group) can view/edit only
> > this record or a few records, and a fourth set of users can view this
> > record or a few records but not edit them. Would I just specify:
> >
> >   [(ALLOW, "g:manager1", "view"),
> >    (ALLOW, "g:manager1", "edit"),
> >    (ALLOW, "g:manager2", "view"),
> >    (ALLOW, "user1", "view"),    #... user2, user3 ...
> >    (ALLOW, "user1", "edit"),    # ... user2, user3...
> >    (ALLOW, "user4", "view"),   # ... user5, user6..
> >    ].
>
> For those groups (and users) that have permissions globally ("can
> view/edit all records"), you can put the entries at the root.  With
> the standard ACLAuthorizationPolicy, it'll get inherited down the
> traversal path to all children records:
>
> root.__acl__ = [
>     (ALLOW, "g:manager1", "view"),
>     (ALLOW, "g:manager1", "edit"),
>     (ALLOW, "g:manager2", "view"),
> ]
>
> The entries that control access to individual records are attached to
> exactly those instances:
>
> bobsfolder.__acl__ = [(ALLOW, "bob", ("view", "edit"))]
>
> > How do these interact with the permission arg in the view
> > configuration, and with the strings coming from the authenticator?
>
> The authenticator will provide user and group names like "bob" and
> "g:manager2".  The view permissions correspond to "view" and "edit"
> here.
>
> > What does a DENY element mean, and how does it interact with the view
> > config?  Does ALLOW mean this permission string is included, and deny
> > means it's excluded? So the permission arg causes a check whether that
> > string is excluded? Why would you need DENY at all then if the default
> > is deny?
>
> I haven't ever used DENY, but I suppose it's useful for when you want
> to take away permissions down the path.  Imagine if Bob wanted his
> home folder not to be readable by "g:manager2", he could use a "deny"
> ACE to block the inheritance.
>
>
> -- 
> http://danielnouri.org
>
>
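
Added example, not part of the thread and not Pyramid's own code: a simplified model of the first-match lookup that ACLAuthorizationPolicy performs up the `__parent__` chain. It shows the inherited root entries, a DENY that blocks inheritance on Bob's folder, and a DENY placed ahead of a group ALLOW for the "like" case. The `Resource` class, the `permits` function, the `g:members` group and the `post` resource are assumptions made for illustration.

```python
ALLOW, DENY = "Allow", "Deny"  # stand-ins for pyramid.security.Allow / Deny


class Resource:
    """Node in a traversal tree; __parent__ links it to its container."""

    def __init__(self, name, parent=None, acl=None):
        self.__name__ = name
        self.__parent__ = parent
        if acl is not None:
            self.__acl__ = acl


def permits(context, principals, permission):
    """Walk from context up to the root; the first matching ACE decides."""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", ()):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == ALLOW
        node = node.__parent__
    return False  # no ACE matched anywhere on the path: default deny


# Constructed sample tree, following the ACLs discussed in the thread.
root = Resource("", acl=[
    (ALLOW, "g:manager1", ("view", "edit")),
    (ALLOW, "g:manager2", "view"),
])
records = Resource("records", root)  # no __acl__ of its own: inherits root's
bobsfolder = Resource("bob", root, acl=[
    (DENY, "g:manager2", "view"),    # checked before root's ALLOW is reached
    (ALLOW, "bob", ("view", "edit")),
])
post = Resource("post1", bobsfolder, acl=[
    (DENY, "bob", "like"),           # owner entry must precede the group ALLOW
    (ALLOW, "g:members", "like"),
])

if __name__ == "__main__":
    for ctx, who, perm in [
        (records, ["alice", "g:manager2"], "view"),
        (bobsfolder, ["alice", "g:manager2"], "view"),
        (post, ["bob", "g:members"], "like"),
        (post, ["dave", "g:members"], "like"),
    ]:
        print(ctx.__name__, who, perm, permits(ctx, who, perm))
```

Because the first match wins, a user who is in both `g:manager1` and `g:manager2` is also denied "view" on Bob's folder; order the ACEs with that in mind.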
