Using DENY is handy for stuff like enforcing not being able to "like" your own posts.
On Tuesday, March 6, 2012 4:50:30 AM UTC-5, Daniel Nouri wrote:
>
> On Tue, Mar 6, 2012 at 2:24 AM, Mike Orr <sluggos...@gmail.com> wrote:
> > OK. Any tips for attaching an ACL to them? Especially in the case
> > where permissions are record-specific. For instance, I have a
> > situation where one group can view and edit all records, another group
> > can only view, a third set of users (not a group) can view/edit only
> > this record or a few records, and a fourth set of users can view this
> > record or a few records but not edit them. Would I just specify:
> >
> > [(ALLOW, "g:manager1", "view"),
> > (ALLOW, "g:manager1", "edit"),
> > (ALLOW, "g:manager2", "view"),
> > (ALLOW, "user1", "view"), #... user2, user3 ...
> > (ALLOW, "user1", "edit"), # ... user2, user3...
> > (ALLOW, "user4", "view"), # ... user5, user6..
> > ].
>
> For those groups (and users) that have permissions globally ("can
> view/edit all records"), you can put the entries at the root. With
> the standard ACLAuthorizationPolicy, it'll get inherited down the
> traversal path to all children records:
>
> root.__acl__ = [
>     (ALLOW, "g:manager1", "view"),
>     (ALLOW, "g:manager1", "edit"),
>     (ALLOW, "g:manager2", "view"),
> ]
>
> The entries that control access to individual records are attached to
> exactly those instances:
>
> bobsfolder.__acl__ = [(ALLOW, "bob", ("view", "edit"))]
>
> > How do these interact with the permission arg in the view
> > configuration, and with the strings coming from the authenticator?
>
> The authenticator will provide user and group names like "bob" and
> "g:manager2". The view permissions correspond to "view" and "edit"
> here.
>
> > What does a DENY element mean, and how does it interact with the view
> > config? Does ALLOW mean this permission string is included, and deny
> > means it's excluded? So the permission arg causes a check whether that
> > string is excluded? Why would you need DENY at all then if the default
> > is deny?
>
> I haven't ever used DENY, but I suppose it's useful for when you want
> to take away permissions down the path. Imagine if Bob wanted his
> home folder not to be readable by "g:manager2", he could use a "deny"
> ACE to block the inheritance.
>
>
> --
> http://danielnouri.org
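
The two DENY uses mentioned in this thread (blocking an inherited grant on Bob's folder, and stopping an author from "liking" their own post) can be seen in a small stand-alone model of the ACL walk. This is an added example, not code from any of the posters or from Pyramid itself; it models the lookup order of the standard ACLAuthorizationPolicy (first matching ACE wins, searched from the context up through its parents, no match means deny), and the `Resource` class, `permits` function, the `like` permission wiring, and the `alicesfolder`, `post`, `misordered` and `g:members` names are assumptions made for illustration.

```python
# Simplified, dependency-free model of the ACL walk discussed in the thread.
ALLOW, DENY = "Allow", "Deny"  # stand-ins for the thread's ALLOW / DENY


class Resource:
    """Hypothetical traversal node: optional __acl__, link to its parent."""

    def __init__(self, name, parent=None, acl=None):
        self.__name__, self.__parent__ = name, parent
        if acl is not None:
            self.__acl__ = acl


def permits(context, principals, permission):
    """Return (allowed, deciding_ace); (False, None) is the default deny."""
    node = context
    while node is not None:  # context first, then each ancestor
        for ace in getattr(node, "__acl__", ()):
            action, principal, perms = ace
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == ALLOW, ace  # first match decides
        node = node.__parent__
    return False, None


# Constructed sample tree, reusing the principals named in the thread.
root = Resource("root", acl=[
    (ALLOW, "g:manager1", ("view", "edit")),
    (ALLOW, "g:manager2", "view"),
])
alicesfolder = Resource("alicesfolder", root)  # no ACL: inherits from root
bobsfolder = Resource("bobsfolder", root, acl=[
    (DENY, "g:manager2", "view"),  # blocks the grant inherited from root
    (ALLOW, "bob", ("view", "edit")),
])
post = Resource("post", bobsfolder, acl=[
    (DENY, "bob", "like"),  # author may not like their own post
    (ALLOW, "g:members", "like"),
])
misordered = Resource("misordered", bobsfolder, acl=[
    (ALLOW, "g:members", "like"),  # matches bob first ...
    (DENY, "bob", "like"),  # ... so this DENY is never reached
])

if __name__ == "__main__":
    for ctx, who, perm in [(alicesfolder, {"carol", "g:manager2"}, "view"),
                           (bobsfolder, {"carol", "g:manager2"}, "view"),
                           (post, {"bob", "g:members"}, "like"),
                           (misordered, {"bob", "g:members"}, "like")]:
        print(ctx.__name__, sorted(who), perm, permits(ctx, who, perm))
```

The `misordered` case is the one to check for when reviewing ACLs: a DENY only takes effect if it is listed before any ALLOW that matches the same principals and permission.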