Hi Tres,

I was hoping to declare the local role equivalent at the class level, but following from what you said,
I have a class declaration for "site_manager" and persist a user/owner declaration on the object at creation time? Then when I retrieve the entity from the App Engine datastore, have a __acl__ property accessor which then merges the class declaration with the persisted additional definition of owner. Does that sound like an appropriate approach?

T

On Tue, Feb 16, 2010 at 6:36 AM, Tres Seaver <tsea...@palladion.com> wrote:
> Tim Hoffman wrote:
>> Hi Chris.
>>
>> I have been rereading the ACLs for repoze.bfg and am having trouble
>> getting my head around bits of it.
>>
>> I could easily use repoze.bfg for this project, though I really don't
>> need all of bfg in this instance, so was
>> seeing if I could get by with just bobo and repoze.what (oh and I was
>> hoping to leverage the openid
>> and various other authent plugins for repoze.who).
>>
>> But ignoring authentication for the moment.
>>
>> Can you give me a hint on the approach I would take, because in my example
>> if I wanted an ACL on the persistent model as per my original it would
>> be declared something like the following.
>>
>> (I am ignoring creation for the moment.) The goal is only the owner of
>> a particular entity
>> or a user with the site_manager role can edit it. And I won't know
>> someone is owner until I have the
>> object. I'm assuming you would have a sort of transient group "owner"
>> and someone would only be
>> in it if they are the owner?
>>
>> Then I could declare the owner permission etc. as follows
>>
>> from repoze.bfg.security import Allow, Everyone
>>
>> __acl__ = [
>>     (Allow, Everyone, 'view'),
>>     (Allow, 'group:owner', 'edit'),
>>     (Allow, 'group:site_managers', 'edit'),
>> ]
>
> Why would the group be called 'owner'? Group memberships are "global",
> not local. Most likely you wouldn't use a group for the owner bits at
> all, but just have the ACL name the users with what in Zope you would
> call the "owner local role". E.g.:
>
> from repoze.bfg.security import Allow, Everyone
>
> __acl__ = [
>     (Allow, Everyone, 'view'),
>     (Allow, 'phred', 'edit'),
>     (Allow, 'group:site_managers', 'edit'),
> ]
>
> If more than one user can be the owner ("have the owner local role", in
> Z2-speak), then just add an ACE for each blessed user.
>
>
> Tres.
> --
> ===================================================================
> Tres Seaver          +1 540-429-0999          tsea...@palladion.com
> Palladion Software   "Excellence by Design"    http://palladion.com
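The approach Tim describes above (a class-level ACL plus an owner persisted on the instance, merged by a `__acl__` property), written out as an added example that is not code from the thread or from repoze.bfg itself. The `Allow`, `Everyone` and `Authenticated` names are local stand-ins for the `repoze.bfg.security` constants so the snippet runs without repoze.bfg installed, and `acl_permits` is a minimal first-match walk over one object's ACL, assumed here to mirror how an ACL authorization policy evaluates it; the `Entity`, `owner` and `class_acl` names are hypothetical.

```python
# Added example: class-level ACL merged with a persisted per-instance owner.
# Allow/Everyone/Authenticated are stand-ins for repoze.bfg.security names
# (assumption: same string values as repoze.bfg uses).
Allow = 'Allow'
Deny = 'Deny'
Everyone = 'system.Everyone'
Authenticated = 'system.Authenticated'


class Entity:
    """Model object whose owner is stored on the instance, standing in for
    the user id persisted on the datastore entity at creation time."""

    # Class-level part of the ACL: identical for every instance.
    class_acl = [
        (Allow, Everyone, 'view'),
        (Allow, 'group:site_managers', 'edit'),
    ]

    def __init__(self, owner):
        # Persisted owner principal (hypothetical field name).
        self.owner = owner

    @property
    def __acl__(self):
        """Merge the persisted owner into the class ACL as one extra ACE,
        so the owner is named directly rather than via a transient group."""
        acl = list(self.class_acl)
        if self.owner:
            acl.append((Allow, self.owner, 'edit'))
        return acl


def acl_permits(obj, principals, permission):
    """First ACE naming one of the caller's principals and the requested
    permission decides the outcome; no match means deny."""
    for action, principal, perms in getattr(obj, '__acl__', []):
        if isinstance(perms, str):
            perms = (perms,)
        if principal in principals and permission in perms:
            return action == Allow
    return False


def principals_for(userid, groups=()):
    """Effective principals for a request: Everyone, plus Authenticated,
    the user id and any global group names when logged in."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid]
    principals += list(groups)
    return principals


if __name__ == '__main__':
    doc = Entity(owner='phred')            # constructed sample entity
    print(doc.__acl__)
    print(acl_permits(doc, principals_for('phred'), 'edit'))   # owner edits
    print(acl_permits(doc, principals_for('wilma'), 'edit'))   # other user cannot
```

Because the property rebuilds the list on each access, the owner stored on the entity is the single source of truth; there is no "owner" group to keep in sync with global group membership, which is the distinction Tres draws above.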