Hi Chris

Yeah, after Tres' response, and thinking further on the abstractions, I'm thinking along similar lines, sort of collapsing the notion of a role and permission together.

Thanks for the input. I am pretty sure this is the path I will take.
It seems to play nicer with what I am trying to achieve than repoze.what
predicates, which seem to not suit context evaluation.

I will get my uml -> python generator to spit out routes and bfg views
and think about how I want to annotate the model to support the acl
declarations.

Thanks everyone for the input.

T

On Tue, Feb 16, 2010 at 9:07 PM, Chris McDonough <chr...@plope.com> wrote:
> You might choose to not have a special owner principal if you're already
> generating the __acl__ via a property. Instead, you might just think of
> "owner" as a set of permission names, and generate "the right" ACL.
>
> For instance, if you store a set of owner names as the "owners" attribute of
> a model (when the model is created or modified):
>
>   >>> model.owners
>   ['tim', 'chris']
>
> And you have, somewhere in your code, something like the following:
>
>   OWNER_PERMISSIONS = ('read', 'write', 'delete')
>
> Something like this can be done in your __acl__ property:
>
>   acl = []
>   for owner in self.owners:
>       acl.append((Allow, owner, OWNER_PERMISSIONS))
>   # ... other mutations to the acl ...
>   return acl
>
> Then if you need to show the owners in the UI, use model.owners, and don't
> try to imply any ownership info from the ACL itself.
>
>
> On 2/15/10 6:52 PM, Tim Hoffman wrote:
>>
>> Hi
>>
>> I could at the very least evaluate the Owner special principal
>> into the real owner, when I provide the __acl__ registration via the
>> property accessor
>>
>> Most of the project is defined in a uml model and the code is being
>> generated. So declaring the permissions where possible in the model
>> means I need to use abstractions representing things like Owner in
>> the model
>>
>> T
>>
>> On Tue, Feb 16, 2010 at 7:49 AM, Tim Hoffman <zutes...@gmail.com> wrote:
>>>
>>> Hi Tres
>>>
>>> The last thing I would love to be able to do would be to declare the
>>> permissions at the class level
>>>
>>> as in
>>>
>>> (Allow, Owner, "edit")
>>>
>>> And have an Owner, a special principal like Everyone,
>>> that allows me to declare the permission. But only evaluates "owner"
>>> when the permission is checked
>>>
>>> Do you think that could work? I haven't worked out how I could
>>> implement that though.
>>>
>>> T
>>>
>>> On Tue, Feb 16, 2010 at 7:24 AM, Tres Seaver <tsea...@palladion.com>
>>> wrote:
>>>>
>>>> Tim Hoffman wrote:
>>>>
>>>>> I was hoping to declare the local role equivalent at the class level,
>>>>> but following from what you said
>>>>>
>>>>> I have a class declaration for "site_manager" and persist
>>>>> a user/owner declaration on the object at creation time?
>>>>>
>>>>> Then when I retrieve the entity from the app engine datastore
>>>>> have a __acl__ property accessor which
>>>>> then merges the class declaration with the persisted addition
>>>>> definition of owner.
>>>>>
>>>>> Does that sound like an appropriate approach?
>>>>
>>>> That sounds like it would work, yes.
>>>>
>>>>
>>>> Tres.
>>>> --
>>>> ===================================================================
>>>> Tres Seaver          +1 540-429-0999          tsea...@palladion.com
>>>> Palladion Software   "Excellence by Design"    http://palladion.com
>>>>
>>>
>> _______________________________________________
>> Repoze-dev mailing list
>> Repoze-dev@lists.repoze.org
>> http://lists.repoze.org/listinfo/repoze-dev
>>
>
>
> --
> Chris McDonough
> Agendaless Consulting, Fredericksburg VA
> The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
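
The approach discussed in this thread (a class-level ACL carrying an Owner marker, expanded into the stored owners by the __acl__ property) as an added example; it is not code from the thread or from repoze.bfg. The constants are stand-ins for the framework's names, and Owner, __class_acl__, Document and permits() are hypothetical; permits() is a simplified first-match check over a single context, not the framework's authorization policy.

```python
# Stand-ins for the names repoze.bfg.security exports (assumption: simplified
# values) so the example runs without the framework installed.
Allow, Deny, Everyone = "Allow", "Deny", "system.Everyone"
Owner = "example.Owner"  # hypothetical marker principal, not a framework name
OWNER_PERMISSIONS = ("read", "write", "delete")


class Document:
    # Hypothetical class-level declaration, e.g. emitted by a code generator.
    __class_acl__ = [
        (Allow, "group:site_manager", ("read", "write", "delete")),
        (Allow, Owner, OWNER_PERMISSIONS),
        (Allow, Everyone, ("read",)),
    ]

    def __init__(self, owners):
        # Persisted with the object; the UI reads this list, never the ACL.
        self.owners = list(owners)

    @property
    def __acl__(self):
        """Build the effective ACL on every access, so a change to
        self.owners takes effect at the next permission check."""
        acl = []
        for action, principal, perms in self.__class_acl__:
            if principal == Owner:
                # Replace the marker with one ACE per real owner, keeping
                # its position so ACE ordering stays as declared.
                acl.extend((action, name, perms) for name in self.owners)
            else:
                acl.append((action, principal, perms))
        return acl


def permits(context, principals, permission):
    """First matching ACE decides; no match means deny."""
    for action, principal, perms in context.__acl__:
        if principal in principals and permission in perms:
            return action == Allow
    return False


doc = Document(owners=["tim", "chris"])  # constructed sample data
```

Because the marker is expanded before the ACL is returned, an unexpanded Owner entry never reaches the check, and an object with no owners simply grants nothing through that declaration.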