Hi Chris

Yeah, after Tres' response, and thinking further on the abstractions, I am
thinking along similar lines, sort of collapsing the notion of a role
and permission together.

Thanks for the input.  I am pretty sure this is the path I will take.

It seems to play nicer with what I am trying to achieve than
repoze.what predicates which seem to not suit context evaluation.

I will get my UML -> Python generator to spit out routes and bfg views
and think about how I want to annotate the model
to support the ACL declarations.

Thanks everyone for the input.

T

On Tue, Feb 16, 2010 at 9:07 PM, Chris McDonough <chr...@plope.com> wrote:
> You might choose to not have a special owner principal if you're already
> generating the __acl__ via a property.  Instead, you might just think of
> "owner" as a set of permission names, and generate "the right" ACL.
>
> For instance, if you store a set of owner names as the "owners" attribute of
> a model (when the model is created or modified):
>
>   >>> model.owners
>   ['tim', 'chris']
>
> And you have, somewhere in your code, something like the following:
>
>   OWNER_PERMISSIONS = ('read', 'write', 'delete')
>
> Something like this can be done in your __acl__ property:
>
>   acl = []
>   for owner in self.owners:
>       acl.append((Allow, owner, OWNER_PERMISSIONS))
>   # ... other mutations to the acl ...
>   return acl
>
> Then if you need to show the owners in the UI, use model.owners, and don't
> try to imply any ownership info from the ACL itself.
>
>
> On 2/15/10 6:52 PM, Tim Hoffman wrote:
>>
>> Hi
>>
>> I could at the very least evaluate the Owner special principal
>> into the real owner, when I provide the __acl__ registration via the
>> property accessor
>>
>> Most of the project is defined in a uml model and the code is being
>> generated. So
>> declaring the permissions where possible in the model means I need to use
>> abstractions representing things like Owner in the model
>>
>> T
>>
>> On Tue, Feb 16, 2010 at 7:49 AM, Tim Hoffman<zutes...@gmail.com>  wrote:
>>>
>>> Hi Tres
>>>
>>> The last thing I would love to be able to do would be to declare the
>>> permissions
>>> at the class level
>>>
>>> as in
>>>
>>> (Allow, Owner, "edit")
>>>
>>> And have an Owner, a special principal like Everyone,
>>> that allows me to declare the permission. But only evaluates "owner"
>>> when the permission is checked
>>>
>>> Do you think that could work, I haven't worked out how I could
>>> implement that though.
>>>
>>> T
>>>
>>> On Tue, Feb 16, 2010 at 7:24 AM, Tres Seaver<tsea...@palladion.com>
>>>  wrote:
>>>>
>>>> Tim Hoffman wrote:
>>>>
>>>>> I was hoping to declare the local role equivalent at the class level,
>>>>> but following from what you said
>>>>>
>>>>> I have a class declaration for "site_manager" and persist
>>>>> a user/owner declaration on the object at creation time ?
>>>>>
>>>>> Then when I retrieve the entity from the app engine datastore
>>>>> have a __acl__ property accessor which
>>>>> then merges the class declaration with the persisted addition
>>>>> definition of owner.
>>>>>
>>>>> Does that sound like an appropriate approach?
>>>>
>>>> That sounds like it would work, yes.
>>>>
>>>>
>>>> Tres.
>>>> --
>>>> ===================================================================
>>>> Tres Seaver          +1 540-429-0999          tsea...@palladion.com
>>>> Palladion Software   "Excellence by Design"    http://palladion.com
>>>>
>>>
>> _______________________________________________
>> Repoze-dev mailing list
>> Repoze-dev@lists.repoze.org
>> http://lists.repoze.org/listinfo/repoze-dev
>>
>
>
> --
> Chris McDonough
> Agendaless Consulting, Fredericksburg VA
> The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
>
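An added example, not code from the thread or from repoze.bfg: a sketch of the approach discussed above, where a class-level ACL is merged with per-object owners inside an `__acl__` property. `Document`, `base_acl`, `group:site_manager` and `permits` are hypothetical names; `Allow`, `Deny` and `Everyone` are local stand-ins for the framework's constants, and `permits` is a simplified first-match check on a single context, not the framework's authorization policy.

```python
# Local stand-ins for the names repoze.bfg.security exports, so the example
# runs without the framework installed (assumption, not the real constants).
Allow, Deny, Everyone = "Allow", "Deny", "system.Everyone"

OWNER_PERMISSIONS = ("read", "write", "delete")


class Document(object):
    # Class-level declaration shared by every instance (hypothetical model).
    base_acl = [
        (Allow, "group:site_manager", ("read", "write", "delete")),
        (Allow, Everyone, ("read",)),
    ]

    def __init__(self, owners):
        # Persisted with the entity. The UI reads this list directly and
        # never infers ownership from the ACL.
        self.owners = list(owners)

    @property
    def __acl__(self):
        # Rebuilt on every access, so removing an owner revokes the grant
        # on the next permission check; no stale entries are stored.
        acl = [(Allow, owner, OWNER_PERMISSIONS) for owner in self.owners]
        acl.extend(self.base_acl)
        return acl


def permits(context, principals, permission):
    """Simplified first-match ACL check (single context, no parent lookup)."""
    effective = set(principals) | {Everyone}
    for action, principal, permissions in context.__acl__:
        if principal in effective and permission in permissions:
            return action == Allow
    return False  # default deny when no entry matches


if __name__ == "__main__":
    doc = Document(["tim", "chris"])  # constructed sample data
    print(permits(doc, ["tim"], "delete"))      # owner grant
    print(permits(doc, ["mallory"], "write"))   # no matching entry
    doc.owners.remove("tim")
    print(permits(doc, ["tim"], "delete"))      # revoked with ownership
```

Because owners and groups share one principal namespace, user identifiers stored in `owners` should not be able to collide with group principals such as `group:site_manager`.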