On Nov 22, 2010, at 9:30 AM, Dan Ellis wrote:
I'd like to find some way to implement access controls on mapped
objects, with the following features:
* Example: given a BlogPost object, only the owner, or a superuser,
would be allowed to set fields such as title and body.
* Example: reading the body field would check the privacy field as
well as the current user, and only let the owner read a private field.
* The owner should be determined based on a configurable column name,
or as the result of a method call.
* The current user should be explicitly specified rather than coming
from some global state.
The intention is not to make unwanted operations impossible, but to
offer the programmer a degree of confidence that, so long as he uses
the object in a particular way, the security constraints he specifies
won't be violated, regardless of logic errors elsewhere (in a web
layer, typically).
It seems that one possible way to do this would be to use proxy
objects to access the real instances. Returning proxies doesn't seem
difficult (a mapper extension could do this if the mapped class
specifies it desires it). Interaction with the session might be
problematic, though, if all you have is proxy objects.
Does this seem to be the correct path to follow, or is there a better
approach?
I'm assuming the reason for proxy objects is so that usage would continue to
look like:
blogpost.body = new body
instead of
blogpost.set_body(user, new body)
?
So for that kind of thing, if you want certain operations to proceed under the
umbrella of some context, like who the current user is, Python context
managers are very neat for this.
with security_manager.user(some_user):
blogpost.body = new body
You'd normally use @property on your BlogPost object to intercept read/set
events, or the @validates decorator which catches only set events, to achieve
this. BlogPost could find the local context manager usually via thread local.
You could also use SessionExtension to disallowed changes to objects during
flush() or commit(), again using some thread local context.
That would be my version. If you want something a lot more elaborate and
formalized, there's Zope security proxies:
http://pypi.python.org/pypi/zope.security .SQLAlchemy mapped objects should
be able to be used directly with security proxies, however it requires
integration with the ORM, which we added a lot of hooks in order to help
someone achieve this about two years ago. I'm not sure if Zope has published
an SQLA integration layer with ZCP, however.
--
You received this message because you are subscribed to the Google Groups
sqlalchemy group.
To post to this group, send email to sqlalch...@googlegroups.com.
To unsubscribe from this group, send email to
sqlalchemy+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en.
--
You received this message because you are subscribed to the Google Groups
sqlalchemy group.
To post to this group, send email to sqlalch...@googlegroups.com.
To unsubscribe from this group, send email to
sqlalchemy+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en.