[web2py] Re: Contribution
I don't think web2py supports this currently, but I think you are on the right track. I think what I would suggest is an extension to auth.add_permission. Something like

    auth.add_permission(group.id, 'name', 'object', record_id, 'column_name', state_bool)

where column_name is the name of the table column(field) and NULL or unspecified equals all columns; and where state_bool is any expression returning a boolean value such that a true value means the permission is active, and a false value means it is not (e.g. db.articles.published == true; or time.now - db.articles.date 30 days) and NULL or unspecified equals all/any states. Of course this would also require respective extensions to auth.has_permission.

On Oct 26, 1:17 pm, Richard Vézina ml.richard.vez...@gmail.com wrote:

I just read the doc... Not sure what I suggest is possible... According to the doc it would need something like this to work:

    auth.has_permission(group_id, 'read', 'table123', field123 == 'something')

This would lead to check if a user has the permission read on table123 when field123 has the value something... It would be great if it is possible...

Richard

On Wed, Oct 26, 2011 at 2:03 PM, Richard Vézina ml.richard.vez...@gmail.com wrote:

And why the object could not be a query that can return a list of records having the state you are looking for??

Richard

On Mon, Oct 24, 2011 at 8:25 PM, Triquetra trique...@triquetradevelopment.com wrote:

No, I don't think this helps, unless I'm misunderstanding something (which is possible). When using auth.add_permission(group_id, 'name', 'object', record_id) the CRUD permissions are only enforced if the object is a table (according to the book). So, even assuming one could pass a column as the object (to enable field based access control), the web2py access system will not automatically enforce CRUD permissions on this object (like it would with tables or records). This level of access control would require additional manual enforcement in the controllers.

This doesn't help with state based permissions either. The issue here is that permissions may change depending upon the state of the object. Workflows are a good example. If A is in group author and E is in group editor, a workflow may demand that A has full CRUD rights until the article is submitted for editing, then A only has read rights over the SAME record and editor group gets read and update rights only after submission of the article for editing. Same record, same groups, same users -- different permissions based on the state of the record (which could be indicated by the content of a field).

On Friday, October 21, 2011 3:54:26 PM UTC-4, Triquetra wrote:

I'd like to see web2py's access control beefed up (thus permitting easy development of workflows, among other things). Specifically, the current web2py RBAC has two levels of granularity: table and record (row). This should be extended to include field(column), type(controller), and context(state).

    auth.add_permission(group_id, 'name', 'object', record_id)

In the above, 'object' can be any user-defined object, not just a DB table (record_id is only relevant if the object is a table). Does that help?

Although the type(controller) access control is currently implemented via decorators in web2py, this is restricted to coders.

You don't have to use decorators. You can directly check for permissions via auth.has_membership() and auth.has_permission().
[web2py] Re: Contribution
I'm sure assistance with documentation would be appreciated by all!

On Oct 26, 10:16 am, Hong-Khoan Quach hongkhoanqu...@googlemail.com wrote:

I want to thank you all for your suggestions so far and please post further suggestions :). Massimo, Anthony or other contributors/committers, do you have anything on your TODO list?

Regards
Hong-Khoan

On 21.10.2011 12:52, Hong-Khoan Quach wrote:

Hi there. We would like to contribute to web2py for a university open source practical course. Does anyone have an idea for an important/cool feature that we could propose to our supervisor? Furthermore, are there any low hanging fruits, we can start with?

Regards
Matteo and Hong-Khoan
[web2py] Re: Contribution
No, I don't think this helps, unless I'm misunderstanding something (which is possible). When using auth.add_permission(group_id, 'name', 'object', record_id) the CRUD permissions are only enforced if the object is a table (according to the book). So, even assuming one could pass a column as the object (to enable field based access control), the web2py access system will not automatically enforce CRUD permissions on this object (like it would with tables or records). This level of access control would require additional manual enforcement in the controllers.

This doesn't help with state based permissions either. The issue here is that permissions may change depending upon the state of the object. Workflows are a good example. If A is in group author and E is in group editor, a workflow may demand that A has full CRUD rights until the article is submitted for editing, then A only has read rights over the SAME record and editor group gets read and update rights only after submission of the article for editing. Same record, same groups, same users -- different permissions based on the state of the record (which could be indicated by the content of a field).

On Friday, October 21, 2011 3:54:26 PM UTC-4, Triquetra wrote:

I'd like to see web2py's access control beefed up (thus permitting easy development of workflows, among other things). Specifically, the current web2py RBAC has two levels of granularity: table and record (row). This should be extended to include field(column), type(controller), and context(state).

    auth.add_permission(group_id, 'name', 'object', record_id)

In the above, 'object' can be any user-defined object, not just a DB table (record_id is only relevant if the object is a table). Does that help?

Although the type(controller) access control is currently implemented via decorators in web2py, this is restricted to coders.

You don't have to use decorators. You can directly check for permissions via auth.has_membership() and auth.has_permission().
[web2py] Re: Contribution
I think a standalone workflow system is too high level. Workflow type systems (among other things) can be more than adequately developed with robust access control mechanisms.

I'd like to see web2py's access control beefed up (thus permitting easy development of workflows, among other things). Specifically, the current web2py RBAC has two levels of granularity: table and record (row). This should be extended to include field(column), type(controller), and context(state). The first is implemented in other RBAC systems (e.g. Drupal), but not in web2py (at least not that I can tell). The latter two are ideas borrowed from SELinux. If these were in place, then workflows could easily be implemented by, e.g. specifying different permissions for a given role for each context(state) of a record or table(record type).

Although the type(controller) access control is currently implemented via decorators in web2py, this is restricted to coders. Providing an extra layer of abstraction to this mechanism would permit this level of access control to be manipulated by users (e.g. non-coder site managers).

On Oct 21, 7:55 am, António Ramos ramstei...@gmail.com wrote:

May I suggest a workflow framework in web2py?
Django has one
I want one :(

2011/10/21 Hong-Khoan Quach hongkhoanqu...@googlemail.com

Hi there. We would like to contribute to web2py for a university open source practical course. Does anyone have an idea for an important/cool feature that we could propose to our supervisor? Furthermore, are there any low hanging fruits, we can start with?

Regards
Matteo and Hong-Khoan
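
The column- and state-scoped permissions proposed in this thread, and the author/editor workflow used to motivate them, can be sketched as follows. This is an added example, not web2py code and not code from any poster: `StatefulACL`, its method signatures, the `articles` table and the `status` field are assumptions chosen to mirror the proposed `add_permission` extension.

```python
# Added example: default-deny ACL with optional column and state scoping.
# All names here are hypothetical; this is not the web2py Auth API.
from collections import namedtuple

Grant = namedtuple("Grant", "group name table record_id column state")

class StatefulACL:
    def __init__(self):
        self.grants = []

    def add_permission(self, group, name, table, record_id=0, column=None, state=None):
        # record_id=0 -> every record; column=None -> every column;
        # state=None -> any state, otherwise a predicate over the record dict.
        self.grants.append(Grant(group, name, table, record_id, column, state))

    def has_permission(self, groups, name, table, record, column=None):
        for g in self.grants:
            if g.group not in groups or g.name != name or g.table != table:
                continue
            if g.record_id not in (0, record.get("id")):
                continue
            # A column-scoped grant never satisfies a whole-record request.
            if g.column is not None and g.column != column:
                continue
            # The state is evaluated at check time, against the current record.
            if g.state is not None and not g.state(record):
                continue
            return True
        return False  # nothing matched: deny

def build_workflow_acl():
    """Author: full CRUD while draft, read-only once submitted.
    Editor: read and update, only after submission."""
    draft = lambda r: r.get("status") == "draft"
    submitted = lambda r: r.get("status") == "submitted"
    acl = StatefulACL()
    for action in ("create", "read", "update", "delete"):
        acl.add_permission("author", action, "articles", state=draft)
    acl.add_permission("author", "read", "articles", state=submitted)
    acl.add_permission("editor", "read", "articles", state=submitted)
    acl.add_permission("editor", "update", "articles", state=submitted)
    return acl

if __name__ == "__main__":
    acl = build_workflow_acl()
    for status in ("draft", "submitted"):
        rec = {"id": 1, "status": status}  # constructed sample record
        for group in ("author", "editor"):
            allowed = [a for a in ("create", "read", "update", "delete")
                       if acl.has_permission([group], a, "articles", rec)]
            print(status, group, allowed)
```

Because the predicate runs on every check, a record whose `status` is missing or unknown matches no grant and is denied.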
[web2py] Pyramid on Web2py
See http://web2pyramid.pylonsproject.org/ There is very little information about this on the net. The link on the site just points to the pylons project on github. Is this legitimate? Or is this just an attempt to divert web2py traffic to pylons/pyramid?
Re: [web2py] Re: cas_auth.py
I'm having this same issue using cas_auth. I'm running my own CAS appliance. My application successfully redirects to CAS on login, but not on registration. When I try to log in, I get an invalid login error, I presume because the registration was never entered into CAS, but only in the local application. Has this been fixed?
[web2py] Re: uWSGI examples page updated for web2py
I read the example with great interest, but I don't understand why 3 Web2Py instances, one XML configuration is better than multiple configuration files. I'm not saying it's not better, I just really don't understand it. It would seem that either way, one still has 3 uwsgi instances and 3 web2py instances. Could you please explain why this is useful?

On Aug 26, 11:32 pm, Roberto De Ioris robe...@unbit.it wrote:

Hi all, we have added a section in our examples wiki page for web2py: http://projects.unbit.it/uwsgi/wiki/Example

I hope this can be useful

--
Roberto De Ioris
http://unbit.it
JID: robe...@jabber.unbit.it
[web2py] Re: remote admin access errors
Thank you for the quick reply. I'm not sure how to check whether uwsgi is setting the wsgi_url_scheme. A quick search of this group and the uwsgi wiki provided no direction. How can I check this?

On Oct 22, 11:36 pm, mdipierro mdipie...@cs.depaul.edu wrote:

Look into admin/models/access.py

This is how web2py checks

    if request.env.http_x_forwarded_for \
        or request.env.wsgi_url_scheme in ['https', 'HTTPS'] \
        or request.env.https == 'on':
        session.secure()
    elif not remote_addr in hosts and not DEMO_MODE:
        raise HTTP(200, T('Admin is disabled because insecure channel'))

is uwsgi not setting wsgi_url_scheme?

On Oct 22, 10:33 pm, Triquetra da...@legacyplanningadvocates.com wrote:

I am running web2py (1.86.2) on Debian Lenny with Nginx and uwsgi. This is a local test server that I have physical access to. I can access the welcome and admin pages from the server (localhost), so it appears the admin interface is working. And I can access the welcome app from other computers on the network, so it looks like nginx and uwsgi are properly serving web2py to the network. And I can access the welcome app through https://192.168.0.189/welcome/default/index, so it looks like nginx is properly serving ssl pages. But I am unable to access the admin page remotely from another computer on the network. I get the error Admin is disabled because insecure channel. I don't understand why since it seems that ssl is working properly. Does anyone have an idea what this could be?
[web2py] Re: remote admin access errors
Thank you, that worked. I also had to create a symbolic link (parameters_443.py) pointing to the password file (parameters_8000.py) in order to get rid of the unable to access password file error.

On Oct 23, 12:44 pm, Roberto De Ioris robe...@unbit.it wrote:

Thank you for the quick reply. I'm not sure how to check whether uwsgi is setting the wsgi_url_scheme. A quick search of this group and the uwsgi wiki provided no direction. How can I check this?

There are two (very old) threads on the official uWSGI list about https and scheme. uWSGI supports setting the scheme in two ways, via the (non-standard) UWSGI_SCHEME var or via the standard HTTPS cgi variable. I suggest you add the UWSGI_SCHEME var to uwsgi_params configuration:

    uwsgi_param UWSGI_SCHEME $scheme;

--
Roberto De Ioris
http://unbit.it
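
To see which of the three conditions in the access.py excerpt quoted in this thread a given deployment satisfies, the check can be restated as a pure function and run over sample environments. This is an added example, not web2py or uWSGI code: the function names, `LOCAL_HOSTS`, the sample client address and the assumption that the scheme arrives as `http` when it is not passed on are all constructed for illustration.

```python
# Added example: names below are hypothetical; only the three conditions and
# the error text come from the access.py excerpt quoted in this thread.
LOCAL_HOSTS = ("127.0.0.1", "::1", "localhost")  # assumed stand-in for `hosts`

def tls_signals(env):
    """Which of the three quoted conditions hold for a request.env-like dict."""
    return {
        "http_x_forwarded_for": bool(env.get("http_x_forwarded_for")),
        "wsgi_url_scheme": env.get("wsgi_url_scheme") in ("https", "HTTPS"),
        "https": env.get("https") == "on",
    }

def admin_channel(env, remote_addr, hosts=LOCAL_HOSTS, demo_mode=False):
    """Mirror the quoted branches: 'secure', 'disabled' or 'local'."""
    if any(tls_signals(env).values()):
        return "secure"      # the original calls session.secure() here
    if remote_addr not in hosts and not demo_mode:
        return "disabled"    # 'Admin is disabled because insecure channel'
    return "local"

# Constructed environments (not captured from a real server).
CASES = {
    # TLS ends at nginx, but the scheme is not passed on to uWSGI (assumed 'http')
    "before_fix": ({"wsgi_url_scheme": "http"}, "192.168.0.50"),
    # with UWSGI_SCHEME set from nginx's $scheme
    "after_fix": ({"wsgi_url_scheme": "https"}, "192.168.0.50"),
    # browser on the server itself, plain HTTP
    "localhost": ({"wsgi_url_scheme": "http"}, "127.0.0.1"),
    # the first condition holds on header presence alone, so the front-end
    # proxy should be the only component allowed to set X-Forwarded-For
    "forwarded_only": ({"wsgi_url_scheme": "http",
                        "http_x_forwarded_for": "192.168.0.50"}, "192.168.0.50"),
}

def run_cases():
    return {name: admin_channel(env, addr) for name, (env, addr) in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:15} {verdict}")
```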
[web2py] remote admin access errors
I am running web2py (1.86.2) on Debian Lenny with Nginx and uwsgi. This is a local test server that I have physical access to. I can access the welcome and admin pages from the server (localhost), so it appears the admin interface is working. And I can access the welcome app from other computers on the network, so it looks like nginx and uwsgi are properly serving web2py to the network. And I can access the welcome app through https://192.168.0.189/welcome/default/index, so it looks like nginx is properly serving ssl pages. But I am unable to access the admin page remotely from another computer on the network. I get the error Admin is disabled because insecure channel. I don't understand why since it seems that ssl is working properly. Does anyone have an idea what this could be?