[web2py] Re: Advice on structuring my app

2017-01-21 Thread Val K
Hi, here is my solution:
There are some abstract *actions* like view/edit/delete/upload/download and 
so on.
There are the *roles* that define combinations of the actions - it's the 
table that has a 'value' bit field - each bit corresponds to an action.
There are the *groups* and two symmetric relation tables: *user_group_role*, 
*object_group_role*; object means anything on which the actions could be 
performed.
Now, the set of allowed actions on the object for the user could be 
calculated:
 - find the `intersection` (common) groups of *user* and *object* (inner join 
   on group)
 - logically sum up role.value (bitwise aggregate OR) for *user_group_role* 
   and for *object_group_role* = *user_sum_role*, *object_sum_role*
 - *allowed_actions_set* = *user_sum_role* AND *object_sum_role* (bitwise 
   AND)

For example: the user has membership in orgA with role 'super', but orgA has 
only the 'read' role on the *object* - 'super' will be trimmed to 'read'... 
but if the user also has membership under 'super' in another group which has 
'super' against the object too, role_action_set won't be trimmed.

On Tuesday, January 17, 2017 at 7:59:27 PM UTC+3, Leonel Câmara wrote:
>
> I'm in the process of turning an application that was used by a single 
> organization into one that will be used by many, I'm using regular Auth and 
> auth groups to manage which users can do what according to what groups they 
> have memberships on.  
>   
> The first problem I'm facing is that the users that belong to a given 
> auth_group will now only belong to that group in a given organization, 
> which I guess would also be a problem with regular auth functions. 
>
> Another problem is that I want the organizations to be able to share some 
> of their data with another organization.  
>   
> So, right now, I'm considering what would be the best architecture for the 
> application.  
>   
> One idea would be to store the organization the user is currently browsing 
> with (no reason to limit that one user can only belong to one organization) 
> in session, then I would have to check in each controller if the user has 
> the right group and organization for what he wants to do, this would 
> pollute my code somehow.  
>   
> Another idea is for each organization to become a group, then what I use 
> groups for right now will be permissions, this is probably the best route. 
> This would still leave the problem of making the user see the right data 
> depending on which organization he is currently browsing with.   
>   
> Any advice on how to do this as cleanly as possible in terms of code?
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
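
The permission calculation from Val K's message above, as an added example that is not part of the original thread: table and column names, action bits and sample rows are constructed for illustration, and SQLite stands in for the application database. It goes one step beyond the post by also computing a stricter per-group variant, because with OR-then-AND a role the user holds in one group can combine with an object grant made to a different group.

```python
import sqlite3

# Action bits, role names and the schema are constructed for this example.
VIEW, EDIT, DELETE, UPLOAD, DOWNLOAD = 1, 2, 4, 8, 16
ROLES = {"read": VIEW | DOWNLOAD, "super": VIEW | EDIT | DELETE | UPLOAD | DOWNLOAD}

class BitOr:
    """SQLite has no built-in bitwise-OR aggregate, so register one."""
    def __init__(self):
        self.acc = 0
    def step(self, value):
        self.acc |= value
    def finalize(self):
        return self.acc

def make_db(user_rows, object_rows):
    db = sqlite3.connect(":memory:")
    db.create_aggregate("bit_or", 1, BitOr)
    db.executescript("""
        CREATE TABLE role (name TEXT PRIMARY KEY, value INTEGER NOT NULL);
        CREATE TABLE user_group_role (user TEXT, grp TEXT, role TEXT);
        CREATE TABLE object_group_role (object TEXT, grp TEXT, role TEXT);
    """)
    db.executemany("INSERT INTO role VALUES (?, ?)", ROLES.items())
    db.executemany("INSERT INTO user_group_role VALUES (?, ?, ?)", user_rows)
    db.executemany("INSERT INTO object_group_role VALUES (?, ?, ?)", object_rows)
    return db

JOIN = """
    FROM user_group_role u
    JOIN object_group_role o ON o.grp = u.grp   -- common groups only
    JOIN role ur ON ur.name = u.role
    JOIN role orl ON orl.name = o.role
    WHERE u.user = ? AND o.object = ?
"""

def _bits(db, expr, user, obj):
    row = db.execute("SELECT " + expr + JOIN, (user, obj)).fetchone()
    return row[0] or 0  # NULL means no common group: deny everything

def allowed_summed(db, user, obj):
    """As posted: OR each side over the common groups, then AND the sums."""
    return _bits(db, "bit_or(ur.value) & bit_or(orl.value)", user, obj)

def allowed_per_group(db, user, obj):
    """Stricter variant: AND inside each common group, then OR the results."""
    return _bits(db, "bit_or(ur.value & orl.value)", user, obj)
```

The two functions agree on both cases in the post; they differ only when the user's strongest role and the object's strongest grant sit in different groups.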


[web2py] Re: Advice on structuring my app

2017-01-17 Thread Leonel Câmara
Yes, a user can be a member of several organizations, which need to approve 
him and decide on what permissions the user will have; each organization is 
managed by users with admin powers within that organization. 



[web2py] Re: Advice on structuring my app

2017-01-17 Thread icodk
Can a user be a member of several organizations?
Who is managing organizations?
How does somebody get to be a member of an organization?
With very little information available, I would have an organization table, 
and each newly registered user will get his own organization and will be 
his organization's admin. Each organization will have an invitation table 
in which the admin can invite other users by sending them an invitation 
mail.
An invited user will get a mail with a link to join the organization. Clicking 
the link will activate a controller that adds the user to an organization 
membership table.
In the invitation table the admin can also set permissions for each invited 
user. This way the admin can also revoke an invited user. All of the 
organization's data will be protected by a common filter, but shared data will 
not.
Hope it is helpful to some.



If yes then you should have 

On Tuesday, January 17, 2017 at 8:21:08 PM UTC+1, Jim S wrote:
>
> I think you could accomplish that with the _common_filter.  That is what I 
> did on the app where I used it and it worked well.
>
> -Jim
>
> On Tuesday, January 17, 2017 at 11:33:02 AM UTC-6, Leonel Câmara wrote:
>>
>> I'm not sure I want to restrict each organization to a single domain yet. 
>> But yes it's a possibility, I don't need to necessarily use the domain name 
>> to do the filtering. Although I would also like them to be able to 
>> optionally share some data among them so I would also need to solve that 
>> problem.  
>>   
>> So basically, be able to do multitenancy within a single domain or with 
>> organizations being able to have more than one domain and sharing.
>>
>



[web2py] Re: Advice on structuring my app

2017-01-17 Thread Jim S
I think you could accomplish that with the _common_filter.  That is what I 
did on the app where I used it and it worked well.

-Jim

On Tuesday, January 17, 2017 at 11:33:02 AM UTC-6, Leonel Câmara wrote:
>
> I'm not sure I want to restrict each organization to a single domain yet. 
> But yes it's a possibility, I don't need to necessarily use the domain name 
> to do the filtering. Although I would also like them to be able to 
> optionally share some data among them so I would also need to solve that 
> problem.  
>   
> So basically, be able to do multitenancy within a single domain or with 
> organizations being able to have more than one domain and sharing.
>



[web2py] Re: Advice on structuring my app

2017-01-17 Thread Leonel Câmara
I'm not sure I want to restrict each organization to a single domain yet. 
But yes it's a possibility, I don't need to necessarily use the domain name 
to do the filtering. Although I would also like them to be able to 
optionally share some data among them so I would also need to solve that 
problem.  
  
So basically, be able to do multitenancy within a single domain or with 
organizations being able to have more than one domain and sharing.



[web2py] Re: Advice on structuring my app

2017-01-17 Thread Jim S
Is there a reason why the Multi-tenancy or Common Filters wouldn't work?

http://web2py.com/books/default/chapter/29/06/the-database-abstraction-layer#Common-fields-and-multi-tenancy

I've used common filters in the past with success.

-Jim

On Tuesday, January 17, 2017 at 10:59:27 AM UTC-6, Leonel Câmara wrote:
>
> I'm in the process of turning an application that was used by a single 
> organization into one that will be used by many, I'm using regular Auth and 
> auth groups to manage which users can do what according to what groups they 
> have memberships on.  
>   
> The first problem I'm facing is that the users that belong to a given 
> auth_group will now only belong to that group in a given organization, 
> which I guess would also be a problem with regular auth functions. 
>
> Another problem is that I want the organizations to be able to share some 
> of their data with another organization.  
>   
> So, right now, I'm considering what would be the best architecture for the 
> application.  
>   
> One idea would be to store the organization the user is currently browsing 
> with (no reason to limit that one user can only belong to one organization) 
> in session, then I would have to check in each controller if the user has 
> the right group and organization for what he wants to do, this would 
> pollute my code somehow.  
>   
> Another idea is for each organization to become a group, then what I use 
> groups for right now will be permissions, this is probably the best route. 
> This would still leave the problem of making the user see the right data 
> depending on which organization he is currently browsing with.   
>   
> Any advice on how to do this as cleanly as possible in terms of code?
>
