Michael, Thank you,
The final solution has nothing to do with ACL's or addresses and security for others getting results by querying is a none issue. As mentioned before I am building a database and tools to help chemists selecting molecule structures. It is all way more complex than you might think since the "ACL" records have "ACL" records assosiated to them to. Setting up relations and queries is a total nightmare because almost all relations end up to be circular over multiple tables. controlling the eager loading where possible for convenience and where impossible has been a huge job although SQLAlchemy is a huge help. I only use this as a understandable data structure since I know how hard it was to understand the terminology. I do not want to bring that to this group and more importantly since I search the mailinglist myself a lot it can help others finding a solution to their needs. I find that the deeper I dive into SA, the less examples are available, the harder it is to test functionality and sometimes documentation gets more sparse. Thank you again... Martijn On Feb 8, 2011, at 4:21 PM, Michael Bayer wrote: > > On Feb 8, 2011, at 6:05 AM, Martijn Moeling wrote: > >> Michael, >> >> >> I took a look at the recipe you indicated, it looks promising but the check >> should be constructed from database results. Another issue is that this >> project is implemented in my web based desktop/Os which uses SQLAlchemy from >> the bottem up. So modifiing the session object globally is with a >> PreFilteredQuery is not a real option. Creating a session for this "program" >> only might be an option but I am not sure how that will turn out. > > Well a MapperExtension is also "global" to that class. Subclassing Query > with rules for a specific mapper is fairly easy to isolate to those use cases. > >> >> Being it a web based (and so Handle request and die), Persistence is (to me) >> not very usefull and I need to "reload" everything for every action. > > That is typical for a web application. > >> >> the @reconstructor hook seems too outdated. I moved to 0.6.6 last week, and >> only will upgrade to stable/production versions since in my case there is a >> lot to it. > > @reconstructor is a standard feature since 0.5 and continues to be. > >> >> I need to transparently add "being queried" functionality to mapped objects. >> This functionality is will be mixed in and should be able to limit the >> results when being queried. Since my class definitions are so complex I >> would like to make a (not functional) example on what I am in search of. and >> I will not bother you with chemistry stuff... >> >> >> user = ME, GROUPS = [Everyone] >> >> A query for Session.query(Persons).all() should NOT return Person.Id >> although Everyone says True, personal Permissions overrule group permissions >> , simple boolean operations. If no ACLs are found It all defaults to false >> or true not sure yet on how this will work on my real data model, since this >> will be the model on which atoms and molecule connections are "Allowed" >> >> If However the ACL's turn out that ME.MayRead = T, I will only get related >> addresses I actually may read. This should "work" automatically for each >> class with Mixedinstuff inherited.... >> >> This is whilst I do not want the "Users" of this model to be bothered with >> this, the should add data to their model and query to generate list of >> possible new molecules. >> >> I am some sort of clueless on how to do this properly >> >> the MapperExtention.append_result still seems the best way... >> >> if calculate_ACLs(Session = object_session(self), tablename = >> instance.__tablename__, TableId = instance.__=TableId__, CheckFor = ME, >> Right = "MayRead" ): >> EXT_CONTINUE >> else: >> EXT_STOP >> >> Dont you? > > I guess what you're expressing is that your ACL rules need to fire off using > Python code, not SQL expressions. The whole thing seems quite awkward to > me since there's nothing to stop someone from saying Query(MyACLObject.id, > MyACLObject.name, ...), etc., they get all the data from the ACL row anyway, > or similarly if they were to say Query(SomeClass, SomeOtherClass, > MyACLObject) using a join, again the append_result() hook isn't used. If > it were me I'd be using some filter function around query() in an explicit > sense to do it, but this is just a matter of style. The hook will work fine > if its limitations are OK with you. > > > -- > You received this message because you are subscribed to the Google Groups > "sqlalchemy" group. > To post to this group, send email to sqlalchemy@googlegroups.com. > To unsubscribe from this group, send email to > sqlalchemy+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/sqlalchemy?hl=en. > -- You received this message because you are subscribed to the Google Groups "sqlalchemy" group. To post to this group, send email to sqlalchemy@googlegroups.com. To unsubscribe from this group, send email to sqlalchemy+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/sqlalchemy?hl=en.
