On Thursday October 30, 2008 14:33:28 Lukasz Szybalski wrote:
> The use case would be an authorize sqlalchemy action somewhere between
> controller and sqlalchemy.
> The usage would look like:
>
> 1. My app would run under one username that connects to database.
> 2. Multiple users with different permissions are set in
> identity/authorize/authenticate (not sure what you guys call it now)
> (the new identity?).

If you talk about users and their credentials, you're talking about 
authentication (in TG2, repoze.who deals with authentication). If you talk 
about what the users may do, you're talking about authorization (in TG2, 
tgext.authorization deals with authorization). Here's a better explanation:
http://turbogears.org/2.0/docs/main/Auth.html

> 3. If user is a manager he can change table "accounting" but if the
> user is "clerk" he should not be able to save changes but be able to
> view.
> 4. If user is system he can change "companymoneytotal", if he is a
> manager he should be able to view table "companymoneytotals" but
> should not be able to change it, if user is "clerk" he should not be
> able to view that table.
>
> That is pretty much it. It seems simple but not sure how one can
> do that kind of control in tg2/sqlalchemy right now?

You can only control authorization in your controllers, not in your model. And 
I think it should be kept this way, since authentication/authorization should 
only be present in the application's logic, not in its model.

If you have an action controller that inserts/updates/deletes records, then 
you should just keep it away from users with read-only rights.

However, if you really want to do it in the model, then you may:
 1.- Create a SQLAlchemy type (http://www.sqlalchemy.org/docs/05/types.html) 
which refuses to modify rows if the user has read-only rights.
 2.- Then subclass the SQLAlchemy session so that it refuses to insert and 
delete records if the user has read-only rights.

HTH.
-- 
Gustavo Narea <http://gustavonarea.net/>.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/
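
The controller-level check discussed in this message, as an added example that is not part of the original thread and does not use the tgext.authorization API. `POLICY`, `Forbidden`, `require`, the `DB` dict and the controller function names are hypothetical; the roles and tables are the ones from the question, and any role/table/action combination not listed is denied.

```python
from functools import wraps

# Policy taken from the thread: role -> table -> allowed actions.
# "view" for the system user is an assumption; the thread only says it may change.
POLICY = {
    "manager": {"accounting": {"view", "change"}, "companymoneytotals": {"view"}},
    "clerk": {"accounting": {"view"}},
    "system": {"companymoneytotals": {"view", "change"}},
}

class Forbidden(Exception):
    """Raised before the controller body runs when the role lacks permission."""

def is_allowed(role, table, action):
    """Deny by default: unknown roles, tables or actions yield False."""
    return action in POLICY.get(role, {}).get(table, set())

def require(table, action):
    """Decorator for controller actions whose first argument is the user's role."""
    def decorator(func):
        @wraps(func)
        def wrapper(role, *args, **kwargs):
            if not is_allowed(role, table, action):
                raise Forbidden(f"{role!r} may not {action} {table!r}")
            return func(role, *args, **kwargs)
        return wrapper
    return decorator

# Constructed in-memory stand-in for the two database tables.
DB = {"accounting": {1: 100}, "companymoneytotals": {1: 5000}}

@require("accounting", "view")
def show_accounting(role, row_id):
    return DB["accounting"][row_id]

@require("accounting", "change")
def save_accounting(role, row_id, value):
    DB["accounting"][row_id] = value
    return value

@require("companymoneytotals", "view")
def show_totals(role, row_id):
    return DB["companymoneytotals"][row_id]

@require("companymoneytotals", "change")
def save_totals(role, row_id, value):
    DB["companymoneytotals"][row_id] = value
    return value
```

Because the check runs in the wrapper, a denied write never reaches the code that touches the data, which is the separation between application logic and model argued for above.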
