On Thu, Oct 30, 2008 at 7:33 AM, Lukasz Szybalski <[EMAIL PROTECTED]> wrote:
>
> On Wed, Oct 29, 2008 at 11:42 PM, Mark Ramm <[EMAIL PROTECTED]> wrote:
>>
>>>> 3. sqlalchemy save certain tables if you have x permissions
>>
>> It is completely possible to rebind the SQLAlchemy metadata on each
>> request so that you actually connect to the database as a specific
>> user based on the REMOTE_USER that is set by repoze.who. This would
>> allow you to protect data at the database level, or to redirect
>> certain classes of users to different back-end databases for load
>> management. We intentionally designed things to allow this, but we
>> also intentionally left writing the explicit rules for doing this to
>> users, as it's not something that 90% of applications ever need.
>>
>> But perhaps you're wondering if we tap into SQLAlchemy somewhere
>> between the controller level and the database level, and if that's the
>> question, no we don't. I don't exactly think we will do that in quite
>> that way, but I do think it would be interesting and useful to be able
>> to provide some helpers that make it very easy to write authorization
>> rules that do "row-level" (really SA object level) authorization
>> checks in the controller.
>>
>> If you have a specific use case in mind, please feel free to raise it
>> and we'll see how to best fill that need.
>
>
> The use case would be an authorize sqlalchemy action somewhere between
> controller and sqlalchemy.
> The usage would look like:
>
> 1. My app would run under one username that connects to database.

Then that means you need to do python logic for what you want. We thought you were talking about reusing the DB users' permissions; that should be harder, IMO a custom tg.authorization SQL plugin, + some changes at the SQLAlchemy layer to provide proper connections.

> 2. Multiple users with different permissions are set in
> identity/authorize/authenticate (not sure what you guys call it now)
> (the new identity?).

tg.authority, as this is a "what someone can do" layer; repoze.who is "who are you" (authenticate), and identity used to be the old tg1 engine which was both, as an identity is both who you are and what you are.

> 3. If user is a manager he can change table "accounting" but if the
> user is "clerk" he should not be able to save changes but be able to
> view.

So you will have two permissions, "accounting_view" and "accounting_edit"; manager will have both, clerk will have read. And then just check for that. The other way will be to write a custom auth decorator for that. They aren't complex; take a look at http://svn.turbogears.org/projects/tgAuthorization/trunk/tgext/authorization/authorize.py

> 4. If user is system he can change "companymoneytotal", if he is a
> manager he should be able to view table "companymoneytotals" but
> should not be able to change it, if user is "clerk" he should not be
> able to view that table.
>

That is a variation of #3.

>
> That is pretty much it. It seems simple but not sure how one can
> do that kind of control in tg2/sqlalchemy right now?
>
> Lucas
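As an added example (not code from this thread, from TurboGears or from tgext.authorization), here is the permission split suggested in the reply, worked through in Python for use cases 3 and 4: a decorator checks an identity's permission set before a controller action runs. The identity dict shape, the 'permissions' key, the role names and the action functions are assumptions.

```python
# Added example, not TurboGears/tgext.authorization code: a permission-
# based check for the "accounting" / "companymoneytotals" use cases above.
# Identity dicts mimic repoze.who's environ['repoze.who.identity']; the
# 'permissions' key and the role -> permission mapping are assumptions.
from functools import wraps

class Forbidden(Exception):
    """Raised when the caller lacks a required permission."""

# Constructed role -> permission sets for use cases 3 and 4 of the thread.
ROLE_PERMISSIONS = {
    "clerk":   {"accounting_view"},
    "manager": {"accounting_view", "accounting_edit", "companymoneytotals_view"},
    "system":  {"accounting_view", "accounting_edit",
                "companymoneytotals_view", "companymoneytotals_edit"},
}

def identity_for(role):
    """Build a repoze.who-style identity dict for a constructed user."""
    return {"repoze.who.userid": role + "_user",
            "permissions": ROLE_PERMISSIONS[role]}

def require(*perms):
    """Decorator: run the controller only if the identity holds every perm."""
    def decorator(func):
        @wraps(func)
        def wrapper(identity, *args, **kwargs):
            missing = set(perms) - identity.get("permissions", set())
            if missing:
                raise Forbidden("%s lacks %s" % (
                    identity["repoze.who.userid"], sorted(missing)))
            return func(identity, *args, **kwargs)
        return wrapper
    return decorator

# Controller-like actions; a real one would perform the SQLAlchemy save.
@require("accounting_view")
def view_accounting(identity):            return "accounting rows"
@require("accounting_edit")
def save_accounting(identity, row):       return "saved %r" % (row,)
@require("companymoneytotals_view")
def view_totals(identity):                return "totals"
@require("companymoneytotals_edit")
def save_totals(identity, value):         return "totals=%s" % value

def allowed(action, role, *args):
    # True if role may run action, False if the check raises Forbidden.
    try:
        action(identity_for(role), *args)
        return True
    except Forbidden:
        return False
```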
