I don't think web2py supports this currently, but I think you are on
the right track.

I think what I would suggest is an extension to auth.add_permission.

Something like auth.add_permission(group.id, 'name', 'object',
record_id, 'column_name', state_bool) where column_name is the name of
the table column(field) and NULL or unspecified equals all columns;
and where state_bool is any expression returning a boolean value such
that a "true" value means the permission is active, and a "false"
value means it is not (e.g. db.articles.published == true; or time.now
- db.articles.date > 30 days) and NULL or unspecified equals all/any
states.

Of course this would also require respective extensions to
auth.has_permission.

On Oct 26, 1:17 pm, Richard Vézina <ml.richard.vez...@gmail.com>
wrote:
> I just read the doc... Not sure what I suggest is possible... According to
> the doc it would need something like this to work:
>
> auth.has_permission(group_id, 'read', 'table123', field123 == 'something')
>
> This would lead to check if a user has the permission read on table123 when
> field123 has the value something...
>
> It would be great if it is possible...
>
> Richard
>
> > On Wed, Oct 26, 2011 at 2:03 PM, Richard Vézina <ml.richard.vez...@gmail.com>
> > wrote:
> > And why the object could not be a query that can return a list of records
> > having the state you are looking for??
>
> > Richard
>
> > On Mon, Oct 24, 2011 at 8:25 PM, Triquetra <
> > trique...@triquetradevelopment.com> wrote:
>
> >> No, I don't think this helps, unless I'm misunderstanding something
> >> (which is possible).
>
> >> When using "auth.add_permission(group_id, 'name', 'object',
> >> record_id)" the CRUD permissions are only enforced if the object is a
> >> table (according to the book).  So, even assuming one could pass a
> >> column as the object (to enable field based access control), the
> >> web2py access system will not automatically enforce CRUD permissions
> >> on this object (like it would with tables or records).  This level of
> >> access control would require additional manual enforcement in the
> >> controllers.
>
> >> This doesn't help with state based permissions either.  The issue here
> >> is that permissions may change depending upon the state of the
> >> object.  Workflows are a good example.  If A is in group author and E
> >> is in group editor, a workflow may demand that A has full CRUD rights
> >> until the article is submitted for editing, then A only has read
> >> rights over the SAME record and editor group gets read and update
> >> rights only after submission of the article for editing.  Same record,
> >> same groups, same users -- different permissions based on the state of
> >> the record (which could be indicated by the content of a field).
>
> >> > On Friday, October 21, 2011 3:54:26 PM UTC-4, Triquetra wrote:
>
> >> > > I'd like to see
> >> > > web2py's access control beefed up (thus permitting easy development of
> >> > > workflows, among other things).  Specifically, the current web2py RBAC
> >> > > has two levels of granularity: table and record (row). This should be
> >> > > extended to include field(column), type(controller), and
> >> > > context(state).
>
> >> > auth.add_permission(group_id, 'name', 'object', record_id)
>
> >> > In the above, 'object' can be any user-defined object, not just a DB table
> >> > (record_id is only relevant if the object is a table). Does that help?
>
> >> > > Although the type(controller) access control is currently implemented
> >> > > via decorators in web2py, this is restricted to coders.
>
> >> > You don't have to use decorators. You can directly check for permissions via
> >> > auth.has_membership() and auth.has_permission().
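
An added example, not web2py code and not part of this thread: a plain-Python model of the proposed auth.add_permission(group_id, 'name', 'object', record_id, 'column_name', state_bool) extension and the matching has_permission check, applied to the author/editor workflow described in the quoted message. The class StateAwareAuth, the functions build_workflow_auth and allowed_verbs, the group and user ids, and the article rows are all constructed stand-ins (web2py's real auth object and DAL are not used), and the state predicates are plain callables that receive the stored row.

```python
# Added example, not web2py code: an in-memory model of the extension proposed
# in this thread, auth.add_permission(group_id, name, object, record_id,
# column_name, state_bool), with a matching has_permission check. All names
# below are hypothetical stand-ins for the real web2py auth object.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# A state predicate receives the stored DB row (as a dict) and returns a bool.
Predicate = Callable[[dict], bool]


@dataclass(frozen=True)
class Permission:
    group_id: int
    name: str                          # 'create', 'read', 'update' or 'delete'
    table: str
    record_id: int = 0                 # 0 = any record, as in web2py
    column: Optional[str] = None       # None = all columns of the row
    state: Optional[Predicate] = None  # None = any state of the row


class StateAwareAuth:
    """Hypothetical stand-in for web2py's auth with column and state scoping."""

    def __init__(self) -> None:
        self.permissions: List[Permission] = []
        self.groups: Dict[int, Set[int]] = {}   # user_id -> set of group ids

    def add_membership(self, group_id: int, user_id: int) -> None:
        self.groups.setdefault(user_id, set()).add(group_id)

    def add_permission(self, group_id: int, name: str, table: str,
                       record_id: int = 0, column: Optional[str] = None,
                       state: Optional[Predicate] = None) -> None:
        self.permissions.append(
            Permission(group_id, name, table, record_id, column, state))

    def has_permission(self, name: str, table: str, row: dict,
                       user_id: int, column: Optional[str] = None) -> bool:
        """Allow if any permission of one of the user's groups matches.

        `row` must be the record as read back from the database, never data
        taken from the request, because the state predicate decides on it.
        """
        user_groups = self.groups.get(user_id, set())
        for p in self.permissions:
            if p.group_id not in user_groups:
                continue
            if p.name != name or p.table != table:
                continue
            if p.record_id not in (0, row["id"]):
                continue
            # A column-scoped permission never grants whole-row access.
            if p.column is not None and p.column != column:
                continue
            if p.state is not None and not p.state(row):
                continue
            return True
        return False


AUTHORS, EDITORS = 1, 2            # constructed group ids
AUTHOR_USER, EDITOR_USER = 10, 20  # constructed user ids


def is_draft(row: dict) -> bool:
    return row["status"] == "draft"


def is_submitted(row: dict) -> bool:
    return row["status"] == "submitted"


def build_workflow_auth() -> StateAwareAuth:
    """The article workflow from the thread: full CRUD for authors on drafts;
    once submitted, authors keep read only and editors get read plus update
    (restricted here to the 'body' column) on the same record."""
    auth = StateAwareAuth()
    auth.add_membership(AUTHORS, AUTHOR_USER)
    auth.add_membership(EDITORS, EDITOR_USER)
    for verb in ("create", "read", "update", "delete"):
        auth.add_permission(AUTHORS, verb, "articles", state=is_draft)
    auth.add_permission(AUTHORS, "read", "articles", state=is_submitted)
    auth.add_permission(EDITORS, "read", "articles", state=is_submitted)
    auth.add_permission(EDITORS, "update", "articles",
                        column="body", state=is_submitted)
    return auth


def allowed_verbs(auth: StateAwareAuth, user_id: int, row: dict,
                  column: Optional[str] = None) -> Set[str]:
    """Which CRUD verbs user_id holds on row (optionally on one column)."""
    return {v for v in ("create", "read", "update", "delete")
            if auth.has_permission(v, "articles", row, user_id, column)}


# Constructed sample rows: the same article before and after submission.
DRAFT = {"id": 7, "title": "Field ACLs", "body": "...", "status": "draft"}
SUBMITTED = dict(DRAFT, status="submitted")

if __name__ == "__main__":
    auth = build_workflow_auth()
    for label, row in (("draft", DRAFT), ("submitted", SUBMITTED)):
        print(label,
              "author:", sorted(allowed_verbs(auth, AUTHOR_USER, row)),
              "editor:", sorted(allowed_verbs(auth, EDITOR_USER, row)),
              "editor/body:", sorted(allowed_verbs(auth, EDITOR_USER, row, "body")))
```

Because the predicate is any callable over the row, a time-based rule like the 30-day one mentioned above fits the same slot. As the thread notes for non-table objects, web2py would not enforce such a check on its own, so the has_permission call still has to be made in the controller, after the row has been fetched, before the read or write is performed.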
