Hello, ZEO already supports authenticated logins. Based on the login I'd like people to be able to access some objects and deny access to others.
First I thought I'd do the access restrictions on the application level. This doesn't seem to be too easy though, because a user might have access to an object, but accessing one of its sub-objects might be disallowed. Checking this everywhere seems hard, error-prone and potentially slow.

So I wondered whether it might be possible to integrate this directly into ZEO, e.g. by subclassing ZEOStorage and hooking methods like loadEx/loadBefore/deleteObject/store. Each object and each user would have something like a permission_id attribute. Then one could write something like:

    class AccessRestrictedZEOStorage(ZEOStorage):

        def loadEx(self, oid):
            obj = ZEOStorage.load(self, oid)
            # get user here somehow
            self.checkAccess(obj, user, 'read')
            return obj

        def checkAccess(self, obj, user, access):
            # this check can be more sophisticated, check for
            # read/write/delete rights etc
            if user.permission_id < obj.permission_id:
                raise AccessDeniedError()

Is something like this viable? Does it make sense at all, or is it still better to restrict access on the application level?

-Matthias

_______________________________________________
For more information about ZODB, see the ZODB Wiki:
http://www.zope.org/Wikis/ZODB/

ZODB-Dev mailing list - ZODB-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zodb-dev
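The sketch above leaves two things open: where the storage gets the user from, and how it reads an object's permission_id when all a storage ever sees is pickled bytes. The following is an added illustration (not ZEO code, and not the poster's code) of the storage-level check modelled as a wrapper around a toy backend. It assumes a hypothetical DictStorage backend, an explicit user argument in place of the connection's authenticated identity, and a side table of permission labels filled at store time instead of reading the label out of the object. It also shows the property the mail is after: a user who may read a root object is still denied the more restricted sub-object it references, and unknown or unlabelled objects fail closed.

```python
"""Toy model of a storage-level permission check.

Added example, not ZEO code: the real ZEOStorage API (loadEx, loadBefore,
store, ...) is not used.  DictStorage, AccessRestrictedStorage, the label
side table and the explicit `user` argument are assumptions of this model.
"""


class AccessDeniedError(Exception):
    """Raised when a user may not read or write an object."""


class User:
    def __init__(self, name, permission_id):
        self.name = name
        self.permission_id = permission_id


class DictStorage:
    """Constructed stand-in for the backend: oid -> opaque record bytes."""

    def __init__(self):
        self._records = {}

    def load(self, oid):
        return self._records[oid]

    def store(self, oid, data):
        self._records[oid] = data


class AccessRestrictedStorage:
    """Wraps a backend so every load/store is checked against a label.

    A storage only sees pickled bytes, so the label is not read from the
    object; it is kept in a side table (oid -> required permission_id)
    that is maintained at store time.  `user` is passed explicitly here;
    in a server it would come from the authenticated connection.
    """

    def __init__(self, backend):
        self._backend = backend
        self._labels = {}

    def check_access(self, oid, user, access):
        label = self._labels.get(oid)
        if label is None:
            # Fail closed: an object without a label is off limits to everyone.
            raise AccessDeniedError("%s: no label for %r" % (access, oid))
        if user.permission_id < label:
            raise AccessDeniedError("%s: %s lacks level %d for %r"
                                    % (access, user.name, label, oid))

    def load(self, oid, user):
        self.check_access(oid, user, "read")
        return self._backend.load(oid)

    def store(self, oid, data, permission_id, user):
        # Overwriting an existing record needs write rights on its old label.
        if oid in self._labels:
            self.check_access(oid, user, "write")
        # Nobody may label an object above their own level; otherwise a
        # low-privilege user could lock everyone else out of it.
        if permission_id > user.permission_id:
            raise AccessDeniedError("write: %s cannot label %r at level %d"
                                    % (user.name, oid, permission_id))
        self._backend.store(oid, data)
        self._labels[oid] = permission_id


def demo():
    """Return, per (user, oid), whether a load was allowed or denied."""
    admin = User("admin", 10)
    guest = User("guest", 1)
    storage = AccessRestrictedStorage(DictStorage())

    # Constructed data: a readable root that references a child which is
    # more restricted than the root.  References are plain oids here.
    storage.store("root", b"refs: child", permission_id=1, user=admin)
    storage.store("child", b"secret", permission_id=5, user=admin)

    results = {}
    for user in (admin, guest):
        for oid in ("root", "child", "missing"):
            try:
                storage.load(oid, user)
                results[(user.name, oid)] = "ok"
            except AccessDeniedError:
                results[(user.name, oid)] = "denied"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print(key, outcome)
```

Because the check sits below the object graph, following a reference from root to child cannot bypass it: the child's own label is consulted on every load. The cost is that every load and store pays for the lookup, and the label table has to be kept consistent with the records (here it is rebuilt only through store, so an out-of-band write would leave an unlabelled, hence unreadable, object).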