Hello, I'm trying to design my first Pylons application with AuthKit. I went through some resources and particularly this one that helped me understand how to integrate AuthKit in Pylons:

http://pylonshq.com/project/pylonshq/wiki/PylonsWithAuthKitDatabase

But I'm trying to put down all the restriction levels I'll be faced with. There are three levels:

- Authentication: This only tells if a user is valid in the system or not.
- Authorization: This tells which pages / parts of the application the user can access. Say the "Client" page (read), but also the actions (create, edit, delete).
- Data filtering: Sometimes, I need to filter the displayed data depending on the user.

It's mostly about that last point where I'm not sure AuthKit can do it for me, but I'll ask anyway.

In my situation, we have a "management platform" to handle our clients and clients' shops (and many other stuff). So on the "clients" page, we have a listing of all our clients. When one of the clients is clicked, we get down to the client's shop listing. With the following scenario:

client: foo
  - fooshop1 (Mr Foo)
  - fooshop2 (Mr Foo)
  - fooshop3 (Mrs Foo)
client: bar
  - barshop1 (Mr Bar)

I want to give access to shop managers of client "foo", but they'd only be able to list their owned shops. Let's create two users: "Mr Foo" and "Mrs Foo", both with a "shop manager" role and as "foo" client. So "Mr Foo" logs in and only sees client "foo"; client "bar" is filtered out. Then he clicks on foo and sees only his owned shops: "fooshop1" and "fooshop2". "Mrs Foo" would access client "foo", but list "fooshop3" only. Same idea for user "Mr Bar": he wouldn't be able to browse into client foo's branch, only client "bar".

I guess this can not only be done with a validator at the controller or action level.

    from authkit.authorize.pylons_adaptors import authorize, authorize_request
    from authkit.permissions import HasAuthKitRole
    # BaseController, c and render_response come from the project's lib.base as usual

    class ClientController(BaseController):

        def __before__(self):
            # controller-wide check: every action needs one of these roles
            authorize_request(HasAuthKitRole(["admin", "shop_manager"]))

        def index(self):
            # do the client filtering / listing here
            c.client_list = ...  # query goes here
            return render_response("/client/index.mako")

        @authorize(HasAuthKitRole(["admin"]))
        def create(self, id):
            ...

        @authorize(HasAuthKitRole(["admin", "shop_manager"]))
        def update(self, id):
            ...

        @authorize(HasAuthKitRole(["admin"]))
        def delete(self, id):
            ...

Any idea how people handle this? It would be easy if the user was actually the creator of the shops he owns (one-to-many). But we (admins) create the shop, and only give access to the user later.

I guess it turns out that it's more a design question rather than an AuthKit one, but I thought I'd give it a try and someone could light up my mind, maybe organizing my application differently.

ps1: AFAIU, roles should be hardcoded. I guess you can't really create new roles in an application without modifying its source code.

ps2: it's unclear to me what the difference is between "roles" and "groups" in a user management system.

Regards,
--
Alexandre CONRAD

You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
http://groups.google.com/group/pylons-discuss?hl=en
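As an added example (my own sketch, not code from the post or from AuthKit), here is the three-level split in plain Python: role checks decide which clients a user may open, and a separate shop/manager assignment table, filled by admins after the shop is created, drives the data filtering. The User class, the sample users and the dict-based tables are assumptions standing in for the real models.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    client: Optional[str] = None   # None for admins, who are not tied to one client

# Constructed sample data mirroring the post's scenario (not a real database).
CLIENTS = {"foo", "bar"}
SHOPS = {"fooshop1": "foo", "fooshop2": "foo", "fooshop3": "foo",  # shop -> client
         "barshop1": "bar"}
# Ownership lives in its own assignment table (shop, manager), filled in by
# admins after the shop is created, so it does not depend on who created it.
SHOP_MANAGERS = {("fooshop1", "Mr Foo"), ("fooshop2", "Mr Foo"),
                 ("fooshop3", "Mrs Foo"), ("barshop1", "Mr Bar")}

MR_FOO = User("Mr Foo", frozenset({"shop_manager"}), "foo")
MRS_FOO = User("Mrs Foo", frozenset({"shop_manager"}), "foo")
MR_BAR = User("Mr Bar", frozenset({"shop_manager"}), "bar")
ADMIN = User("root", frozenset({"admin"}))

def owned_shops(user):
    return {shop for shop, manager in SHOP_MANAGERS if manager == user.name}

def visible_clients(user):
    """Level 2 (authorization): which clients this user may open at all."""
    if "admin" in user.roles:
        return set(CLIENTS)
    if "shop_manager" in user.roles and user.client in CLIENTS:
        return {user.client}
    return set()

def can_view_client(user, client):
    return client in visible_clients(user)

def visible_shops(user, client):
    """Level 3 (data filtering): the shop list for one client, cut down to the
    shops assigned to the user. An off-limits client raises instead of
    returning an empty list, so a denied request is not mistaken for 'no shops'."""
    if not can_view_client(user, client):
        raise PermissionError("%s may not view client %r" % (user.name, client))
    shops_of_client = {s for s, owner in SHOPS.items() if owner == client}
    if "admin" in user.roles:
        return shops_of_client
    return shops_of_client & owned_shops(user)
```

In a Pylons action the same two calls would run after the role decorator has passed, with the logged-in user's name taken from the AuthKit environ and the sets replaced by an ORM query joined on the assignment table.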
