Here's an approach that's worked for me.
First, I implement a root factory with a group_finder method.
Something like this:
class RootFactory(object):
__acl__ = [
(Allow, Everyone, 'view'),
]
def group_finder(self, userid):
return []
This is registered with the configuration as the default factory. I
specify a callback for my authentication policy that delegates the
group_finder to the current context.
def group_finder(userid, request):
return request.context.group_finder(user_id)
...
authn_policy = AuthTktAuthenticationPolicy(
'sosecret', callback=group_finder)
By default, this calls the RootFactory group_finder which assigns no
additional roles roles/groups.
For specific routes I add factories to load the appropriate task
instance. Since the group_finder is context aware it calls the
group_finder method of the task object.
My ACLs are defined at class level in the model
__acl__ = [
( Allow, 'group:owner', 'edit')
]
def group_finder(self, user_id):
if user_id == self.owner_id:
return ['group:owner']
else:
return []
You can check the groups of a user by calling the group_finder method
of an instance.
Writing this, it might make sense to have a mix-in class which
implements a default group_finder and has_group method which you could
throw into your models.
This approach has worked for me, but I doubt it's ideal. I'd love to
see more detail on instance level authorization added to the
documentation.
Brian
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.
