On Tue, Mar 13, 2012 at 11:52 PM, Mark <[email protected]> wrote:
> 1. Does the above scenario mean that EVERY time a brand is created in
> the system, I would have to generate for instance, "b1_create",
> "b1_read" .... "b1_delete", "b2_create", "b2_read", "b2_update" ...
> "b4_delete" permissions?
>
The way I would approach the problem is to have "create", "read" and
"delete" permissions. When accessing a context of type B, it would then
supply an __acl__ which is dynamically generated based on its origins. For
example:
    @property
    def __acl__(self):
        return [
            (Allow, 'editor', ('read', 'update')),
            (Allow, 'origin:' + self.origin, 'delete'),
        ]
With this, the object of type B has told us "who" is allowed to delete it.
Now when Timothy accesses the system, it would be the responsibility of the
authentication policy via the groupfinder to return a list of principals
for Timothy. For example, Timothy is from France, so you would add the
'origin:france' principal, and he is an editor so you would add the
'editor' principal. Now when the auth system compares B's ACL to Timothy's
principals, he will only have the delete permission if one of his
principals matches up with one of the ACEs providing delete.
> Another example would be something like:
>
> An agent of a company can make orders. However, he should only be
> able to select the products (this means read permission right?) from
> his country. If he is an agent of France, he can only make orders of
> products that are only for France, not those in Germany or Holland.
> How would the ACL for this work....?
>
Again, look at it from the perspective of the context (the object of
interest). That object (the product) should provide an ACL that tells the
auth system what principals are allowed to use it. For example the product
returns (Allow, 'agent_of_'+self.origin, 'read') where self is a product.
The auth system then compares these acls with the principals returned by
the authentication policy.
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
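The pattern described in the reply above (an origin-derived __acl__ on the context, a groupfinder that turns a user into principals, and an ACL comparison that grants a permission only when a principal matches an ACE), worked through as an added example that is not part of the original post. It does not import Pyramid: the `permits` function below is a small reimplementation of the first-matching-ACE rule of Pyramid's ACLAuthorizationPolicy (including walking `__parent__` for inherited ACLs), and the `Product`, `Catalog`, `USERS` table and the `agent_of_<origin>` / `origin:<origin>` principal names are constructed for illustration.

```python
"""Origin-scoped ACLs in the style of Pyramid's __acl__ (stand-alone, no pyramid import)."""
from typing import List, Optional, Tuple

# Stand-ins for pyramid.security names; a real app imports these from pyramid.security.
Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"
ALL_PERMISSIONS = object()  # sentinel meaning "every permission"

ACE = Tuple[str, str, object]  # (action, principal, permission-or-permissions)


class Catalog:
    """Root object: its ACL is inherited by every product whose __parent__ is this catalog."""

    __parent__ = None
    __acl__ = [(Allow, "admin", ALL_PERMISSIONS)]


class Product:
    """Context object whose ACL is generated from its country of origin (constructed)."""

    def __init__(self, name: str, origin: str, parent: Optional[Catalog] = None):
        self.name = name
        self.origin = origin
        self.__parent__ = parent

    @property
    def __acl__(self) -> List[ACE]:
        # Same shape as the snippet in the post: editors may read/update anything,
        # only agents from the product's origin may read it, and only principals
        # carrying that origin may delete it.
        return [
            (Allow, "editor", ("read", "update")),
            (Allow, "agent_of_" + self.origin, "read"),
            (Allow, "origin:" + self.origin, "delete"),
        ]


# Constructed user directory standing in for whatever the groupfinder would consult.
USERS = {
    "timothy": {"origin": "france", "roles": ["editor"]},
    "anna": {"origin": "germany", "roles": ["agent"]},
    "root": {"origin": "holland", "roles": ["admin"]},
}


def groupfinder(userid: str) -> Optional[List[str]]:
    """Extra principals for a user id; None means the user is unknown (as in Pyramid)."""
    record = USERS.get(userid)
    if record is None:
        return None
    principals = ["origin:" + record["origin"]]
    for role in record["roles"]:
        principals.append(role)
        if role == "agent":
            principals.append("agent_of_" + record["origin"])
    return principals


def effective_principals(userid: Optional[str]) -> List[str]:
    """Everyone always; Authenticated, the user id and groupfinder results only for known users."""
    principals = [Everyone]
    if userid is not None:
        groups = groupfinder(userid)
        if groups is not None:
            principals += [Authenticated, "u:" + userid] + groups
    return principals


def permits(context, principals: List[str], permission: str) -> bool:
    """First ACE whose principal matches and covers the permission decides (Allow or Deny).

    Walks from the context up through __parent__ so a root ACL applies to children.
    Nothing matching anywhere means denied. Reimplementation for illustration only.
    """
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", ()):
            if perms is not ALL_PERMISSIONS and isinstance(perms, str):
                perms = (perms,)
            covers = perms is ALL_PERMISSIONS or permission in perms
            if principal in principals and covers:
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False


def can(userid: Optional[str], context, permission: str) -> bool:
    """Convenience wrapper: authentication (principals) then authorization (ACL)."""
    return permits(context, effective_principals(userid), permission)


if __name__ == "__main__":
    catalog = Catalog()
    camembert = Product("camembert", "france", catalog)
    bratwurst = Product("bratwurst", "germany", catalog)
    for user in ("timothy", "anna", "root", "mallory", None):
        print(user, [can(user, p, "delete") for p in (camembert, bratwurst)])
```

The decisive point is the data flow: the product never mentions a user, and the groupfinder never mentions a product; the only place the two meet is the principal string, so moving an agent to another country changes one groupfinder result rather than any stored permission rows.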