In a standard TurboGears 2 project, Users can be members of Groups which
grant certain Permissions.
However, I am trying to configure the tg2 app using a who.ini file, allowing
LDAP users to log in as well as the standard users.
I am working on the repoze.who.plugins.ldap plugin.
This works fine so far, but the local users no longer have the group
and permission metadata set.

In my who.ini file I have:

use = repoze.who.plugins.sa:make_sa_user_mdprovider
user_class = prjmodel:User
dbsession = prj.model:DBSession

plugins =

This mdprovider only sets a few attributes from the User table, since it
doesn't know about the group and permission table.

In contrast the tg2 application config:

# Configure the authentication backend
base_config.auth_backend = 'sqlalchemy'
base_config.sa_auth.dbsession = model.DBSession
# what is the class you want to use to search for users in the database
base_config.sa_auth.user_class = model.User
# what is the class you want to use to search for groups in the database
base_config.sa_auth.group_class = model.Group
# what is the class you want to use to search for permissions in the
base_config.sa_auth.permission_class = model.Permission

Is there a way to configure the 'sqlalchemy' backend from tg2 in the
who.ini?

I don't really understand how tg2 initializes the repoze stuff and how
this can be overridden by the who.ini file.

As a final result, I should be able to grant Permissions to LDAP groups
in my application.
As the tg_group_permissions table in the database is not doing type or
consistency checking, I could easily put LDAP groups in there. This would
of course not be manageable by the catwalk engine, but by the management
frontend of my app.

Since this will be IMHO a common usage of LDAP Authentication in tg2 and
maybe other frameworks using repoze, this should maybe be implemented in the
repoze.who.plugins.ldap?

What are your insights on this?



Repoze-dev mailing list