I don't know if things have changed, but the last time I talked to Gustavo, 
this was an intrinsic limitation in repoze.what v1.  It doesn't handle 
context-sensitive authorization.

- C


On 2/15/10 10:19 AM, Tim Hoffman wrote:
> Hi
>
> I am trying to work out how I could protect a specific resource/entity
> using repoze.what.
>
> For instance I have a specific "Record", owned by a specific "User", and
> only a user with the "Owner" permission can "Edit" the record.
>
> I can't work out how you would assign "Owner" permission to the user only when
> accessing "Record".  i.e the user in question would not be owner of
> any other record.
>
> It seems the group source and permission source act on a global basis
> and aren't context aware.  And predicates check_authorization() calls
> only take a environ
> and therefore you can only protect things like URL's not entities.
>
> Am I trying to do something not possible/intended for repoze.what.
>
> I suppose I am looking for functionality similiar to zope2
> permissions/roles etc...
>
> T
> _______________________________________________
> Repoze-dev mailing list
> Repoze-dev@lists.repoze.org
> http://lists.repoze.org/listinfo/repoze-dev
>


-- 
Chris McDonough
Agendaless Consulting, Fredericksburg VA
The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev

Reply via email to