I don't know if things have changed, but the last time I talked to Gustavo, this was an intrinsic limitation in repoze.what v1. It doesn't handle context-sensitive authorization.
- C On 2/15/10 10:19 AM, Tim Hoffman wrote: > Hi > > I am trying to work out how I could protect a specific resource/entity > using repoze.what. > > For instance I have a specific "Record", owned by a specific "User", and > only a user with the "Owner" permission can "Edit" the record. > > I can't work out how you would assign "Owner" permission to the user only when > accessing "Record". i.e the user in question would not be owner of > any other record. > > It seems the group source and permission source act on a global basis > and aren't context aware. And predicates check_authorization() calls > only take a environ > and therefore you can only protect things like URL's not entities. > > Am I trying to do something not possible/intended for repoze.what. > > I suppose I am looking for functionality similiar to zope2 > permissions/roles etc... > > T > _______________________________________________ > Repoze-dev mailing list > Repoze-dev@lists.repoze.org > http://lists.repoze.org/listinfo/repoze-dev > -- Chris McDonough Agendaless Consulting, Fredericksburg VA The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book _______________________________________________ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
