Hi Chris.

I have been rereading the ACLs for repoze.bfg and am having trouble
getting my head around bits of it.

I could easily use repoze.bfg for this project, though I really don't
need all of bfg in this instance, so I was seeing if I could get by with
just bobo and repoze.what (oh, and I was hoping to leverage the openid
and various other authentication plugins for repoze.who).

But ignoring authentication for the moment.

Can you give me a hint on the approach I would take, because in my
example, if I wanted an ACL on the persistent model as per my original,
it would be declared something like the following.

(I am ignoring creation for the moment.) The goal is that only the owner
of a particular entity or a user with the site_manager role can edit it.
And I won't know someone is the owner until I have the object. I am
assuming you would have a sort of transient group "owner" and someone
would only be in it if they are the owner?

Then I could declare the owner permission etc. as follows:

from repoze.bfg.security import Allow, Everyone

__acl__ = [
    (Allow, Everyone, 'view'),
    (Allow, 'group:owner', 'edit'),
    (Allow, 'group:site_managers', 'edit'),
]

The bit I can't work out is how I would determine if the user is the
"owner" of the content.
Would that be through a custom AuthorizationPolicy or an AuthenticationPolicy?

Or am I thinking about this the wrong way around?

In zope2 a principal would have a number of potential roles dependent
on the context.  So I am trying to get that style of behaviour.


On Tue, Feb 16, 2010 at 1:27 AM, Chris McDonough <chr...@plope.com> wrote:
> I don't know if things have changed, but the last time I talked to Gustavo, 
> this was an intrinsic limitation in repoze.what v1.  It doesn't handle 
> context-sensitive authorization.
> - C
> On 2/15/10 10:19 AM, Tim Hoffman wrote:
>> Hi
>> I am trying to work out how I could protect a specific resource/entity
>> using repoze.what.
>> For instance I have a specific "Record", owned by a specific "User", and
>> only a user with the "Owner" permission can "Edit" the record.
>> I can't work out how you would assign the "Owner" permission to the user
>> only when accessing "Record", i.e. the user in question would not be
>> owner of any other record.
>> It seems the group source and permission source act on a global basis
>> and aren't context aware.  And predicates' check_authorization() calls
>> only take an environ, and therefore you can only protect things like
>> URLs, not entities.
>> Am I trying to do something not possible/intended for repoze.what?
>> I suppose I am looking for functionality similar to zope2
>> permissions/roles etc...
>> T
>> _______________________________________________
>> Repoze-dev mailing list
>> Repoze-dev@lists.repoze.org
>> http://lists.repoze.org/listinfo/repoze-dev
> --
> Chris McDonough
> Agendaless Consulting, Fredericksburg VA
> The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
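The context-sensitive "owner" check asked about in the message above, as an added example that is not from this thread and not repoze.bfg's own code: instead of a transient "group:owner", the ACL is computed on the entity itself so the owner's userid appears in it directly, while a site-wide ACL on a parent object grants site managers 'edit'. The Site and Record classes, the GROUPS mapping, the two sample records and the small permits() evaluator are all constructed for illustration; permits() only mimics the first-matching-ACE, walk-the-__parent__-chain semantics of repoze.bfg's ACLAuthorizationPolicy and is not a drop-in for it.

```python
# Added example, not from the thread and not repoze.bfg's own code.
# Demonstrates a per-object "owner" check by computing the ACL on the
# entity itself; permits() is a small stand-in that only mimics the
# first-matching-ACE semantics of repoze.bfg's ACLAuthorizationPolicy.

Allow = "Allow"
Deny = "Deny"                         # terminal like Allow; unused in the sample ACLs
Everyone = "system.Everyone"          # same spelling as repoze.bfg.security
Authenticated = "system.Authenticated"


class Site:
    """Root object (constructed). Its ACL is inherited by every Record below it."""
    __parent__ = None
    __acl__ = [
        (Allow, Everyone, "view"),
        (Allow, "group:site_managers", "edit"),
    ]


class Record:
    """Persistent entity with a single owner (constructed for this example)."""

    def __init__(self, parent, owner_userid):
        self.__parent__ = parent
        self.owner_userid = owner_userid

    @property
    def __acl__(self):
        # Computed per instance: the owner's userid is named directly, so no
        # transient "group:owner" is needed and no other record is affected.
        return [
            (Allow, Everyone, "view"),
            (Allow, self.owner_userid, "edit"),
        ]


# Constructed sample group membership; a real deployment would get this
# from a groupfinder callback on the authentication policy.
GROUPS = {"bob": ["group:site_managers"]}


def effective_principals(userid, groups=GROUPS):
    """What an authentication policy would report for a request
    (None means anonymous)."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid] + list(groups.get(userid, []))
    return principals


def permits(context, principals, permission):
    """Walk context, then its __parent__ chain; the first ACE whose
    principal is held and whose permission matches decides. Allow and
    Deny are both terminal; no matching ACE means deny."""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", []):
            if isinstance(perms, str):
                perms = [perms]
            if principal in principals and permission in perms:
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False


def can(userid, record, permission):
    """Can `userid` (None = anonymous) perform `permission` on `record`?"""
    return permits(record, effective_principals(userid), permission)


# Constructed data: two records with different owners under one site.
SITE = Site()
ALICES_RECORD = Record(SITE, "alice")
CAROLS_RECORD = Record(SITE, "carol")

if __name__ == "__main__":
    for user in (None, "alice", "bob", "carol"):
        print(user, "edit alice's record:", can(user, ALICES_RECORD, "edit"))
```

Because the ACL is a property of the object, the answer to "is this user the owner?" is only computed once the object has been traversed to, which is exactly the point at which the question becomes answerable; the authentication side only has to supply the userid and global groups, and the ACL on the parent keeps the site_managers grant in one place.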