Tim Hoffman wrote:
> Hi Chris.
>
> I have been rereading the ACLs for repoze.bfg and am having trouble
> getting my head around bits of it.
>
> I could easily use repoze.bfg for this project, though I really don't
> need all of bfg in this instance, so was
> seeing if I could get by with just bobo and repoze.what (oh and I was
> hoping to leverage of the openid
> and various other authent plugins for repoze.who).
>
> But ignoring authentication for the moment.
>
> Can you give me a hint on the approach I would take, because in my example
> If I wanted an ACL on the persistent model as per my original it would
> be declared something like the following.
>
> (I am ignoring creation for the moment.) The goal is only the owner of
> a particular entity
> or a user with the site_manager role can edit it.  And I won't know
> someone is owner until I have the
> object. I am assuming you would have a sort of transient group "owner"
> and someone would only be
> in it if they are the owner ?
>
> Then I could declare the owner permission etc. as follows
>
> from repoze.bfg.security import Allow, Everyone
>
> __acl__ = [
>     (Allow, Everyone, 'view'),
>     (Allow, 'group:owner', 'edit'),
>     (Allow, 'group:site_managers', 'edit'),
>     ]

Why would the group be called 'owner'?  Group memberships are "global",
not local.  Most likely you wouldn't use a group for the owner bits at
all, but just have the ACL name the users with what in Zope you would
call the "owner local role".  E.g.:

  from repoze.bfg.security import Allow, Everyone

  __acl__ = [
      (Allow, Everyone, 'view'),
      (Allow, 'phred', 'edit'),
      (Allow, 'group:site_managers', 'edit'),
      ]

If more than one user can be the owner ("have the owner local role", in
Z2-speak), then just add an ACE for each blessed user.


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
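
Added example (not part of the message above and not repoze.bfg's own code): a simplified first-match ACL check showing the per-object owner ACE the reply describes, next to the global 'group:owner' ACL from the question. Entity, GLOBAL_GROUPS, the user ids other than phred, and the local Allow/Deny/Everyone constants are assumptions made for illustration.

```python
# Added illustration: a simplified first-match ACL check, NOT repoze.bfg's code.
# Allow, Deny, Everyone are local stand-ins for the names in repoze.bfg.security.
Allow, Deny, Everyone = "Allow", "Deny", "system.Everyone"

# Constructed sample data: group membership is global (per user, not per object).
GLOBAL_GROUPS = {"phred": [], "bharney": [], "wilma": ["group:site_managers"]}


def effective_principals(userid):
    """Everyone, plus the user id and its global groups when authenticated."""
    if userid is None:
        return {Everyone}
    return {Everyone, userid, *GLOBAL_GROUPS.get(userid, [])}


def permits(acl, userid, permission):
    """First ACE matching principal and permission decides; default deny."""
    principals = effective_principals(userid)
    for action, principal, perm in acl:
        if principal in principals and perm == permission:
            return action == Allow
    return False


class Entity:
    """Hypothetical persistent model; the ACL is built per instance."""

    def __init__(self, owners):
        self.owners = list(owners)

    @property
    def __acl__(self):
        acl = [(Allow, Everyone, "view")]
        # One ACE per owner: the "local role" lives in this object's ACL.
        acl += [(Allow, owner, "edit") for owner in self.owners]
        acl.append((Allow, "group:site_managers", "edit"))
        return acl


def global_owner_group_acl():
    """The ACL from the question: 'group:owner' cannot vary per object."""
    return [(Allow, Everyone, "view"), (Allow, "group:owner", "edit"),
            (Allow, "group:site_managers", "edit")]
```

With the per-instance ACL, phred can edit only the entities that list him as an owner; with the group-based ACL, anyone placed in 'group:owner' can edit every object carrying that ACL.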
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
