
Tim Hoffman wrote:
> Hi Chris.
> I have been rereading the ACLs for repoze.bfg and am having trouble
> getting my head around bits of it.
> I could easily use repoze.bfg for this project, though I really don't
> need all of bfg in this instance, so I was seeing if I could get by with
> just bobo and repoze.what (oh, and I was hoping to leverage the openid
> and various other authentication plugins for repoze.who).
> But ignoring authentication for the moment.
> Can you give me a hint on the approach I would take, because in my
> example, if I wanted an ACL on the persistent model as per my original,
> it would be declared something like the following.
> (I am ignoring creation for the moment.) The goal is that only the owner
> of a particular entity or a user with the site_manager role can edit it.
> And I won't know someone is the owner until I have the object. I'm
> assuming you would have a sort of transient group "owner" and someone
> would only be in it if they are the owner?
> Then I could declare the owner permission etc. as follows:
> from repoze.bfg.security import Allow, Everyone
>
> __acl__ = [
>     (Allow, Everyone, 'view'),
>     (Allow, 'group:owner', 'edit'),
>     (Allow, 'group:site_managers', 'edit'),
>     ]

Why would the group be called 'owner'?  Group memberships are "global",
not local.  Most likely you wouldn't use a group for the "owner" bits at
all, but just have the ACL name the users with what in Zope you would
call the "owner" local role.  E.g.:

 from repoze.bfg.security import Allow, Everyone

 __acl__ = [
     (Allow, Everyone, 'view'),
     (Allow, 'phred', 'edit'),
     (Allow, 'group:site_managers', 'edit'),
     ]

If more than one user can be the owner ("have the owner local role", in
Z2-speak), then just add an ACE for each blessed user.

-- 
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
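The following is an added, stand-alone example (not repoze.bfg's code and not part of the thread) that models the ACL semantics discussed above: the owner is named directly in the per-object ACL, site managers arrive through a global group, and the first matching ACE decides. The user ids, the group table and the document ACL are constructed for the example; the constant values mirror repoze.bfg.security but are defined locally so the script runs offline.

```python
# Added example: a minimal evaluator for repoze.bfg-style ACLs.
# Constants follow repoze.bfg.security's values but are defined here so
# the script is self-contained.
Allow = 'Allow'
Deny = 'Deny'
Everyone = 'system.Everyone'
Authenticated = 'system.Authenticated'

# Constructed sample ACL for a document owned by user 'phred'.
doc_acl = [
    (Allow, Everyone, 'view'),
    (Allow, 'phred', 'edit'),
    (Allow, 'group:site_managers', 'edit'),
]

# Constructed global group memberships (what an authentication policy
# would normally supply; group membership is global, not per object).
GROUPS = {
    'phred': [],
    'mary': ['group:site_managers'],
    'bob': [],
}


def effective_principals(userid):
    """Principals a request carries: Everyone always; Authenticated, the
    userid and its global groups when logged in (userid None = anonymous)."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid] + GROUPS.get(userid, [])
    return principals


def has_permission(permission, acl, principals):
    """First ACE whose principal is held and whose permissions include the
    requested one decides; no matching ACE means denied (deny by default)."""
    for action, principal, perms in acl:
        if isinstance(perms, str):
            perms = [perms]
        if principal in principals and permission in perms:
            return action == Allow
    return False


def make_owner_acl(owners):
    """Build the per-object ACL: one 'edit' ACE per owner userid ("an ACE for
    each blessed user"), plus the global site_managers group."""
    acl = [(Allow, Everyone, 'view')]
    acl += [(Allow, owner, 'edit') for owner in owners]
    acl.append((Allow, 'group:site_managers', 'edit'))
    return acl


def can_edit(userid, acl=doc_acl):
    return has_permission('edit', acl, effective_principals(userid))


def can_view(userid, acl=doc_acl):
    return has_permission('view', acl, effective_principals(userid))
```

Because the ACL lives on the persistent object, the owner's userid is known by the time the ACL is consulted, so no transient "owner" group is needed.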