Hi Tres

I was hoping to declare the local role equivalent at the class level,
but following from what you said

I have a class declaration for "site_manager" and persist
a user/owner declaration on the object at creation time?

Then when I retrieve the entity from the app engine datastore
have a __acl__ property accessor which
then merges the class declaration with the persisted additional
definition of owner.

Does that sound like an appropriate approach?


On Tue, Feb 16, 2010 at 6:36 AM, Tres Seaver <tsea...@palladion.com> wrote:
> Tim Hoffman wrote:
>> Hi Chris.
>> I have been rereading the ACL's for repoze.bfg and am having trouble
>> getting my head around bits of it.
>> I could easily use repoze.bfg for this project, though I really don't
>> need all of bfg in this instance, so was
>> seeing if I could get by with just bobo and repoze.what (oh and I was
>> hoping to leverage the openid
>> and various other authentication plugins for repoze.who).
>> But ignoring authentication for the moment.
>> Can you give me a hint on the approach I would take because in my example
>> if I wanted an ACL on the persistent model as per my original it would
>> be declared something like the following.
>> (I am ignoring creation for the moment.) The goal is only the owner of
>> a particular entity
>> or a user with the site_manager role can edit it.  And I won't know
>> someone is owner until I have the
>> object. I'm assuming you would have a sort of transient group "owner"
>> and someone would only be
>> in it if they are the owner?
>> Then I could declare the owner permission etc. as follows
>> # Everyone is also exported by repoze.bfg.security
>> from repoze.bfg.security import Allow, Everyone
>> __acl__ = [
>>     (Allow, Everyone, 'view'),
>>     (Allow, 'group:owner', 'edit'),
>>     (Allow, 'group:site_managers', 'edit'),
>>     ]
> Why would the group be called 'owner'?  Group memberships are "global",
> not local.  Most likely you wouldn't use a group for the owner bits at
> all, but just have the ACL name the users with what in Zope you would
> call the "owner local role".  E.g.:
> # Everyone is also exported by repoze.bfg.security
> from repoze.bfg.security import Allow, Everyone
> __acl__ = [
>     (Allow, Everyone, 'view'),
>     (Allow, 'phred', 'edit'),
>     (Allow, 'group:site_managers', 'edit'),
>     ]
> If more than one user can be the owner ("have the owner local role", in
> Z2-speak), then just add an ACE for each blessed user.
> Tres.
> --
> ===================================================================
> Tres Seaver          +1 540-429-0999          tsea...@palladion.com
> Palladion Software   "Excellence by Design"    http://palladion.com
Repoze-dev mailing list

The approach Tim sketches at the top of this message (a class-level ACL merged with a persisted owner ACE through an __acl__ property) as an added example; this is not code from the thread or from repoze.bfg. Allow, Deny and Everyone are local stand-ins for the names repoze.bfg.security exports, `Document`, its `owner` field and the `permits` checker are hypothetical, and `permits` only mimics first-match ACL evaluation for illustration.

```python
# Added example (not from the thread): a class-level ACL merged with a
# per-instance owner ACE through an __acl__ property, as Tim proposes.
# Allow, Deny and Everyone stand in for the names repoze.bfg.security
# exports; the small checker below mimics first-match ACL evaluation and
# is an illustration, not the library's own code.
Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"


class Document:
    """Entity whose owner is only known once it is loaded from the datastore."""

    # Static part of the policy, declared once for the class.
    __acl_base__ = [
        (Allow, Everyone, "view"),
        (Allow, "group:site_managers", "edit"),
    ]

    def __init__(self, owner):
        # Persisted with the entity at creation time (hypothetical field name).
        self.owner = owner

    @property
    def __acl__(self):
        # Merge: the owner ACE goes first so it is matched before any general
        # entry; the class-level list itself is never mutated.
        return [(Allow, self.owner, "edit")] + list(self.__acl_base__)


def permits(obj, principals, permission):
    """First matching ACE wins, as in repoze.bfg; no match means denied."""
    for action, principal, perms in obj.__acl__:
        if principal not in principals:
            continue
        if isinstance(perms, str):
            perms = [perms]
        if permission in perms:
            return action == Allow
    return False


if __name__ == "__main__":
    doc = Document(owner="phred")
    print(permits(doc, {"phred", Everyone}, "edit"))                       # True
    print(permits(doc, {"bob", Everyone}, "edit"))                         # False
    print(permits(doc, {"bob", "group:site_managers", Everyone}, "edit"))  # True
    print(permits(doc, {"bob", Everyone}, "view"))                         # True
```

Because the owner ACE is computed from the loaded entity rather than from a global group, two documents with different owners get different ACLs while sharing one class declaration.
<test>
doc = Document(owner="phred")
assert permits(doc, {"phred", Everyone}, "edit") is True
assert permits(doc, {"bob", Everyone}, "edit") is False
assert permits(doc, {"bob", "group:site_managers", Everyone}, "edit") is True
assert permits(doc, {"bob", Everyone}, "view") is True
assert permits(doc, {"bob"}, "view") is False
assert doc.__acl__[0] == (Allow, "phred", "edit")
assert len(Document.__acl_base__) == 2
other = Document(owner="alice")
assert permits(other, {"phred", Everyone}, "edit") is False
assert permits(other, {"alice", Everyone}, "edit") is True
</test>
