You might choose to not have a special owner principal if you're already 
generating the __acl__ via a property.  Instead, you might just think of 
"owner" as a set of permission names, and generate "the right" ACL.

For instance, if you store a set of owner names as the "owners" attribute of a 
model (when the model is created or modified):

    >>> model.owners
    ['tim', 'chris']

And you have, somewhere in your code, something like the following:

    OWNER_PERMISSIONS = ('read', 'write', 'delete')

Something like this can be done in your __acl__ property:

    # requires: from repoze.bfg.security import Allow
    @property
    def __acl__(self):
        acl = []
        for owner in self.owners:
            acl.append((Allow, owner, OWNER_PERMISSIONS))
        # ... other mutations to the acl ...
        return acl

Then if you need to show the owners in the UI, use model.owners, and don't try 
to imply any ownership info from the ACL itself.

On 2/15/10 6:52 PM, Tim Hoffman wrote:
> Hi
> I could at the very least evaluate the Owner special principal
> into the real owner, when I provide the __acl__ registration via the
> property accessor
> Most of the project is defined in a uml model and the code is being
> generated. So
> declaring the permissions where possible in the model means I need to use
> abstractions representing things like Owner in the model
> T
> On Tue, Feb 16, 2010 at 7:49 AM, Tim Hoffman wrote:
>> Hi Tres
>> The last thing I would love to be able to do would be to declare the
>> permissions
>> at the class level
>> as in
>> (Allow, Owner, "edit")
>> And have Owner as a special principal like Everyone,
>> that allows me to declare the permission. But only evaluates "owner"
>> when the permission is checked
>> Do you think that could work, I haven't worked out how I could
>> implement that though.
>> T
>> On Tue, Feb 16, 2010 at 7:24 AM, Tres Seaver wrote:
>>> Tim Hoffman wrote:
>>>> I was hoping to declare the local role equivalent at the class level,
>>>> but following from what you said
>>>> I have a class declaration for "site_manager" and persist
>>>> a user/owner declaration on the object at creation time?
>>>> Then when I retrieve the entity from the app engine datastore
>>>> have a __acl__ property accessor which
>>>> then merges the class declaration with the persisted addition
>>>> definition of owner.
>>>> Does that sound like an appropriate approach?
>>> That sounds like it would work, yes.
>>> Tres.
>>> - --
>>> ===================================================================
>>> Tres Seaver          +1 540-429-0999
>>> Palladion Software   "Excellence by Design"

Chris McDonough
Agendaless Consulting, Fredericksburg VA
The repoze.bfg Web Application Framework Book:
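
The approach from the reply at the top of this message (owner names stored on the model, with the ACL generated on each access and merged with a class-level declaration), as an added example that is not code from the thread or from repoze.bfg. `Document`, `CLASS_ACL`, `permits` and the local `Allow`/`Deny`/`Everyone` constants are assumptions standing in for the framework's ACL constants and its first-match check, so the block runs without the framework installed.

```python
# Added illustration; not code from repoze.bfg or from the thread.
# Allow/Deny/Everyone and permits() are local stand-ins (assumptions) for the
# framework's ACL constants and its first-match ACL check.
Allow, Deny, Everyone = "Allow", "Deny", "system.Everyone"
OWNER_PERMISSIONS = ("read", "write", "delete")


class Document:
    # Class-level declaration shared by every instance (hypothetical name).
    CLASS_ACL = [
        (Allow, "group:site_manager", ("read", "write", "delete")),
        (Allow, Everyone, ("read",)),
        (Deny, Everyone, ("write", "delete")),
    ]

    def __init__(self, owners):
        # Persisted on the object when it is created or modified.
        self.owners = list(owners)

    @property
    def __acl__(self):
        # Owner entries are rebuilt from the stored names on every access and
        # placed first, so they match before the class-level Deny.
        acl = [(Allow, owner, OWNER_PERMISSIONS) for owner in self.owners]
        acl.extend(self.CLASS_ACL)
        return acl


def permits(context, principals, permission):
    """First matching entry wins; no match at all means denied."""
    for action, principal, permissions in context.__acl__:
        if principal in principals and permission in permissions:
            return action == Allow
    return False


def check_all():
    doc = Document(owners=["tim", "chris"])  # constructed sample data
    tim, bob = ["tim", Everyone], ["bob", Everyone]
    manager = ["alice", "group:site_manager", Everyone]
    results = {
        "owner_can_delete": permits(doc, tim, "delete"),
        "other_can_read": permits(doc, bob, "read"),
        "other_can_write": permits(doc, bob, "write"),
        "manager_can_write": permits(doc, manager, "write"),
    }
    doc.owners.remove("tim")  # ownership revoked on the model
    results["ex_owner_can_delete"] = permits(doc, tim, "delete")
    return results
```

Because the owner entries are derived from `owners` on each access, removing a name revokes the permissions on the next check, and the UI can list `doc.owners` directly without parsing the ACL.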