Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.

2010-02-16 Thread Tim Hoffman
Hi Chris

Yeah, after Tres' response, and thinking further on the abstractions, I
am thinking along similar lines, sort of collapsing the notion of a role
and permission together.

Thanks for the input.  I am pretty sure this is the path I will take.

It seems to play nicer with what I am trying to achieve than
repoze.what predicates which seem to not suit context evaluation.

I will get my uml - python generator to spit out routes and bfg views
and think about how I want to annotate the model
to support the acl declarations.

Thanks everyone for the input.

T

On Tue, Feb 16, 2010 at 9:07 PM, Chris McDonough chr...@plope.com wrote:
 You might choose to not have a special owner principal if you're already
 generating the __acl__ via a property.  Instead, you might just think of
 owner as a set of permission names, and generate the right ACL.

 For instance, if you store a set of owner names as the owners attribute of
 a model (when the model is created or modified):

   >>> model.owners
   ['tim', 'chris']

 And you have, somewhere in your code, something like the following:

   OWNER_PERMISSIONS = ('read', 'write', 'delete')

 Something like this can be done in your __acl__ property:

   from repoze.bfg.security import Allow

   @property
   def __acl__(self):
       acl = []
       for owner in self.owners:
           acl.append((Allow, owner, OWNER_PERMISSIONS))
       # ... other mutations to the acl ...
       return acl

 Then if you need to show the owners in the UI, use model.owners, and don't
 try to imply any ownership info from the ACL itself.


 On 2/15/10 6:52 PM, Tim Hoffman wrote:

 Hi

 I could at the very least evaluate the Owner special principal
 into the real owner, when I provide the __acl__ registration via the
 property accessor

 Most of the project is defined in a uml model and the code is being
 generated. So declaring the permissions where possible in the model
 means I need to use abstractions representing things like Owner in the
 model.

 T

 On Tue, Feb 16, 2010 at 7:49 AM, Tim Hoffman zutes...@gmail.com wrote:

 Hi Tres

 The last thing I would love to be able to do would be to declare the
 permissions at the class level

 as in

 (Allow, Owner, edit)

 And have Owner as a special principal like Everyone,
 that allows me to declare the permission, but only evaluates the owner
 when the permission is checked.

 Do you think that could work? I haven't worked out how I could
 implement that though.

 T

 On Tue, Feb 16, 2010 at 7:24 AM, Tres Seaver tsea...@palladion.com wrote:


 Tim Hoffman wrote:

 I was hoping to declare the local role equivalent at the class level,
 but following from what you said

 I have a class declaration for site_manager and persist
 a user/owner declaration on the object at creation time?

 Then when I retrieve the entity from the app engine datastore
 have a __acl__ property accessor which
 then merges the class declaration with the persisted addition
 definition of owner.

 Does that sound like an appropriate approach?

 That sounds like it would work, yes.


 Tres.
 --
 Tres Seaver          +1 540-429-0999          tsea...@palladion.com
 Palladion Software   Excellence by Design    http://palladion.com


 ___
 Repoze-dev mailing list
 Repoze-dev@lists.repoze.org
 http://lists.repoze.org/listinfo/repoze-dev



 --
 Chris McDonough
 Agendaless Consulting, Fredericksburg VA
 The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book



Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.

2010-02-16 Thread Chris McDonough
On 2/16/10 8:46 AM, Tim Hoffman wrote:
 Hi Chris

 Yeah, after Tres' response, and thinking further on the abstractions, I
 am thinking along similar lines, sort of collapsing the notion of a role
 and permission together.

Even in Zope, roles are effectively just collections of permissions.  If it 
helps to think of it this way, you could consider the permissions you assign to 
owner a role, e.g.:

OWNER_ROLE = ('read', 'edit', 'delete')

 Thanks for the input.  I am pretty sure this is the path I will take.

Hope it works out!


 It seems to play nicer with what I am trying to achieve than
 repoze.what predicates which seem to not suit context evaluation.

 I will get my uml - python generator to spit out routes and bfg views
 and think about how I want to annotate the model
 to support the acl declarations.

 Thanks everyone for the input.

 T

-- 
Chris McDonough
Agendaless Consulting, Fredericksburg VA
The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
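
The approach settled on in this thread (a class-level declaration merged with persisted owners inside an `__acl__` property), shown end to end as an added example; it is not code from the posters or from repoze.bfg. `Document`, `CLASS_ACL`, `ALL` and `permits` are hypothetical names, `Allow`/`Deny`/`Everyone` are local stand-ins for the framework constants, and `permits` is a simplified single-context, first-match check rather than the framework's authorization policy.

```python
# Local stand-ins for repoze.bfg.security's Allow / Deny / Everyone, so the
# example runs without the framework installed.
Allow, Deny, Everyone = "Allow", "Deny", "system.Everyone"
ALL = object()  # hypothetical sentinel meaning "every permission"

OWNER_PERMISSIONS = ("read", "write", "delete")  # the owner "role"


class Document:
    # Class-level declaration, shared by all instances (assumed policy).
    CLASS_ACL = [
        (Allow, "group:site_manager", ("read", "write", "delete")),
        (Allow, Everyone, ("read",)),
    ]

    def __init__(self, owners):
        self.owners = list(owners)  # persisted with the entity

    @property
    def __acl__(self):
        # Rebuilt on every access: owner entries first, then the class
        # declaration, then an explicit deny-all as the last entry.
        acl = [(Allow, owner, OWNER_PERMISSIONS) for owner in self.owners]
        acl.extend(self.CLASS_ACL)
        acl.append((Deny, Everyone, ALL))
        return acl


def permits(context, principals, permission):
    """Simplified single-context check: the first matching entry decides."""
    effective = set(principals) | {Everyone}
    for action, principal, permissions in context.__acl__:
        if principal in effective and (
            permissions is ALL or permission in permissions
        ):
            return action == Allow
    return False  # no entry matched: deny by default


if __name__ == "__main__":
    doc = Document(owners=["tim", "chris"])  # constructed sample data
    print(permits(doc, ["tim"], "delete"))   # owner
    print(permits(doc, ["bob"], "delete"))   # non-owner
    doc.owners.remove("tim")                 # ownership revoked in the model
    print(permits(doc, ["tim"], "delete"))
```

Because the ACL is generated from `owners` on each access, removing a name from the model revokes that user's owner permissions on the next check, with no stale ACL entry to clean up.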