Re: ownership authorization

2011-06-18 Thread Michael Merickel
Look at my pyramid auth demo on github. It explains how you can use url dispatch along with a resource tree to do row-level authentication. It basically boils down to creating a dynamic __acl__ property on your resource object that will return entries for only users that own your object.
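
The dynamic __acl__ idea from the post above, as an added example that is not part of the original thread or of the demo it mentions. The Document class, factory, sample rows and helper names are hypothetical, and the constants and permits() are simplified stand-ins for pyramid.security and Pyramid's ACL authorization policy so the block runs without Pyramid installed.

```python
# Stand-ins for pyramid.security constants (assumption: lets this run offline).
ALLOW, DENY = "Allow", "Deny"
EVERYONE = "system.Everyone"
ALL_PERMISSIONS = object()  # sentinel standing in for Pyramid's ALL_PERMISSIONS


class Document:
    """Hypothetical row-level resource built by a route factory."""

    def __init__(self, doc_id, owner_id):
        self.doc_id = doc_id
        self.owner_id = owner_id

    @property
    def __acl__(self):
        # Computed per instance: only the owning user's principal gets an Allow.
        return [
            (ALLOW, self.owner_id, ("view", "edit")),
            (ALLOW, "group:admins", ALL_PERMISSIONS),
            (DENY, EVERYONE, ALL_PERMISSIONS),  # explicit default deny
        ]


def permits(context, principals, permission):
    """Simplified first-match ACL check (no parent/lineage walk)."""
    for action, principal, perms in context.__acl__:
        if principal not in principals:
            continue
        if perms is ALL_PERMISSIONS or permission in perms:
            return action == ALLOW
    return False  # no ACE matched: deny


# Constructed sample data standing in for a database lookup.
ROWS = {1: "alice", 2: "bob"}


def document_factory(matchdict):
    """Hypothetical route factory: load the row named by matchdict['id']."""
    doc_id = int(matchdict["id"])
    if doc_id not in ROWS:
        raise KeyError(doc_id)  # fail closed; a view layer would map this to 404
    return Document(doc_id, ROWS[doc_id])


def can(user, groups, doc_id, permission):
    """Build the caller's principals and check them against the row's ACL."""
    principals = {EVERYONE, user, *groups}
    return permits(document_factory({"id": str(doc_id)}), principals, permission)
```

The ownership decision lives on the resource, so a view only declares the permission it needs and never compares user ids itself.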

ownership authorization

2011-06-17 Thread Jason
Has anyone implemented an authorization check that can look up whether the current user owns the object they are trying to access? For instance, using repoze.what I would have made a custom predicate which retrieves the object's id from request.matchdict['id'] and looks up if the current user

Re: ownership authorization

2011-06-17 Thread Thomas G. Willis
I've done it with traversal and didn't need to use repoze.what. Basically you just derive your __acl__ attribute any way you wish. The trick is getting the user associated with the request, but if you are passing in the request to your root_factory function that shouldn't be too much of a

Re: ownership authorization

2011-06-17 Thread Jason
I am using url dispatch so it's a little different than using the resources, and I just decided to implement repoze.what because it seems easier than I initially thought (after figuring out how to add the middleware). The only thing I am having trouble with is getting the request in my custom