Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hi Chris

Yeah, after Tres' response, and thinking further on the abstractions, I'm thinking along similar lines, sort of collapsing the notion of a role and permission together.

Thanks for the input. I am pretty sure this is the path I will take. It seems to play nicer with what I am trying to achieve than repoze.what predicates, which seem to not suit context evaluation.

I will get my uml - python generator to spit out routes and bfg views and think about how I want to annotate the model to support the acl declarations.

Thanks everyone for the input.

T

On Tue, Feb 16, 2010 at 9:07 PM, Chris McDonough <chr...@plope.com> wrote:
> You might choose to not have a special owner principal if you're already
> generating the __acl__ via a property. Instead, you might just think of
> owner as a set of permission names, and generate the right ACL.
>
> For instance, if you store a set of owner names as the owners attribute
> of a model (when the model is created or modified):
>
>     model.owners = ['tim', 'chris']
>
> And you have, somewhere in your code, something like the following:
>
>     OWNER_PERMISSIONS = ('read', 'write', 'delete')
>
> Something like this can be done in your __acl__ property:
>
>     acl = []
>     for owner in self.owners:
>         acl.append((Allow, owner, OWNER_PERMISSIONS))
>     ... other mutations to the acl ...
>     return acl
>
> Then if you need to show the owners in the UI, use model.owners, and
> don't try to imply any ownership info from the ACL itself.
>
> On 2/15/10 6:52 PM, Tim Hoffman wrote:
>> Hi
>>
>> I could at the very least evaluate the Owner special principal into the
>> real owner, when I provide the __acl__ registration via the property
>> accessor.
>>
>> Most of the project is defined in a uml model and the code is being
>> generated. So declaring the permissions where possible in the model
>> means I need to use abstractions representing things like Owner in the
>> model.
>>
>> T
>
> --
> Chris McDonough
> Agendaless Consulting, Fredericksburg VA
> The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book

___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
On 2/16/10 8:46 AM, Tim Hoffman wrote:
> Hi Chris
>
> Yeah, after Tres' response, and thinking further on the abstractions,
> I'm thinking along similar lines, sort of collapsing the notion of a
> role and permission together.

Even in Zope, roles are effectively just collections of permissions. If it helps to think of it this way, you could consider the permissions you assign to owner a role, e.g.:

    OWNER_ROLE = ('read', 'edit', 'delete')

> Thanks for the input. I am pretty sure this is the path I will take.

Hope it works out!

> It seems to play nicer with what I am trying to achieve than repoze.what
> predicates, which seem to not suit context evaluation.
>
> I will get my uml - python generator to spit out routes and bfg views
> and think about how I want to annotate the model to support the acl
> declarations.
>
> Thanks everyone for the input.
>
> T

--
Chris McDonough
Agendaless Consulting, Fredericksburg VA
The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
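As an added example (not code from this thread or from repoze.bfg), here is the approach Chris and Tres converge on, run end to end: a Record stores its owners, its __acl__ property merges per-owner ACEs with a class-level ACL, and a first-match evaluator in the style of repoze.bfg's ACLAuthorizationPolicy decides whether a set of principals gets a permission. Allow, Deny, Everyone and ALL_PERMISSIONS are local stand-ins for the names in repoze.bfg.security; the Record class, the user ids and the site_managers group are constructed.

```python
# Stand-ins for repoze.bfg.security names so this runs without repoze.bfg.
Allow = 'Allow'
Deny = 'Deny'
Everyone = 'system.Everyone'
ALL_PERMISSIONS = object()

# The "owner role": the set of permission names every owner gets.
OWNER_PERMISSIONS = ('read', 'edit', 'delete')


class Record(object):
    """Constructed persisted entity. `owners` is stored with the record when
    it is created or modified; the ACL is generated from it on demand, so
    ownership lives in the data, not in the ACL."""

    # Class-level ACEs shared by every Record (the "class declaration").
    class_acl = [
        (Allow, Everyone, 'read'),
        (Allow, 'group:site_managers', ('read', 'edit', 'delete')),
    ]

    def __init__(self, record_id, owners):
        self.id = record_id
        self.owners = list(owners)

    @property
    def __acl__(self):
        # Per-owner ACEs first, then the shared class-level ACEs, then an
        # explicit default deny so nothing falls through by accident.
        acl = [(Allow, owner, OWNER_PERMISSIONS) for owner in self.owners]
        acl.extend(self.class_acl)
        acl.append((Deny, Everyone, ALL_PERMISSIONS))
        return acl


def permits(acl, principals, permission):
    """First matching ACE wins, as in repoze.bfg's ACLAuthorizationPolicy."""
    for action, principal, perms in acl:
        if principal not in principals:
            continue
        if perms is ALL_PERMISSIONS:
            matched = True
        elif isinstance(perms, str):
            matched = perms == permission
        else:
            matched = permission in perms
        if matched:
            return action == Allow
    return False  # no ACE mentioned this principal/permission: deny


def effective_principals(userid, groups=()):
    """What an authentication policy hands the ACL check: Everyone, the
    user id and its group principals (constructed, not from repoze.who)."""
    principals = {Everyone}
    if userid is not None:
        principals.add(userid)
        principals.update('group:%s' % g for g in groups)
    return principals


def can_edit(record, userid, groups=()):
    """True if `userid` may edit `record`: owner of this record or site manager."""
    return permits(record.__acl__, effective_principals(userid, groups), 'edit')
```

The same user id is an owner on one record and a stranger on the next, which is exactly the per-context behaviour the thread wanted from Zope 2 local roles.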
[Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hi

I am trying to work out how I could protect a specific resource/entity using repoze.what.

For instance I have a specific Record, owned by a specific User, and only a user with the Owner permission can Edit the record.

I can't work out how you would assign Owner permission to the user only when accessing Record, i.e. the user in question would not be owner of any other record.

It seems the group source and permission source act on a global basis and aren't context aware. And predicates' check_authorization() calls only take an environ and therefore you can only protect things like URLs, not entities.

Am I trying to do something not possible/intended for repoze.what? I suppose I am looking for functionality similar to zope2 permissions/roles etc...

T
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
I don't know if things have changed, but the last time I talked to Gustavo, this was an intrinsic limitation in repoze.what v1. It doesn't handle context-sensitive authorization.

- C

On 2/15/10 10:19 AM, Tim Hoffman wrote:
> Hi
>
> I am trying to work out how I could protect a specific resource/entity
> using repoze.what.
>
> For instance I have a specific Record, owned by a specific User, and only
> a user with the Owner permission can Edit the record.
>
> I can't work out how you would assign Owner permission to the user only
> when accessing Record, i.e. the user in question would not be owner of
> any other record.
>
> It seems the group source and permission source act on a global basis
> and aren't context aware. And predicates' check_authorization() calls
> only take an environ and therefore you can only protect things like
> URLs, not entities.
>
> Am I trying to do something not possible/intended for repoze.what? I
> suppose I am looking for functionality similar to zope2
> permissions/roles etc...
>
> T

--
Chris McDonough
Agendaless Consulting, Fredericksburg VA
The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hello, Tim.

The groups/permissions functionality is just something basic and optional, to help people get started, although for some smaller projects it may be good enough. For finer-grained control, you may want to check this:
http://what.repoze.org/docs/1.0/Manual/Predicates/Writing.html#creating-a-predicate-checker-more-sensitive-to-the-request

I've never really wanted to offer a similar functionality out-of-the-box. I've given some thought to this, and never came up with a non-intrusive way of addressing this kind of situation. But I'm always open to hearing alternatives.

I hope this is what you were looking for.

- Gustavo.

On 15/02/10 15:19, Tim Hoffman wrote:
> Hi
>
> I am trying to work out how I could protect a specific resource/entity
> using repoze.what.
>
> For instance I have a specific Record, owned by a specific User, and only
> a user with the Owner permission can Edit the record.
>
> I can't work out how you would assign Owner permission to the user only
> when accessing Record, i.e. the user in question would not be owner of
> any other record.
>
> It seems the group source and permission source act on a global basis
> and aren't context aware. And predicates' check_authorization() calls
> only take an environ and therefore you can only protect things like
> URLs, not entities.
>
> Am I trying to do something not possible/intended for repoze.what? I
> suppose I am looking for functionality similar to zope2
> permissions/roles etc...
>
> T

--
Gustavo Narea
xri://=Gustavo.
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hi Gustavo

Yeah, I have thought about writing custom Predicates. The main problem I saw with it was it appears I would have to pass in the object to be checked at predicate instantiation time, rather than at evaluation time. evaluate only takes environ and credentials. Which means I would have to somehow stuff the entity into the wsgi environ, or I would be retrieving the object a second time inside the evaluate predicate, when I already have it. And that would seem expensive (I am running on App Engine).

So using your example from the docs, it would look something like:

    from repoze.what.predicates import Predicate

    class is_author(Predicate):
        message = 'Only %(author)s can manage post %(post_id)s'

        def __init__(self, context, **kwargs):
            # The entity is bound when the predicate is built, not when it
            # is evaluated
            super(is_author, self).__init__(**kwargs)
            self.context = context

        def evaluate(self, environ, credentials):
            if self.context.author != credentials.get('repoze.what.userid'):
                self.unmet(post_id=self.context.id, author=self.context.author)

And then:

    # Can the user edit the post? (must be site manager or owner)
    from repoze.what.predicates import Any, has_permission
    p = Any(has_permission('site_manager'), is_author(context))

T

On Tue, Feb 16, 2010 at 5:41 AM, Gustavo Narea <m...@gustavonarea.net> wrote:
> Hello, Tim.
>
> The groups/permissions functionality is just something basic and
> optional, to help people get started, although for some smaller projects
> it may be good enough. For finer-grained control, you may want to check
> this:
> http://what.repoze.org/docs/1.0/Manual/Predicates/Writing.html#creating-a-predicate-checker-more-sensitive-to-the-request
>
> I've never really wanted to offer a similar functionality out-of-the-box.
> I've given some thought to this, and never came up with a non-intrusive
> way of addressing this kind of situation. But I'm always open to hearing
> alternatives.
>
> I hope this is what you were looking for.
>
> - Gustavo.
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hi Chris.

I have been rereading the ACLs for repoze.bfg and am having trouble getting my head around bits of it.

I could easily use repoze.bfg for this project, though I really don't need all of bfg in this instance, so was seeing if I could get by with just bobo and repoze.what (oh and I was hoping to leverage the openid and various other authent plugins for repoze.who).

But ignoring authentication for the moment. Can you give me a hint on the approach I would take, because in my example, if I wanted an ACL on the persistent model as per my original, it would be declared something like the following. (I am ignoring creation for the moment.)

The goal is only the owner of a particular entity or a user with the site_manager role can edit it. And I won't know someone is owner until I have the object.

I'm assuming you would have a sort of transient group owner and someone would only be in it if they are the owner? Then I could declare the owner permission etc. as follows:

    from repoze.bfg.security import Allow, Everyone

    __acl__ = [
        (Allow, Everyone, 'view'),
        (Allow, 'group:owner', 'edit'),
        (Allow, 'group:site_managers', 'edit'),
    ]

The bit I can't work out is how I would determine if the user is Owner of the content. Would that be through a custom AuthorizationPolicy or an Authentication Policy? Or am I thinking about this the wrong way around?

In zope2 a principal would have a number of potential roles dependent on the context. So I am trying to get that style of behaviour.

T

On Tue, Feb 16, 2010 at 1:27 AM, Chris McDonough <chr...@plope.com> wrote:
> I don't know if things have changed, but the last time I talked to
> Gustavo, this was an intrinsic limitation in repoze.what v1. It doesn't
> handle context-sensitive authorization.
>
> - C
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Tim Hoffman wrote:
> Hi Chris.
>
> I have been rereading the ACLs for repoze.bfg and am having trouble
> getting my head around bits of it.
>
> I could easily use repoze.bfg for this project, though I really don't
> need all of bfg in this instance, so was seeing if I could get by with
> just bobo and repoze.what (oh and I was hoping to leverage the openid and
> various other authent plugins for repoze.who).
>
> But ignoring authentication for the moment. Can you give me a hint on the
> approach I would take, because in my example, if I wanted an ACL on the
> persistent model as per my original, it would be declared something like
> the following. (I am ignoring creation for the moment.)
>
> The goal is only the owner of a particular entity or a user with the
> site_manager role can edit it. And I won't know someone is owner until I
> have the object.
>
> I'm assuming you would have a sort of transient group owner and someone
> would only be in it if they are the owner? Then I could declare the owner
> permission etc. as follows:
>
>     from repoze.bfg.security import Allow, Everyone
>
>     __acl__ = [
>         (Allow, Everyone, 'view'),
>         (Allow, 'group:owner', 'edit'),
>         (Allow, 'group:site_managers', 'edit'),
>     ]

Why would the group be called 'owner'? Group memberships are global, not local. Most likely you wouldn't use a group for the owner bits at all, but just have the ACL name the users with what in Zope you would call the owner local role. E.g.:

    from repoze.bfg.security import Allow, Everyone

    __acl__ = [
        (Allow, Everyone, 'view'),
        (Allow, 'phred', 'edit'),
        (Allow, 'group:site_managers', 'edit'),
    ]

If more than one user can be the owner (have the owner local role, in Z2-speak), then just add an ACE for each blessed user.

Tres.

--
===
Tres Seaver          +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Design    http://palladion.com
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hello, Tim.

On 15/02/10 22:06, Tim Hoffman wrote:
> Hi Gustavo
>
> Yeah, I have thought about writing custom Predicates. The main problem I
> saw with it was it appears I would have to pass in the object to be
> checked at predicate instantiation time, rather than at evaluation time.
> evaluate only takes environ and credentials. Which means I would have to
> somehow stuff the entity into the wsgi environ, or I would be retrieving
> the object a second time inside the evaluate predicate, when I already
> have it. And that would seem expensive (I am running on App Engine).
>
> So using your example from the docs, it would look something like:
>
>     from repoze.what.predicates import Predicate
>
>     class is_author(Predicate):
>         message = 'Only %(author)s can manage post %(post_id)s'
>
>         def __init__(self, context, **kwargs):
>             super(is_author, self).__init__(**kwargs)
>             self.context = context
>
>         def evaluate(self, environ, credentials):
>             if self.context.author != credentials.get('repoze.what.userid'):
>                 self.unmet(post_id=self.context.id, author=self.context.author)

I use the wsgiorg.routing_args variable (environ['wsgiorg.routing_args']) to store the objects for the resource in the URL, like this:

    from repoze.what.predicates import Predicate

    class BasePostPredicate(Predicate):
        def _get_blog_post(self, environ):
            # Fetch the post once and cache it in the routing args, so later
            # predicates (and the view) reuse it instead of fetching again
            if 'post' not in environ['wsgiorg.routing_args'][1]:
                post_id = environ['wsgiorg.routing_args'][1]['post_id']
                environ['wsgiorg.routing_args'][1]['post'] = gimme_the_post(post_id)
            return environ['wsgiorg.routing_args'][1]['post']

    class IsAuthor(BasePostPredicate):
        def evaluate(self, environ, credentials):
            post = self._get_blog_post(environ)
            if post.author != credentials.get('repoze.what.userid'):
                self.unmet('Only %(author)s can manage post %(post_id)s',
                           author=post.author, post_id=post.id)

    class IsEditor(BasePostPredicate):
        def evaluate(self, environ, credentials):
            post = self._get_blog_post(environ)
            if credentials.get('repoze.what.userid') not in post.editors:
                self.unmet('Only editors can manage post %(post_id)s',
                           post_id=post.id)

BasePostPredicate looks ugly because of the environ dict. Starting with v1.1, we're going to use the pythonic WebOb request objects and thus it will look like this:

    class BasePostPredicate(Predicate):
        def _get_blog_post(self, request):
            if 'post' not in request.urlvars:
                request.urlvars['post'] = gimme_the_post(request.urlvars['post_id'])
            return request.urlvars['post']

> And then:
>
>     # Can the user edit the post? (must be site manager or owner)
>     from repoze.what.predicates import Any, has_permission
>     p = Any(has_permission('site_manager'), is_author(context))

Right. But with the predicate above, you wouldn't pass the context:

    p = Any(has_permission('site_manager'), IsAuthor())

HTH,

- Gustavo.

> T

--
Gustavo Narea
xri://=Gustavo.
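An added example (not code from this thread or from repoze.what) that runs Gustavo's caching pattern offline: Predicate, Any and NotAuthorizedError are minimal stand-ins mimicking the parts of the repoze.what 1.0 API used above, Post, POSTS and gimme_the_post are a constructed datastore, and a fetch counter shows that IsAuthor and IsEditor share a single lookup per request even though neither receives the entity at instantiation time.

```python
class NotAuthorizedError(Exception):
    """Stand-in for repoze.what.predicates.NotAuthorizedError."""


class Predicate(object):
    """Minimal stand-in for repoze.what 1.0's Predicate: evaluate() calls
    unmet() to reject; is_met() turns that rejection into a boolean."""
    message = None

    def __init__(self, msg=None):
        if msg is not None:
            self.message = msg

    def evaluate(self, environ, credentials):
        raise NotImplementedError

    def unmet(self, msg=None, **placeholders):
        raise NotAuthorizedError((msg or self.message or '') % placeholders)

    def is_met(self, environ):
        credentials = environ.get('repoze.what.credentials', {})
        try:
            self.evaluate(environ, credentials)
        except NotAuthorizedError:
            return False
        return True


class Any(Predicate):
    """Stand-in for repoze.what's Any: met as soon as one predicate is met."""
    def __init__(self, *predicates, **kwargs):
        super(Any, self).__init__(**kwargs)
        self.predicates = predicates

    def evaluate(self, environ, credentials):
        if not any(p.is_met(environ) for p in self.predicates):
            self.unmet('None of the predicates was met')


class Post(object):
    """Constructed blog post entity."""
    def __init__(self, post_id, author, editors=()):
        self.id, self.author, self.editors = post_id, author, set(editors)


# Constructed datastore plus a counter of how many times it was hit.
POSTS = {'42': Post('42', 'tim', editors=['chris'])}
FETCHES = {'count': 0}


def gimme_the_post(post_id):
    FETCHES['count'] += 1
    return POSTS[post_id]


class BasePostPredicate(Predicate):
    def _get_blog_post(self, environ):
        # Cache the post in the routing args so every predicate in the
        # chain (and the view afterwards) reuses a single datastore fetch.
        urlvars = environ['wsgiorg.routing_args'][1]
        if 'post' not in urlvars:
            urlvars['post'] = gimme_the_post(urlvars['post_id'])
        return urlvars['post']


class IsAuthor(BasePostPredicate):
    def evaluate(self, environ, credentials):
        post = self._get_blog_post(environ)
        if post.author != credentials.get('repoze.what.userid'):
            self.unmet('Only %(author)s can manage post %(post_id)s',
                       author=post.author, post_id=post.id)


class IsEditor(BasePostPredicate):
    def evaluate(self, environ, credentials):
        post = self._get_blog_post(environ)
        if credentials.get('repoze.what.userid') not in post.editors:
            self.unmet('Only editors can manage post %(post_id)s', post_id=post.id)


def make_environ(userid, post_id):
    """Constructed WSGI environ as repoze.who/what and a router would leave it."""
    return {'repoze.what.credentials': {'repoze.what.userid': userid},
            'wsgiorg.routing_args': ((), {'post_id': post_id})}


def can_manage(userid, post_id):
    """Author or editor may manage the post; returns (allowed, fetches_used)."""
    environ = make_environ(userid, post_id)
    before = FETCHES['count']
    allowed = Any(IsAuthor(), IsEditor()).is_met(environ)
    return allowed, FETCHES['count'] - before
```

Because the environ is built per request, the cache is request-scoped: a second request for the same post fetches again, but within one request every predicate and the view see the same object.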
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Tim Hoffman wrote:
> I was hoping to declare the local role equivalent at the class level,
> but following from what you said I have a class declaration for
> site_manager and persist a user/owner declaration on the object at
> creation time? Then when I retrieve the entity from the app engine
> datastore have a __acl__ property accessor which then merges the class
> declaration with the persisted addition definition of owner.
>
> Does that sound like an appropriate approach?

That sounds like it would work, yes.

Tres.

--
===
Tres Seaver          +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Design    http://palladion.com
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hi Tres

The last thing I would love to be able to do would be to declare the permissions at the class level as in

    (Allow, Owner, 'edit')

And have Owner a special principal like Everyone, that allows me to declare the permission, but only evaluates owner when the permission is checked.

Do you think that could work? I haven't worked out how I could implement that though.

T

On Tue, Feb 16, 2010 at 7:24 AM, Tres Seaver <tsea...@palladion.com> wrote:
> Tim Hoffman wrote:
>> I was hoping to declare the local role equivalent at the class level,
>> but following from what you said I have a class declaration for
>> site_manager and persist a user/owner declaration on the object at
>> creation time? Then when I retrieve the entity from the app engine
>> datastore have a __acl__ property accessor which then merges the class
>> declaration with the persisted addition definition of owner.
>>
>> Does that sound like an appropriate approach?
>
> That sounds like it would work, yes.
>
> Tres.
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hi

I could at the very least evaluate the Owner special principal into the real owner, when I provide the __acl__ registration via the property accessor.

Most of the project is defined in a uml model and the code is being generated. So declaring the permissions where possible in the model means I need to use abstractions representing things like Owner in the model.

T

On Tue, Feb 16, 2010 at 7:49 AM, Tim Hoffman <zutes...@gmail.com> wrote:
> Hi Tres
>
> The last thing I would love to be able to do would be to declare the
> permissions at the class level as in
>
>     (Allow, Owner, 'edit')
>
> And have Owner a special principal like Everyone, that allows me to
> declare the permission, but only evaluates owner when the permission is
> checked.
>
> Do you think that could work? I haven't worked out how I could implement
> that though.
>
> T
>
> On Tue, Feb 16, 2010 at 7:24 AM, Tres Seaver <tsea...@palladion.com> wrote:
>> Tim Hoffman wrote:
>>> I was hoping to declare the local role equivalent at the class level,
>>> but following from what you said I have a class declaration for
>>> site_manager and persist a user/owner declaration on the object at
>>> creation time? Then when I retrieve the entity from the app engine
>>> datastore have a __acl__ property accessor which then merges the class
>>> declaration with the persisted addition definition of owner.
>>>
>>> Does that sound like an appropriate approach?
>>
>> That sounds like it would work, yes.
>>
>> Tres.