I'm going through the Identity code because I need to make my own
Provider to hook into a few different systems over here (CAS for
authentication, LDAP for attributes, REST service for groups and
permissions).

I'm trying to fit the concept of group roles into this...

The SOIdentityProvider permissions model appears to work like: being a
member of a group gives a user that group's permissions, along with
whatever other permissions the user has.

I checked out Matt Bevan's example Identity model and it calls
permissions Roles, but has the same permissions structure as
SOIdentityProvider.

A group in my model is like a club or organization, so there aren't
permissions associated with any of these (simply being a member is
enough to deny or grant access to a resource). However, there are roles
for each group: president, treasurer, secretary, etc. So I can't just
check for "has_role('president') and has_group('turbogears club')"
because the user could be the president of another club...

However, there's nothing stopping me from using something other than
strings as permissions, correct?  I could use tuples:
"has_role(('president', 'turbogears club'))"

This causes some duplication since now the Identity group model is
redundant... I could just always check for "has_permission(('member',
'turbogears club'))".

The other possibility is to use some string concatenation or something,
like "turbogears club/president" as the permission, but then this makes
it difficult to get all the people who are presidents (I'd have to do
string transformation on every permission, and it wouldn't be indexed
as efficiently).

I'm afraid that rolling my own funky group roles model will lock me out
of using the nice predicates and such provided in identity.conditions.

I'm just throwing this out there to see if anyone wants to toss in
advice or ideas.

--
Brian Beck
Adventurer of the First Order
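
The tuple idea from the message above, as an added example that is not part of the original post and is not TurboGears identity code: a stand-alone model showing why the unscoped "has role and in group" check over-grants, and how a (role, group) tuple plus a reverse index avoids both that and the string parsing. The class `ScopedIdentity`, its methods, and the sample users are hypothetical names constructed for illustration.

```python
from collections import defaultdict

class ScopedIdentity:
    """Stand-alone model (hypothetical; not TurboGears' identity API)."""

    def __init__(self):
        self._by_user = defaultdict(set)   # user -> {(role, group)}
        self._by_role = defaultdict(set)   # role -> {(user, group)}

    def grant(self, user, role, group):
        # Assumption: holding any role in a group implies membership of it.
        for r in {role, "member"}:
            self._by_user[user].add((r, group))
            self._by_role[r].add((user, group))

    # Unscoped checks, mirroring the flat role/group model in the post.
    def has_role(self, user, role):
        return any(r == role for r, _ in self._by_user[user])

    def in_group(self, user, group):
        return ("member", group) in self._by_user[user]

    # Scoped check: the role must be held in this specific group.
    def has_scoped_role(self, user, role, group):
        return (role, group) in self._by_user[user]

    def holders(self, role):
        """All (user, group) pairs for a role, with no string parsing."""
        return sorted(self._by_role[role])

def build_sample():
    # Constructed sample data: bob presides over a different club.
    ident = ScopedIdentity()
    ident.grant("alice", "president", "turbogears club")
    ident.grant("bob", "president", "chess club")
    ident.grant("bob", "member", "turbogears club")
    return ident

def naive_check(ident, user):
    return ident.has_role(user, "president") and ident.in_group(user, "turbogears club")

def scoped_check(ident, user):
    return ident.has_scoped_role(user, "president", "turbogears club")

if __name__ == "__main__":
    ident = build_sample()
    for user in ("alice", "bob"):
        print(user, naive_check(ident, user), scoped_check(ident, user))
    print(ident.holders("president"))
```
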

