On Wed, Oct 29, 2008 at 11:42 PM, Mark Ramm <[EMAIL PROTECTED]> wrote:
>
>>> 3. sqlalchemy save certain tables if you have x permissions
>
> It is completely possible to rebind the SQLAlchemy metadata on each
> request so that you actually connect to the database as a specific
> user based on the REMOTE_USER that is set by repoze.who. This would
> allow you to protect data at the database level, or to redirect
> certain classes of users to different back-end databases for load
> management. We intentionally designed things to allow this, but we
> also intentionally left writing the explicit rules for doing this to
> users, as it's not something that 90% of applications ever need.
>
> But perhaps you're wondering if we tap into SQLAlchemy somewhere
> between the controller level and the database level, and if that's the
> question no we don't. I don't exactly think we will do that in quite
> that way, but I do think it would be interesting and useful to be able
> to provide some helpers that make it very easy to write authorization
> rules that do "row-level" (really SA object level) authorization
> checks in the controller.
>
> If you have a specific use case in mind, please feel free to raise it
> and we'll see how to best fill that need.

The use case would be an authorize sqlalchemy action somewhere between controller and sqlalchemy. The usage would look like:

1. My app would run under one username that connects to database.
2. Multiple users with different permissions are set in identity/authorize/authenticate (not sure what you guys call it now) (the new identity?).
3. If user is a manager he can change table "accounting" but if the user is "clerk" he should not be able to save changes but be able to view.
4. If user is system he can change "companymoneytotal", if he is a manager he should be able to view table "companymoneytotals" but should not be able to change it, if user is "clerk" he should not be able to view that table.

That is pretty much it. It seems simple but not sure how one can do that kind of control in tg2/sqlalchemy right now?

Lucas
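
The table-level rules from this use case can be enforced beneath the controller on a single shared connection. The sketch below is an added example, not code from the thread or from TurboGears, repoze.who or SQLAlchemy: it swaps in the standard-library `sqlite3` authorizer hook as the enforcement point, and `POLICY`, `make_authorizer`, `run_as` and `demo_db` are hypothetical names, with the role argument standing in for whatever the identity layer derives from REMOTE_USER.

```python
import sqlite3

# role -> table -> actions, from the use case above; deny by default. Assumes
# "change" implies "view" and companymoneytotal(s) is a single table.
POLICY = {
    "manager": {"accounting": {"view", "change"}, "companymoneytotals": {"view"}},
    "clerk": {"accounting": {"view"}},
    "system": {"companymoneytotals": {"view", "change"}},
}
NEEDED = {sqlite3.SQLITE_READ: "view", sqlite3.SQLITE_INSERT: "change",
          sqlite3.SQLITE_UPDATE: "change", sqlite3.SQLITE_DELETE: "change"}
HARMLESS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION}

def make_authorizer(role, denied):
    """Authorizer callback for one role (arg1 is the table name); logs denials."""
    tables = POLICY.get(role, {})  # unknown role: no table access at all
    def authorizer(action, arg1, arg2, dbname, source):
        if action in HARMLESS:
            return sqlite3.SQLITE_OK
        if NEEDED.get(action) in tables.get(arg1, ()):
            return sqlite3.SQLITE_OK
        denied.append((action, arg1))  # also DDL, PRAGMA, ATTACH, functions
        return sqlite3.SQLITE_DENY
    return authorizer

def run_as(conn, role, sql, params=()):
    """Run one statement on the shared connection with the role's rights."""
    denied = []
    conn.set_authorizer(make_authorizer(role, denied))
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return rows
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        if denied:  # the failure came from the policy, not from bad SQL
            raise PermissionError(f"{role!r} may not run: {sql}") from exc
        raise
    finally:
        conn.set_authorizer(make_authorizer(None, []))  # fail closed

def demo_db():
    """Constructed sample data on one shared connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounting (id, amount); INSERT INTO accounting VALUES (1, 100);"
        "CREATE TABLE companymoneytotals (id, total);"
        "INSERT INTO companymoneytotals VALUES (1, 5000);")
    return conn
```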
