Hi, Christoph.

On Wednesday February 4, 2009 16:40:45 Christoph Zwerschke wrote:
> Gustavo Narea wrote:
> > With systems like Catwalk in mind, which may provide information about
> > how the auth system is working, I've created a couple of functions which
> > return the current groups and permissions, respectively, in repoze.what
> > v2 (but it's one of the things I'll backport to v1).
> >
> > Groups and permissions are going to evolve. They won't be as simple as
> > "zero or more users belong to a group" and "zero or more groups are
> > granted a permission" forever. Among other things, they'll become
> > hierarchized (e.g., "group A is the parent of group B, so anyone who
> > belongs to B also belongs to A"). So, those tuples of strings at
> > credentials['groups'] and
> > credentials['permissions'] will disappear as things turn more complex
> > internally -- that is why the credentials dictionary won't be part of the
> > API.
>
> That's good, but one problem I'm seeing here is that groups and
> permissions are often not only used to restrict views in templates or
> restrict access to controllers, but also very tightly coupled with the
> application logic through the data model. For instance, I have data
> records with groups or permissions as foreign keys and queries which
> filter using these values.

Sorry, I didn't get that part. I don't understand what the problem is.

> I.e. TG apps rely on a certain structure of
> users, groups and permissions anyway.

No, they don't. You can rearrange _everything_ as you want, as long as you let
repoze.what know where to find the groups and permissions -- it's not even
necessary to let TG2 know about it, since that has nothing to do with TG.

> >> tg.access takes any of the standard predicates as attribute and evaluates
> >> that predicate immediately. We could also provide a mechanism to include
> >> custom predicates in tg.access. This is of course a hack for TurboGears
> >> only, I don't say it should be somehow included in repoze.what.
> >> Something like that would just help to keep simple things simple in TG.
> >
> > I'm +0.5 on that, and I wouldn't mind implementing it if we raise this on
> > a new thread and people agree. ;-)
>
> As an alternative, we could propose the request aware evaluation of
> predicates with bool() suggested in my other posting and then set
> tg.access = repoze.what.predicates.
>
> This would allow the same usage: tg.access.has_permission('edit').
>
> I'll wait a while and if there are no better ideas, I'll create a new
> thread asking for feedback regarding these two ideas then.

I'd prefer the previous suggestion.

This one seems ugly from my point of view, and it's forward incompatible too:
In repoze.what v2, the groups/permissions-based pattern will be yet another
authorization pattern. And all those patterns will be kept in
repoze.what.patterns.*.

Cheers.
--
Gustavo Narea <http://gustavonarea.net/>.
Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/
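
An added illustration of the hierarchy point quoted above (not part of the original message and not repoze.what code; every name is hypothetical and the data is constructed): a check written against a flat tuple of group names, like the one in credentials['groups'], misses inherited membership once groups have parents, while a check that resolves the hierarchy does not.

```python
# Added illustration; not repoze.what code. All names are hypothetical.

# Constructed sample data: child group -> tuple of parent groups.
PARENTS = {
    "editors": ("staff",),
    "staff": ("members",),
    "loop-a": ("loop-b",),  # deliberately misconfigured cycle
    "loop-b": ("loop-a",),
}

# Constructed sample data: user -> groups assigned directly.
DIRECT = {
    "alice": ("editors",),
    "bob": ("members",),
    "mallory": ("loop-a",),
}


def flat_groups(user):
    """What a flat tuple of group names would expose: direct groups only."""
    return tuple(DIRECT.get(user, ()))


def effective_groups(user):
    """Direct groups plus every ancestor reachable through PARENTS."""
    seen = set()
    pending = list(DIRECT.get(user, ()))
    while pending:
        group = pending.pop()
        if group in seen:
            continue  # already expanded; also terminates cyclic hierarchies
        seen.add(group)
        pending.extend(PARENTS.get(group, ()))
    return frozenset(seen)


def in_group_flat(user, group):
    """Membership test as application code reading the flat tuple would do it."""
    return group in flat_groups(user)


def in_group(user, group):
    """Membership test that honours 'anyone in B also belongs to parent A'."""
    return group in effective_groups(user)
```

Application code that filters records by reading the flat tuple would silently under-authorize "alice" for anything granted to "staff" or "members", which is the kind of breakage that keeping the credentials dictionary out of the API avoids.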