erisian wrote:
Jeff,
Does the API provide for two basic types of role-based protection?
For example:
1) Declarative:
    some class:
        some method: / requires role("admin")
2) Procedural:
    if isInRole('jeff',"admin") then
        do something
    else
        do something else
    endif
and possibly:
3) Data Oriented
    ie: some mapping onto SQLObject of "isInRole()" to granted
    permissions within the database?
Sorry for the pseudo-code. I just woke up...

I implemented this in my own project, and my isInRole looks like this:

    from turbogears import identity

    class has_tag(identity.Predicate, identity.IdentityPredicateHelper):
        '''
        Predicate for requiring a user be tagged in some form
        will proxy through to user.can(tag, level=level)
        '''
        # %(tag)s is filled in from the predicate's own attributes
        error_message = "No permission for: %(tag)s"

        def __init__(self, tag, level='WRITE'):
            self.tag = tag
            self.level = level

        def eval_with_object(self, identity, errors=None):
            # Anonymous visitors (no identity.user) are always refused
            if identity.user and identity.user.can(self.tag, self.level):
                return True
            self.append_error_message(errors)
            return False

where in the identity User model, there is a function that looks like:

    def can(self, permission, level='WRITE'):
        """ returns if a user has the correct permission """

You will need to replace TG_User and TG_Group with your own classes, and
configure them properly in your dev.cfg so that the identity system will
use your customised classes.
I just added a tag of 'tags' (that's what I called them) and a join
table between tags and groups. From there, I could define any group as
having very fine-grained permissions, and any user could participate in
any number of groups.
It's very early for me too; I might write up a comprehensive guide to
this kind of thing on Monday.
--
Regards,
Stephen Thorne
Development Engineer
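
Added example, not part of the message above and not TurboGears code: a plain-Python model of the tag/group join described in the reply, showing how can() could resolve a tag through a user's groups and how the declarative and procedural forms from the question end up sharing that one check. The Group and User classes, the requires_tag decorator, delete_invoice and the READ < WRITE ordering are all assumptions made for illustration.

```python
# Added illustration; names and the READ < WRITE ordering are assumptions.
import functools

LEVELS = {"READ": 1, "WRITE": 2}  # assumed ordering: WRITE implies READ


class Group:
    def __init__(self, name):
        self.name = name
        self.grants = {}  # tag -> level, standing in for the tag/group join rows

    def grant(self, tag, level):
        if level not in LEVELS:
            raise ValueError("unknown level: %r" % (level,))
        # a later, weaker grant never downgrades an existing one
        self.grants[tag] = max(level, self.grants.get(tag, level), key=LEVELS.get)


class User:
    def __init__(self, name, groups=()):
        self.name = name
        self.groups = list(groups)

    def can(self, permission, level="WRITE"):
        """True only if some group grants `permission` at `level` or higher."""
        needed = LEVELS.get(level)
        if needed is None:  # fail closed on a misspelled or unknown level
            return False
        return any(
            LEVELS[g.grants[permission]] >= needed
            for g in self.groups
            if permission in g.grants
        )


def requires_tag(tag, level="WRITE"):
    """Declarative form: refuse the call unless user.can(tag, level)."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(user, *args, **kwargs):
            if user is None or not user.can(tag, level):
                raise PermissionError("No permission for: %s" % tag)
            return func(user, *args, **kwargs)
        return wrapper
    return decorate


@requires_tag("invoices", level="WRITE")
def delete_invoice(user, invoice_id):
    return "invoice %d deleted by %s" % (invoice_id, user.name)
```

The procedural form is a direct `if user.can("invoices", "READ"):` in the calling code; both paths deny by default when no group carries the tag.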