The Identity API provides #1 and #2 but not #3 because that is *so* application specific. For example, you could have the following class:

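import turbogears
from turbogears import controllers, identity
from turbogears.identity import in_group, has_permission

class MyController(controllers.Controller):
    @turbogears.expose()
    @identity.require( in_group( "admin" ) )  # declarative check
    def index( self ):
        pass

    @turbogears.expose()
    def anotherMethod( self ):
        if has_permission( "can-edit" ):  # procedural check
            pass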

The predicates used by the Identity framework function the same whether in a require decorator or as expressions in an if statement.

All of this information lives in the database, specifically in the tg_group and tg_permission tables (at least with the default provider and model classes).

On 26 Jan, 2006, at 12:45 pm, erisian wrote:


Jeff,

Does the API provide for two basic types of role-based protection?

For example:

1) Declarative:

some class:

     some method:   / requires role("admin")

2) Procedural:

   if isInRole('jeff',"admin") then
       do something
   else
       do something else
   endif

and possibly:

3) Data Oriented

  ie: some mapping onto SQLObject of "isInRole()" to granted
permissions within the database?

Sorry for the pseudo-code.  I just woke up...

Thanks,

Jim Burnes
(erisian)


--
Jeff Watkins

“In science it often happens that scientists say, ‘You know that’s a really good argument; my position is mistaken,’ and then they actually change their minds and you never hear that old view from them again. They really do it. It doesn’t happen as often as it should, because scientists are human and change is sometimes painful. But it happens every day. I cannot recall the last time something like that happened in politics or religion.” Carl Sagan, 1987
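
The pattern discussed in this thread, as an added stand-alone sketch that is not TurboGears code and not from either poster: one predicate object serves both the require decorator and a plain if test, and is answered from database rows. Only the table names tg_group and tg_permission come from the thread; the columns, the sample rows, current_user and IdentityFailure are assumptions made for the example.

```python
import sqlite3
from contextvars import ContextVar

# Constructed data. Table names come from the thread; the simplified
# columns (one row per membership / per grant) are assumptions.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE tg_group(name TEXT, member TEXT);
CREATE TABLE tg_permission(name TEXT, grp TEXT);
INSERT INTO tg_group VALUES ('admin', 'jeff'), ('editors', 'jim');
INSERT INTO tg_permission VALUES ('can-edit', 'editors');
""")
current_user = ContextVar("current_user", default=None)  # None = anonymous

class IdentityFailure(Exception):
    """A required predicate was not satisfied."""

class Predicate:
    """Evaluated against the current user each time it is tested."""
    def __init__(self, sql, arg):
        self.sql, self.arg = sql, arg
    def __bool__(self):
        user = current_user.get()
        if user is None:  # deny by default for anonymous callers
            return False
        return db.execute(self.sql, (user, self.arg)).fetchone() is not None

def in_group(name):
    return Predicate("SELECT 1 FROM tg_group WHERE member=? AND name=?", name)

def has_permission(name):
    return Predicate("SELECT 1 FROM tg_group g JOIN tg_permission p "
                     "ON p.grp = g.name WHERE g.member=? AND p.name=?", name)

def require(predicate):
    def wrap(fn):
        def guarded(*args, **kwargs):
            if not predicate:  # checked on every call, not at decoration time
                raise IdentityFailure(fn.__name__)
            return fn(*args, **kwargs)
        return guarded
    return wrap

class MyController:
    @require(in_group("admin"))
    def index(self):
        return "admin page"
    def another_method(self):
        return "editing" if has_permission("can-edit") else "read-only"
```

Because the predicate is evaluated on each call, a membership change in the tables takes effect on the next request without touching the controller.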
