Kevin Monceaux wrote:
> Steve,
>
> On Thu, Nov 09, 2006 at 01:47:26AM -0600, Steve Holden wrote:
>
>> OK, I've finished the rewrite and I'd appreciate any comments.
>
> Looks good. I'm working remotely at the moment so I only tried adding
> users/groups via the console. I'll go through it again when I get home and
> give CatWalk a try. Also, I've only tried it with SQLObject so far. I'll
> go through it again shortly with SQLAlchemy and make sure all is well there.
>
That'd be good. I've only tried the SQLObject stuff myself.

>> I'd also appreciate it if someone could point me to (or provide) the
>> information on encrypted passwords I'll try to incorporate that.
>
> I used Tim's suggestion and now have encrypted passwords. I'm guessing the
> parameter needs to be set before the database is created, or at least before
> any users are added. So, after quickstarting the project I changed to the
> identity_tutorial directory and edited identity_tutorial/config/app.cfg. I
> found the following line:
>
>     # identity.soprovider.encryption_algorithm=None
>
> Uncommented it and changed it to:
>
>     identity.soprovider.encryption_algorithm='sha1'
>
> According to Tim and the comments in the app.cfg file it can be set to md5
> or sha1. After doing so I continued with the tutorial from the "create the
> database" step and all worked as expected with encrypted passwords.
>
Cool!

>> We also need to explain how the permissions are used to respond to the
>> comments about ownership and permissions. So there's still a ways to go.
>
> I noticed it was lacking in that area. A quick look at the database was
> enough for me to figure out how to add permissions to groups but some users
> might find it useful if the tutorial covered adding permissions.
>
> I have an idea for an additional tutorial in the "Identity Management"
> series. How about taking one of the existing tutorials, such as the
> "Multiuser Todo List", and showing how to add security (identity management)
> to the project? Being so new to TurboGears I'm not sure if I'm up to such a
> challenge. But, having recently gone through both the "Multiuser Todo List"
> tutorial and the "Identity Management" tutorial I think I would be able to go
> through the "Multiuser Todo List" tutorial again and add security features
> to it. I'd be happy to do so and take notes as I go. I then might be able
> to provide a rough draft that could be polished by a more experienced
> TurboGears user. After a little initial pondering I have a couple of
> questions:
>
> Can Identity Management be added to an existing TurboGears project or does
> it have to be included when the project is initially set up?
>
I don't see any reason why one shouldn't simply add the definitions for

    class Visit(SQLObject):
    class VisitIdentity(SQLObject):
    class Group(SQLObject):
    class User(SQLObject):
    class Permission(SQLObject):

to the model and run a piece of code that will create the tables. Would
someone like to verify this before I put it in the notes?

> Does the Identity Management system have any built-in functions for dealing
> with object ownership? For example, in a photo album app when an album is
> created the user creating the album should be its owner. And, regular
> users (without admin privileges) would likely only be allowed to do things
> to the albums they own. Some frameworks have an automatic system for
> setting/checking ownership, usually based on a "magic" column name. As an
> example with some frameworks if a table has column names such as created_by
> and/or updated_by it will automatically set those columns to the user who
> created/updated the row. The above is easy to do even without the
> functionality being built into the Identity system but if it's already in
> there I'd rather use it than do it separately.
>
I haven't come across anything. Clearly it would be useful to have more
utility functions in this area.

> In the identity section on the:
>
> http://Docs.TurboGears.org/1.0/SpecificProblems
>
> page I see a "User registration and maintenance" system. I haven't tried it
> out yet. I'll play around with that some before trying to add security to
> projects.
>
Thanks for your comments. I'll try to add appropriate notes about
password encryption shortly, flagging them for the moment as "SQLObject
only". I'll post to this thread again after each significant update.

regards
 Steve
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd          http://www.holdenweb.com
Skype: holdenweb       http://holdenweb.blogspot.com
Recent Ramblings     http://del.icio.us/steve.holden
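An added example, not part of the thread or of TurboGears: a check for the guess above that the encryption_algorithm setting has to be in place before any users are added, run over the stored password values. It assumes the provider stores the lowercase hex digest of the password with no salt; the function names and sample rows are constructed for illustration, and the PBKDF2 function is a contrast the thread does not discuss.

```python
import hashlib
import re
from collections import defaultdict

HEX = re.compile(r"^[0-9a-f]+$")

def classify(stored):
    """Guess how a stored password value was written, from its shape alone."""
    if HEX.match(stored):
        if len(stored) == 40:
            return "sha1"
        if len(stored) == 32:
            return "md5"
    return "plaintext?"

def audit(rows, expected="sha1"):
    """rows: iterable of (user_name, stored_password) pairs.

    Returns (mismatched, shared): users whose value does not look like the
    expected digest, and groups of users whose stored values are identical.
    """
    mismatched = []
    by_value = defaultdict(list)
    for user, stored in rows:
        kind = classify(stored)
        if kind != expected:
            mismatched.append((user, kind))
        by_value[stored].append(user)
    # With an unsalted digest, equal passwords give equal stored values.
    shared = sorted(users for users in by_value.values() if len(users) > 1)
    return mismatched, shared

def salted_hash(password, salt, iterations=200_000):
    """Contrast: per-user salt plus a slow KDF, so equal passwords differ."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

# Constructed sample rows, not data from the thread.
SAMPLE_ROWS = [
    ("alice", hashlib.sha1(b"tutorial").hexdigest()),
    ("bob", hashlib.sha1(b"tutorial").hexdigest()),  # same password as alice
    ("carol", "letmein"),                             # added before the setting was on
    ("dave", hashlib.md5(b"other").hexdigest()),      # written under the md5 setting
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Rows reported as mismatched were written under a different setting and need their passwords reset, since a digest cannot be derived from another digest.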

