Michael, thanks for the tip. rum looks like what I need here. It seems to provide the flexibility to do things like determine what exactly a user's permissions are with respect to a particular group of which he is a member:

- read group contracts
- write group contracts
- manage group membership (add/remove other users, grant/revoke permissions to other members)

Thus, when a user enters a contract, he would specify the groups which can access the contract and with which permission they should be able to do so. For example, if user johndoe enters contract with id 10:

- group johndoe can access contract with id 10 with read and write permission
- group A can access contract with id 10 with read and write permission
- group B can access contract with id 10 with read permission

etc.

My problem is, I have absolutely no idea how to go about this with rum. I'll need to spend time with the documentation and will definitely need to overhaul the schema I defined at http://code.google.com/p/pycontraxx/source/browse/trunk/pycontraxx/model/schema.py

On 8 Apr., 15:11, Michael Brickenstein <[email protected]> wrote:
> Hi!
> Sounds like some row level permission problem.
> This is possible with the
> mercurial version of rum http://python-rum.org/
>
> See TgRumDemo's
> policy http://hg.python-rum.org/TgRumDemo/file/5f744fb4f973/tgrumdemo/policy...
>
> http://groups.google.com/group/rum-discuss/browse_thread/thread/526e1...
>
> Michael
>
> On 7 Apr., 22:10, frankentux <[email protected]> wrote:
>
> > Is there a suggestion for how to implement something like this
> > efficiently:
>
> > group | contract | permission
> > ------+----------+-----------
> > 1     | 3        | 2
> > 1     | 4        | 3
> > 2     | 3        | 2
>
> > where for example, permission 2 is read and permission 3 is write
> > Each group would have any number of members - which raises an issue
> > with the permissions.
> > I originally thought about each user having a private group where only
> > he/she has write permission
> > (kind of like the way red hat handles a user's default group on
> > linux). Thus each contract would have
> > at least one group owner with write access - namely the owner's
> > private group.
>
> > What I'm trying to achieve is a clear permissions based model where
> > the typical business setup of
> > a human contract manager (user) existing in a contract management team
> > (group A) can read/write group
> > contracts from group A but can only read contracts from group B.
> > Additionally, it might be a good idea to
> > allow contract managers to grant read only permission to either
> > anonymous users or to anyone logged in but not
> > a member of a generic "contract_manager_group".
>
> > For each contract_manager group, a designated user could be granted
> > permission to allow users to join and to grant them
> > read and/or write permission.
>
> > Currently, this is implemented in model/schema.py
> > (http://code.google.com/p/pycontraxx/source/browse/trunk/pycontraxx/mo...
> > ).
> > When a user visits http://app/contract/manage/$contract_id he is
> > denied access unless logged in. If access is granted, the scope of the
> > access is tested by
> > checking what id is requested ($contract_id) and checking if the user
> > is in any group listed in contract.groups and if said group has e.g.
> > rw permission listed in groups.permissions. This seems a bit primitive
> > though and I'm sure there's a much more elegant way of doing this
> > using repoze.... but so far I'm stuck
> > on repoze as I seem to have to test using a decorator ( @require
> > (predicates.in_group('contract_managers', msg=l_('Only for contract
> > managers'))) ) before accessing the args sent to the controller method
> > (in the case above, the contract_id). If I could manage to get this
> > working using predicates, I'm sure it would make the app much more
> > flexible down the road.
>
> > Any ideas :) ?
>
> > On 7 Apr., 15:08, frankentux <[email protected]> wrote:
> >
> > > Started a Google Code Project: http://code.google.com/p/pycontraxx/
> >
> > > Anonymous SVN (I think you have to join the project before getting RW
> > > permissions)
> > > svn checkout http://pycontraxx.googlecode.com/svn/trunk/pycontraxx-
> > > read-only
> >
> > > Currently there is only a standard paster quickstart -s with
> > > authentication enabled plus
> > > a schema.py under pycontraxx/model/ which contains the business logic
> > > (probably should be
> > > split out into multiple files?). There is also some controller code
> > > set up - but this was mostly me
> > > playing with repoze and rapidly figuring out that it was going to be
> > > more difficult than I thought
> > > to implement group level access restrictions to contracts and
> > > projects.
> >
> > > On Apr 6, 6:33 pm, frankentux <[email protected]> wrote:
> > >
> > > > Given that the project is only in the starting stages (I've put
> > > > together a rough model which is getting more complicated by the day),
> > > > I'm looking firstly for help with "conceptualising" the project:
> > > > - improving the model (having problems at the moment with
> > > > user/group/contract where trying to implement ro,rw)
> > > > - user admin interface (whereby a group "owner" can add/remove group
> > > > members and determine the scope of their access to contracts)
> > > > - using existing form widgets/creating new form widgets to handle
> > > > entering contracts along with projects, contract parties, contract
> > > > documents
> > > > - event based notifications on a per user or per group basis (e.g.
> > > > contract xyz will expire in 30 days if not renewed)
> > > > - timeline showing what's coming up (events such as contract renewal
> > > > deadline, contract expiry)
> > > > - not sure if this is overkill, but it would be cool to have a kind
> > > > of svn backend to handle uploaded contracts (odt, doc, pdf)
> > >
> > > > Maybe if I just post the entire model? Or upload everything I have to
> > > > google code or something like that?
> > >
> > > > On Apr 6, 5:40 pm, Mark Ramm <[email protected]> wrote:
> > > >
> > > > > Right now this mailing list is the right place. Let us know a couple
> > > > > details of what kind of help you're looking for and when you need it
> > > > > and I'm sure some people will reply to you off list.
> > > >
> > > > > --Mark Ramm
> > > >
> > > > > On Mon, Apr 6, 2009 at 10:32 AM, frankentux
> > > > > <[email protected]> wrote:
> > > > >
> > > > > > I was wondering if there is a kind of a "help wanted" feature -
> > > > > > either
> > > > > > here on the mailing list, or on the turbogears.org site.
> > > > > > Specifically,
> > > > > > I want to pick up development of a contract management application
> > > > > > using turbogears2 - it's a pretty big project though.
> > > > >
> > > > > > Thus, does anyone know where I could post a "looking for help"
> > > > > > notice
> > > > > > - somewhere that turbogears users would find it?
> > > >
> > > > > --
> > > > > Mark Ramm-Christensen
> > > > > email: mark at compoundthinking dot com
> > > > > blog: www.compoundthinking.com/blog
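
An added example, not part of the thread and not rum or repoze.what code: the group | contract | permission table discussed above, with the authorization decision made per contract row rather than by group membership alone. Table and column names, the sample users, the extra contract 11, and the rule that write (3) implies read (2) are assumptions.

```python
import sqlite3

READ, WRITE = 2, 3  # codes from the thread; assumption: write (3) implies read (2)

def build_db():
    """Constructed sample data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE membership (username TEXT, group_name TEXT);
        CREATE TABLE contract_acl (
            group_name TEXT, contract_id INTEGER, permission INTEGER);
        INSERT INTO membership VALUES
            ('johndoe', 'johndoe'),  -- private group, as proposed in the thread
            ('johndoe', 'A'), ('alice', 'A'), ('bob', 'B');
        INSERT INTO contract_acl VALUES
            ('johndoe', 10, 3), ('A', 10, 3), ('B', 10, 2), ('B', 11, 3);
    """)
    return db

def effective_permission(db, username, contract_id):
    """Highest permission any of the user's groups holds, or None."""
    row = db.execute(
        """SELECT MAX(a.permission) FROM contract_acl a
             JOIN membership m ON m.group_name = a.group_name
            WHERE m.username = ? AND a.contract_id = ?""",
        (username, contract_id)).fetchone()
    return row[0]

def can_access(db, username, contract_id, required):
    """Deny by default: anonymous users and missing ACL rows get nothing."""
    if username is None:
        return False
    granted = effective_permission(db, username, contract_id)
    return granted is not None and granted >= required

def visible_contracts(db, username, required=READ):
    """Contract ids the user may list, filtered in SQL rather than afterwards."""
    rows = db.execute(
        """SELECT DISTINCT a.contract_id FROM contract_acl a
             JOIN membership m ON m.group_name = a.group_name
            WHERE m.username = ? AND a.permission >= ?
            ORDER BY a.contract_id""",
        (username, required)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print(can_access(db, "bob", 10, WRITE), visible_contracts(db, "bob"))
```

The check takes the contract id as an argument, so it has to run inside the controller method (or in a predicate that reads the routing arguments) once `$contract_id` is known, not only in a group-membership decorator in front of it.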

