On Wed, Oct 28, 2009 at 9:28 AM, L Dary <[email protected]> wrote:
> Let me start by saying how impressed I am with TG2, and also how excited I am to finally be starting to attempt to make some applications with it (I started out reading the TG1 book, and really watching the development, but never really made anything with TG1).
>
> I have decided to make my first attempt at a 'real' application, and need some advice on where to start to figure out my first road block: Authentication and Authorization.
>
> The way I am thinking about the users does not seem to fit into the User, Group, Permission setup quite right. Let me describe the structure I have put down on paper, and hopefully someone can help me get started with a link or some advice.
>
> The application is based around self-contained instances of events. Any user has the right to create their own events (which they are the manager for). A user can be a participant in events, an assistant for an event, a manager of an event, or they can also be a system administrator. This breaks down really into two 'system-level' groups: Users and System Admins. This seems like it would work fine with the usual User, Group, Permission setup.
>
> It is the authorization of content, based on the user's specific role within an event, that has me stumped, however. A user may be part of any number of events, and have different roles within each event. User A might be the manager of Event A, and a participant in Event B.
>
> What I want to accomplish is that when User A requests details of Event A they would receive additional options beyond what they receive when they request details of Event B. There is one additional piece to all of this, which is that all participants in an event are put into 'Teams', which further changes what is displayed on each page.
>
> The way I would describe it is: User, Group, Role (per event), Team (per event), Permission.
>
> I guess my overall question is: Can this be done with the existing TG2 auth (or by extending it), or will I need to do something more involved?
>
> Please ask for any clarification where I haven't been clear.
> Thank you so much for any help.

Although it might not be the easiest thing in the world, you should be able to do what you want within the existing framework. Just tell yourself that "Role" and "Team" are just other types of groups. In your application code, make sure that ALL your predicates are entirely based on permissions.

Then when a new "event" is created, have your code automatically create the appropriate role/team group for that event, and add the appropriate permissions. So if Joe creates a new event, called "TheUltimateEvent", your code might create these groups:

theultimateevent_managers
theultimateevent_members
theultimateevent_volunteers
...etc...

Then when someone gets added to the event, add them to the appropriate group.

You can do the same thing with teams, but I'm assuming that the managers of each event will be managing those, so you'll need to create those groups when the team is created, rather than when the event is created.

You also want to make sure the appropriate permissions are added. This is the "tricky" bit, since you want to have the same users have different permissions for different events. Try making a custom predicate that takes both the permission name and the "general" permission name. So something like:

has_event_permission(event_name, 'edit_event')

which then just takes the two and checks the permissions database for the combination, something like:

theultimateevent_edit_event

I haven't done this kind of thing with repoze.what, so I'm not sure you'll be able to use the decorator syntax, but you should be able to at least use it inside your controllers. I'm also not sure exactly how you want to keep track of which event the user is currently working on... maybe you can get it from the request somehow.

At any rate, you should be able to come up with something that will work. Hope this gives you some ideas.

Kevin Horn
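A stand-alone sketch of the scheme Kevin describes (one group per role created together with the event, permissions named `<event>_<permission>`, and a `has_event_permission` check that combines the two). This is an added example, not code from the thread or from TurboGears/repoze.what; it does not import repoze.what, and the role-to-permission table, `AuthStore`, and every user except Joe are constructed for illustration.

```python
from collections import defaultdict

# Constructed role table: each per-event group gets these "general" permissions,
# which become event-scoped once the event prefix is attached.
EVENT_ROLES = {
    "managers": {"view_event", "edit_event", "manage_teams"},
    "volunteers": {"view_event", "manage_teams"},
    "members": {"view_event"},
}


class AuthStore:
    """Minimal stand-in for the Group/Permission tables an auth backend would query."""

    def __init__(self):
        self.group_permissions = {}          # group name -> set of permission names
        self.user_groups = defaultdict(set)  # user name  -> set of group names

    def create_event(self, event_name, creator):
        """Create the role groups and event-scoped permissions when the event is created."""
        prefix = event_name.lower()
        for role, perms in EVENT_ROLES.items():
            # e.g. group "theultimateevent_managers" holds "theultimateevent_edit_event"
            self.group_permissions[f"{prefix}_{role}"] = {f"{prefix}_{p}" for p in perms}
        # The creator is the event's manager (the question's premise).
        self.add_to_event(creator, event_name, "managers")

    def add_to_event(self, user, event_name, role):
        """Joining an event means joining that event's role group."""
        self.user_groups[user].add(f"{event_name.lower()}_{role}")

    def permissions_for(self, user):
        """Flatten a user's groups into one permission set, as a credentials dict would carry."""
        groups = self.user_groups.get(user, set())
        return set().union(*(self.group_permissions.get(g, set()) for g in groups))


def has_event_permission(store, user, event_name, general_permission):
    """Predicate from the reply: join event and general permission, then look it up.

    Because every decision goes through permissions, the same user can be a
    manager of one event and a plain member of another with no special casing.
    """
    return f"{event_name.lower()}_{general_permission}" in store.permissions_for(user)


if __name__ == "__main__":
    store = AuthStore()
    store.create_event("TheUltimateEvent", "joe")   # Joe manages this one
    store.create_event("EventB", "ann")             # constructed second event
    store.add_to_event("joe", "EventB", "members")  # Joe only participates here
    print(has_event_permission(store, "joe", "TheUltimateEvent", "edit_event"))  # True
    print(has_event_permission(store, "joe", "EventB", "edit_event"))           # False
```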

