OK, I think I understand auth_permission better now. I was looking at the form at ...appadmin/insert/db/auth_permission, with the following fields:

1. Group Id:
2. Name:
3. Table Name:
4. Record Id:

Looking at the parameters (from your reply) in auth.add_permission(group_id,'update',db.mytable,3), the relationship is clear. For example, I didn't know what "Name:" meant. I now see that's the action.

There's still one thing I don't get. "Table Name:" in the appadmin form is a drop down list and the only tables selectable from the list are auth_user, auth_group, auth_membership, and auth_permission. To me, this implied that it was only possible to set permissions on those four tables. auth.add_permission() above indicates that any table can be named, not just the four in the dropdown list. Should the dropdown be populated with the names of all my tables?

On Mar 22, 5:22 pm, mdipierro <[email protected]> wrote:
> On Mar 22, 3:09 pm, ctalley <[email protected]> wrote:
>
> > 1. There doesn't seem to be any provision for setting password policy
> > (length, character mix) and enforcing it at the time a user
> > registers. As currently implemented, a user can enter anything - or
> > nothing - for a password. Something as simple as IS_NOT_EMPTY and a
> > minimum length would help a lot. Can that be added?
>
> ok. good point although there are nice jquery plugins that accomplish
> that client side.
>
> > 2. The auth_event table logs a lot of stuff ... login, logout,
> > register, create group, update profile, ... It doesn't, however,
> > appear to log failed login events. Can that be added?
>
> ok
>
> > 3. Is there any built-in mechanism for managing (e.g., cap, overwrite)
> > growth of the auth_event table? Or is it simply up to the sys admin
> > to keep track of it so it doesn't get out of control?
>
> no, but you can write a cron to clean it up.
>
> > 4. It's not clear to me what the purpose of the auth_permission table
> > is. Can you explain.
>
> A user is member of groups.
> members of groups have permission.
> A permission is defined by an action (like "create", "select",
> "update", "delete" or user defined) and an optional object to act
> upon. This could be a table name, and a record.
>
> group_id=auth.add_group('my_friends')
> auth.add_membership(group_id,auth.user.id)  # add_membership takes the group id first
> auth.add_permission(group_id,'update',db.mytable,3)
>
> @auth.requires_permission('update',db.mytable,3)
> def f(): return dict()
>
> Now only 'my_friends' can call the function f since they have
> permission to "update" db.mytable record 3.
> read about role based access control on Wikipedia.
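The check described in the reply above, modelled as an added example (not code from the thread or from web2py): a user passes if any group they belong to holds a permission row matching the action, table name and record id. It runs on an in-memory SQLite database with constructed rows; the column names follow the four appadmin form fields, and storing the table name as plain text and treating `record_id = 0` as "every record of that table" are assumptions of this model.

```python
import sqlite3

def make_db():
    """Build an in-memory stand-in for the two auth tables (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE auth_membership (user_id INTEGER, group_id INTEGER);
        CREATE TABLE auth_permission (
            group_id INTEGER, name TEXT, table_name TEXT, record_id INTEGER);
    """)
    # Constructed data: user 10 is in group 1 ('my_friends'), user 20 in group 2.
    db.executemany("INSERT INTO auth_membership VALUES (?, ?)", [(10, 1), (20, 2)])
    db.executemany("INSERT INTO auth_permission VALUES (?, ?, ?, ?)", [
        (1, "update", "mytable", 3),   # group 1 may update mytable record 3 only
        (2, "select", "mytable", 0),   # group 2 may select any mytable record (assumed wildcard)
    ])
    return db

def has_permission(db, user_id, name, table_name, record_id=0):
    """Return True if any group the user belongs to holds a matching permission row.

    No matching row means no access: the check denies by default.
    """
    row = db.execute("""
        SELECT 1 FROM auth_membership m
        JOIN auth_permission p ON p.group_id = m.group_id
        WHERE m.user_id = ? AND p.name = ? AND p.table_name = ?
          AND (p.record_id = ? OR p.record_id = 0)
        LIMIT 1""", (user_id, name, table_name, record_id)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    checks = [(10, "update", "mytable", 3), (10, "update", "mytable", 4),
              (20, "select", "mytable", 7), (20, "update", "mytable", 3),
              (99, "update", "mytable", 3)]
    for args in checks:
        print(args, "->", has_permission(db, *args))
```
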

