Currently web2py's RBAC functionality does not accommodate nested groups.
Any interest in adding this to the standard web2py access control module?
*Example Use-Case*
Suppose we are creating an inventory management application that lets you
view addresses for buildings within your portfolio of buildings. Now a
customer wants to divide their buildings into sub-regions, give permission
to some users over sub-regions, and some users over all the sub-regions.
1. A table named Buildings represents buildings and their addresses.
2. An auth_group entry for the top-level customer ("Wayne Industries"), and
another entry for each of the sub-regions ("Gotham City", "Gotham Suburbs")
3. Users are assigned groups using the auth_membership table. Users who
should have access to all the buildings get put into the "Wayne Industries"
group. Users who should only see a sub-region get put into one of the City
or Suburbs groups.
*Problem*
Suppose we want to show a user a grid of buildings based on what group they
belong to. Users in Gotham City should only see sites that are part of that
sub-region, but users in Wayne Industries should see buildings that are
part of all 3 groups.
In the current setup, we would have to create two auth_permission entry for
each building. One for the Wayne Industries group, and another for either
of the sub-groups so users in the top-level group and the sub-group can see
that building. This is fine if the list of buildings or groups is not
dynamic. But if we are allowing users to add sub-groups and buildings, then
every time a building is created, we need to know that the building should
also be added to the top-level group. Various ways exist but keeping things
in sync become hard.
*The proposed alternative*
1. We assign buildings to sub-regions by creating an auth_permission entry
for the sub-region and the building ({Group: "Gotham City", Table:
"Buildings", Name: "EDIT", Record_ID: <building id>}, etc.)
2. We assign the Wayne Industries group ADMIN permssion over the Gotham
City and Gotham Suburbs group
3. We build a access control tree that allows queries over the nested
groups. We can do this using a library like NetworkX that makes building
and searching a graph/tree structure easier. We also add a parameter to the
auth.accessible_query that decides whether to return only records owned by
groups this user is a member of, or also return records owned by any
(sub)groups the users' current groups have admin permission over. We can
add a cache time property that allows storing this tree in memory to reduce
db hits.
Does this sound like good design/useful feature to add? Much of this has
already been built for our current application but we were looking to do
something more standardized, putting it into web2py would allow us to get
feedback on the implementation and how generalized/fast/secure it is.
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
