Permissions are strings like "read", "create", "update", "send email",
"eat chocolate". They do not need anything except that you can check
for permissions when you perform an action.
Permissions apply to a (tablename, record_id). If record_id==0 then
they apply to the entire table, else to a specific record.
This means you can create any permission structure you like. Examples:

    db.define_table('evil_enemy',
        Field('name'),
        Field('alive', 'boolean', default=True, writable=False))
    # execute the following 4 lines only once or via shell:
    secret_agent = auth.add_group('Secret Agent')
    auth.add_permission(secret_agent, 'kill', 'evil_enemy')
    james_bond_id = 7
    auth.add_membership(secret_agent, james_bond_id)

Use them:

    def update():
        enemy_id = request.args(0)
        if auth.has_permission('kill', 'evil_enemy'):
            db.evil_enemy.alive.writable = True
        return dict(form=crud.update(db.evil_enemy, enemy_id))

OR you can give permission to kill a specific evil enemy:

    spectre_agent = 101
    auth.add_permission(secret_agent, 'kill', 'evil_enemy',
                        spectre_agent)

and check it

    def update():
        enemy_id = request.args(0)
        if auth.has_permission('kill', 'evil_enemy', enemy_id):
            db.evil_enemy.alive.writable = True
        return dict(form=crud.update(db.evil_enemy, enemy_id))

web2py Role based access control is the most general access control
that exists. Any other access control mechanism can be implemented on
top of it.
On Jan 17, 12:58 pm, Thadeus Burgess <[email protected]> wrote:
> please explain how we give a user those necessary permissions?
>
> Is it possible to give a user permission to all records in a table,
> but only *some* of the fields?
>
> -Thadeus
>
> On Sun, Jan 17, 2010 at 10:50 AM, mdipierro <[email protected]> wrote:
> > Yes. Look into auth.accessible_query.
>
> > For example:
>
> > db(auth.accessible_query('read', db.mytable)).select(db.mytable.ALL)
>
> > returns all records of mytable that the currently logged-in user has
> > access to.
>
> > This does a nested select, so it is the only auth method that does not
> > work on GAE.
>
> > Massimo
>
> > On Jan 17, 9:09 am, Miguel Lopes <[email protected]> wrote:
> >> I'm wondering how to filter query results based on some sort of user access
> >> rights.
> >> Can this be accomplished with Auth?
>
> >> The basic use case is giving access to all records to all users, and then
> >> have certain users create records that will be only accessible to a limited
> >> number of users. Limited access records could/should be assigned to a
> >> group.
> >> just like in Auth!
>
> >> My problem is that Auth permissions seem designed to give access, and not
> >> to restrict access. That is, in order to access a record you must have either
> >> explicit permission for that record_id or full-blown permission for the
> >> table. This way if one wants to restrict access to 90 records in a 100,000
> >> record table it would be necessary to give access to 99,910 records in that
> >> table. What I'm looking for is just the opposite: give me all the records
> >> except those that are restricted (only accessible by a certain group or
> >> groups).
>
> >> I've just started looking at Auth but what I've seen (Book, AlterEgo, Wiki,
> >> Slices) suggests this can't be done by default. I guess this could be
> >> customized, but I also think it's quite a common use case, so perhaps I'm
> >> missing something?
>
> >> Miguel
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "web2py-users" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/web2py?hl=en.
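
Added example, not part of the original messages and not web2py's own code: a small sqlite3 model of the rule described in the thread (record_id 0 grants the whole table, any other value grants one record) and of the nested select that auth.accessible_query is said to perform. The auth_membership / auth_permission column layout, the helper names and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

def build_db():
    """In-memory tables with constructed sample rows (layout is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE evil_enemy (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE auth_membership (user_id INTEGER, group_id INTEGER);
        CREATE TABLE auth_permission (group_id INTEGER, name TEXT,
                                      table_name TEXT, record_id INTEGER);
        INSERT INTO evil_enemy VALUES (100, 'A'), (101, 'B'), (102, 'C');
        -- group 1: 'kill' on the whole table; group 2: 'kill' on record 101 only
        INSERT INTO auth_permission VALUES (1, 'kill', 'evil_enemy', 0),
                                           (2, 'kill', 'evil_enemy', 101);
        -- user 7 is in group 1, user 8 in group 2, user 9 in no group
        INSERT INTO auth_membership VALUES (7, 1), (8, 2);
    """)
    return db

# record_ids granted to a user's groups for one permission name on one table
GRANTS = """SELECT p.record_id FROM auth_permission p
            JOIN auth_membership m ON m.group_id = p.group_id
            WHERE m.user_id = ? AND p.name = ? AND p.table_name = ?"""

def has_permission(db, user_id, name, table, record_id=0):
    """True if one of the user's groups holds the permission for this record
    or for the whole table (record_id 0)."""
    try:
        wanted = {0, int(record_id or 0)}  # URL arguments arrive as strings
    except (TypeError, ValueError):
        return False                       # non-numeric id: deny
    granted = {row[0] for row in db.execute(GRANTS, (user_id, name, table))}
    return bool(granted & wanted)

def accessible_ids(db, user_id, name):
    """Ids of evil_enemy rows the user holds `name` on: all rows for a
    table-wide grant, otherwise a nested select over per-record grants."""
    if has_permission(db, user_id, name, "evil_enemy"):
        sql, args = "SELECT id FROM evil_enemy ORDER BY id", ()
    else:
        sql = "SELECT id FROM evil_enemy WHERE id IN (%s) ORDER BY id" % GRANTS
        args = (user_id, name, "evil_enemy")
    return [row[0] for row in db.execute(sql, args)]

if __name__ == "__main__":
    db = build_db()
    for user in (7, 8, 9):
        print(user, accessible_ids(db, user, "kill"))
```

A user who holds only a per-record grant fails the table-wide check (record_id 0), which is why the two update() variants in the message behave differently for the same user.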