Hi. I think that I found some inconsistency in the topic.
When you do, say,
auth.add_permission(group_id) - it assumes the permission name 'any', table
name empty and record_id 0.
Which in turn feels like "full admin rights" - any action on any table on
any record.
In fact, that gives no permissions whatsoever.
I've come up with the following patch to make it work for me, but since
that is the very core of RBAC, I'm not sure if that is the right solution or
if I am looking in the correct direction at all.
--- tools.old.py 2010-09-08 08:40:22.266751051 +0400
+++ tools.py 2010-09-08 08:41:25.894746181 +0400
@@ -2420,10 +2420,9 @@
== record_id).select(permission.group_id)
groups_required = set([row.group_id for row in rows])
if record_id:
- rows = self.db(permission.name
- == name)(permission.table_name
- == str(table_name))(permission.record_id
- == 0).select(permission.group_id)
+ rows = self.db(permission.name.belongs((name,'any'))&
+
permission.table_name.belongs((str(table_name),''))&
+
permission.record_id.belongs((record_id,0))).select(permission.group_id)
groups_required = groups_required.union(set([row.group_id
for row in rows]))
if groups.intersection(groups_required):
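Review bot: the three belongs() filters in the added lines wildcard each column independently, so the match is wider than the ('any', '', 0) triple that add_permission(group_id) is described as storing. A row with a specific name but an empty table_name, or with name 'any' on a single table, would now also put its group into groups_required, although the removed lines did not match such rows. Since this decides authorization, existing permission rows of that shape would silently start granting access after the change. If only the all-default triple is meant to act as a global grant, consider matching it as one combined condition (name 'any' and table_name '' and record_id 0) OR'd with the exact match, instead of per-column belongs(). Two smaller points: the new query sits under "if record_id:", so a check made with record_id 0 still goes through the unchanged query above it (only partly visible in this hunk) and may not see 'any' or '' rows; and permission.record_id.belongs((record_id,0)) repeats the "== record_id" lookup already done in that earlier query. The intended wildcard semantics should be documented next to the add_permission defaults.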
Regards
Alexey