we could expose a has_membership and has_permission service to
authorized cas_consumers. The problem is that the consumers would have
to call special functions to check the provider. We could always
delegate the local has_membership and has_permission to the service
equivalent functions, but there would be problems with referential
integrity because objects are local and permissions are remote.

Has anybody done this (even if not in web2py)? Is there any
documentation?

massimo

On May 23, 9:45 am, Michele Comitini <[email protected]>
wrote:
> Could CAS server answer to questions such as "is operation bar allowed
> to user foo"?
>
> The list of operations is CAS server dependent, the consumer can ask
> only for those...
>
> mic
>
> 2011/5/23 Massimo Di Pierro <[email protected]>:
>
> > I have been thinking about this but issue is, how should groups be
> > identified? By their name? The consumer app does not have the same
> > auth_group table. What if it has a group with the same name as a group
> > in the provider app?
>
> > Anyway... as it is, CAS (and cas in Auth) has a problem. Any consumer
> > can authenticate with it and therefore it will reveal information
> > about the user (for example the username and email). There are two
> > ways to restrict this: 1) have the provider filter consumers by IP/
> > domain; 2) have the user decide whether to authenticate with the
> > consumer (as in OpenID). I think 1 is more appropriate for CAS and
> > easier to implement.
>
> > On May 23, 7:24 am, Ross Peoples <[email protected]> wrote:
> >> I am not that familiar with CAS, but it might be useful in some cases to
> >> know what groups the user is a member of in the remote web2py installation.
> >> For example, if there is an 'Administrators' group that should have access
> >> to everything, then you wouldn't have to set up groups and permissions for
> >> every single app that uses the remote Auth service.
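
Option 1 from the quoted message (the provider filters consumers by domain), sketched as an added example that is not part of the thread and not web2py's own code. The allowlist contents and the function name `is_allowed_service` are assumptions; the check is applied to the CAS `service` URL before any user data is released.

```python
from urllib.parse import urlsplit

# Constructed allowlist of consumer hosts the provider trusts (assumption).
ALLOWED_CONSUMERS = {"app1.example.com", "intranet.example.com"}


def is_allowed_service(service_url, allowed=ALLOWED_CONSUMERS):
    """Return True only if the CAS `service` URL targets a trusted consumer."""
    try:
        parts = urlsplit(service_url)
        host = parts.hostname      # already lower-cased by urlsplit
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    # Require TLS so the ticket is not sent to the consumer in clear text.
    if parts.scheme != "https" or not host:
        return False
    # Refuse URLs that carry userinfo before the host: the real host is
    # whatever follows the "@", which is easy to misread in logs and reviews.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact host match only: no substring, prefix or suffix comparison.
    return host.rstrip(".") in allowed


def filter_requests(service_urls):
    """Split constructed sample requests into (accepted, rejected) lists."""
    accepted = [u for u in service_urls if is_allowed_service(u)]
    rejected = [u for u in service_urls if not is_allowed_service(u)]
    return accepted, rejected


if __name__ == "__main__":
    samples = [  # constructed sample values
        "https://app1.example.com/app/default/user/login",
        "https://app1.example.com.other.test/cb",
        "http://intranet.example.com/cb",
    ]
    ok, bad = filter_requests(samples)
    print("accepted:", ok)
    print("rejected:", bad)
```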
