Given a set of tables in strict hierarchy, e.g.

organization --> site --> building --> system --> circuit

where --> denotes a one-to-many relationship and each of the first 3 tables
contains an email address field, "f_contact_email", that corresponds to a
registered user, what's the best way to enforce an application-wide rule
that each user can only access records in his or her hierarchy?

The application is a customer support site for a manufacturer of systems
installed in buildings.  The customer needs to be sure that users can see
only their own data, i.e.

organization contacts should be able to see sites, buildings, systems, and
circuits that belong to their organization,

site contacts should see only buildings, systems and circuits at their site,

building contacts should see only the systems and circuits in their
building.


Ideally I'd like to enforce this with an auth.requires() decorator on
controller functions, but I can't tell from the book whether this is
possible.  I've appended a stripped-down set of tables below for clarity.


db.define_table('t_organization',
    Field('f_contact_email_string', type='string',
          label=T('Email')),
    migrate=settings.migrate)

db.define_table('t_site',
    Field('f_contact_email_string', type='string',
          label=T('Email')),
    Field('f_organization', type='reference t_organization', notnull=True,
          label=T('Organization')),
    migrate=settings.migrate)

db.define_table('t_building',
    Field('f_site', type='reference t_site', notnull=True,
          label=T('Site')),
    Field('f_contact_email_string', type='string',
          label=T('Email')),
    migrate=settings.migrate)

db.define_table('t_system',
    Field('f_serial_string', type='string', unique=True,
          label=T('Serial')),
    Field('f_building', type='reference t_building',
          label=T('Building')),
    migrate=settings.migrate)

db.define_table('t_circuit',
    Field('f_number', type='string', notnull=True, unique=True,
          label=T('Number')),
    Field('f_cbsystem', type='reference t_system',
          label=T('System')),
    migrate=settings.migrate)

Thanks,
Mike
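
The access rule described in the post above, as an added example that is not part of the original post: a record is visible to a user only if that user's email is the contact on the record itself or on one of its ancestors. It uses the standard-library sqlite3 module instead of the web2py DAL so that it runs stand-alone; the names `PARENT`, `HAS_CONTACT`, `can_access` and `demo_db` are hypothetical, the sample rows are constructed, and `f_cbsystem` is assumed to point at `t_system`.

```python
import sqlite3

# child table -> (foreign-key column, parent table), following the post's hierarchy
PARENT = {
    "t_circuit": ("f_cbsystem", "t_system"),  # assumption: f_cbsystem references t_system
    "t_system": ("f_building", "t_building"),
    "t_building": ("f_site", "t_site"),
    "t_site": ("f_organization", "t_organization"),
    "t_organization": (None, None),
}
HAS_CONTACT = {"t_organization", "t_site", "t_building"}  # levels with an email field

def can_access(conn, email, table, record_id):
    """True if email is the contact of this record or of any ancestor of it."""
    if table not in PARENT:  # table names are only ever taken from the fixed map
        raise ValueError("unknown table")
    while email and record_id is not None:
        fk, parent = PARENT[table]
        contact_col = "f_contact_email_string" if table in HAS_CONTACT else "NULL"
        row = conn.execute(
            "SELECT %s, %s FROM %s WHERE id = ?" % (contact_col, fk or "NULL", table),
            (record_id,)).fetchone()
        if row is None:
            return False  # missing record: deny
        if row[0] == email:
            return True
        if parent is None:
            return False  # reached the organization without a match
        table, record_id = parent, row[1]
    return False  # empty email or broken parent link: deny

def demo_db():
    """Constructed sample data: one organization, two sites, one building each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE t_organization(id INTEGER PRIMARY KEY, f_contact_email_string TEXT);
        CREATE TABLE t_site(id INTEGER PRIMARY KEY, f_contact_email_string TEXT, f_organization INTEGER);
        CREATE TABLE t_building(id INTEGER PRIMARY KEY, f_contact_email_string TEXT, f_site INTEGER);
        CREATE TABLE t_system(id INTEGER PRIMARY KEY, f_serial_string TEXT, f_building INTEGER);
        CREATE TABLE t_circuit(id INTEGER PRIMARY KEY, f_number TEXT, f_cbsystem INTEGER);
        INSERT INTO t_organization VALUES (1, 'org@example.com');
        INSERT INTO t_site VALUES (1, 'site1@example.com', 1), (2, 'site2@example.com', 1);
        INSERT INTO t_building VALUES (1, 'bldg1@example.com', 1), (2, NULL, 2);
        INSERT INTO t_system VALUES (1, 'SN-1', 1), (2, 'SN-2', 2);
        INSERT INTO t_circuit VALUES (1, 'C-1', 1), (2, 'C-2', 2);
    """)
    return conn
```

The check walks upward only, so a building contact is denied the parent site, and a NULL contact field or an empty email never counts as a match.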
