ZEO already supports authenticated logins. Based on the login I'd like  
people to be able to access some objects and deny access to others.

First I thought I'd do the access restrictions on the application level.  
This doesn't seem to be too easy though, because a user might have access  
to an object, but accessing one of its sub-objects might be disallowed.  
Checking this everywhere seems hard, error-prone and potentially slow.

So I wondered whether it might be possible to integrate this directly into  
ZEO. E.g. by subclassing ZEOStorage and hooking methods like  
loadEx/loadBefore/deleteObject/store. Each object and each user would have  
something like a permission_id attribute. Then one could write something  

class AccessRestrictedZEOStorage(ZEOStorage):
     def loadEx(self, oid):
         obj = ZEOStorage.load( self, oid )
         # get user here somehow
         return self.checkAccess( obj, user, 'read' )

     def checkAccess(self, obj, user, access):
         # this check can be more sophisticated, check for  
read/write/delete rights etc
         if user.permission_id < obj.permission_id:
             raise AccessDeniedError()

Is something like this viable? Does it make sense at all or is it still  
better to restrict access on the application level?

For more information about ZODB, see the ZODB Wiki:

ZODB-Dev mailing list  -  ZODB-Dev@zope.org

Reply via email to