Hello,

ZEO already supports authenticated logins. Based on the login I'd like  
people to be able to access some objects and deny access to others.

First I thought I'd do the access restrictions on the application level.  
This doesn't seem to be too easy though, because a user might have access  
to an object, but accessing one of its sub-objects might be disallowed.  
Checking this everywhere seems hard, error-prone and potentially slow.

So I wondered whether it might be possible to integrate this directly into  
ZEO. E.g. by subclassing ZEOStorage and hooking methods like  
loadEx/loadBefore/deleteObject/store. Each object and each user would have  
something like a permission_id attribute. Then one could write something  
like

class AccessRestrictedZEOStorage(ZEOStorage):
     def loadEx(self, oid):
         obj = ZEOStorage.load( self, oid )
         # get user here somehow
         return self.checkAccess( obj, user, 'read' )

     def checkAccess(self, obj, user, access):
         # this check can be more sophisticated, check for  
read/write/delete rights etc
         if user.permission_id < obj.permission_id:
             raise AccessDeniedError()

Is something like this viable? Does it make sense at all or is it still  
better to restrict access on the application level?

-Matthias
_______________________________________________
For more information about ZODB, see the ZODB Wiki:
http://www.zope.org/Wikis/ZODB/

ZODB-Dev mailing list  -  ZODB-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zodb-dev

Reply via email to