On Sat, May 22, 2010 at 2:17 PM, Nitro <ni...@dr-code.org> wrote: > ZEO already supports authenticated logins. Based on the login I'd like > people to be able to access some objects and deny access to others. > > First I thought I'd do the access restrictions on the application level.
That's the only sane thing to do. You want to have higher level abstractions to manage security. Like giving permissions based on their class, based on their relationship to others. Usually you'll also want to go from just users to groups or maybe use external authentication services at some point. The database level is the wrong abstraction level to do this. In SQL terms, you are trying to store a full fledged security policy on each database row. This is going to be prohibitively slow and unmanageable very soon. I think you could extend database users and permissions, to manage access permissions on a full database / storage level. Potentially introduce read/write permissions on this level. But anything more fine-grained belongs to the application domain. Hanno _______________________________________________ For more information about ZODB, see the ZODB Wiki: http://www.zope.org/Wikis/ZODB/ ZODB-Dev mailing list - ZODB-Dev@zope.org https://mail.zope.org/mailman/listinfo/zodb-dev