On Sat, May 22, 2010 at 2:17 PM, Nitro <ni...@dr-code.org> wrote:
> ZEO already supports authenticated logins. Based on the login I'd like
> people to be able to access some objects and deny access to others.
> First I thought I'd do the access restrictions on the application level.

That's the only sane thing to do.

You want to have higher level abstractions to manage security. Like
giving permissions based on their class, based on their relationship
to others. Usually you'll also want to go from just users to groups or
maybe use external authentication services at some point.

The database level is the wrong abstraction level to do this. In SQL
terms, you are trying to store a full fledged security policy on each
database row. This is going to be prohibitively slow and unmanageable
very soon.

I think you could extend database users and permissions, to manage
access permissions on a full database / storage level. Potentially
introduce read/write permissions on this level. But anything more
fine-grained belongs to the application domain.

For more information about ZODB, see the ZODB Wiki:

ZODB-Dev mailing list  -  ZODB-Dev@zope.org

Reply via email to