Terry Kerr wrote at 2005-5-31 19:02 +1000:
> ...
> For example, the person who is authenticated to the site (will be
> authenticated via my user folder looking at the credentials in the
> person record in the person table), is only allowed to update records in
> a specific table that they own, as determined by a foreign key link to
> the person record. The only way I can see to implement security is to
> explicitly code in my python form validation script, a check that makes
> sure the person is in fact allowed to edit the record...this in itself
> would require a database query to check the foreign key link against the
> authenticated user id.
>
> My authorization gets more complicated than that though....

If you have complex rules (apparently, you do), then you will need to
implement them somewhere -- each of them...

> ...
> Another approach may be to implement the authorization at the database
> level by using GRANT, REVOKE, rules on tables, functions, views, etc.
> If the Zope database connector could connect as the authenticated user,
> then the rules would apply.

The standard Zope DAs do not directly support this.

In the SQLRelay documentation, I found that Oracle supports user switching
for a connection. If you have such a database (and the user switching
supported by your Python-database bridge), then you can easily extend the
DA to use this feature. As I understand SQLRelay, it does this for you, in
case the database supports it (and "SQLRelay" knows that it does).

If your database system has a cheap "connect", then you can create a new
connection for each request and authenticate the current user. Again
"SQLRelayDA" can show you how to achieve this (if you do not directly use
"SQLRelayDA").

-- 
Dieter
_______________________________________________
Zope-DB mailing list
[email protected]
http://mail.zope.org/mailman/listinfo/zope-db
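The application-level ownership check Terry describes, as an added example that is not from the thread, from Zope or from SQLRelay; it assumes a constructed sqlite schema with a person table and a record table linked by a foreign key, and shows both the separate check query and a single UPDATE that carries the ownership condition in its WHERE clause so the check and the write cannot be separated.

```python
import sqlite3

# Constructed schema and sample rows (assumption, not from the thread):
# a person table and a record table whose owner_id is a foreign key to it.
SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL);
CREATE TABLE record (id INTEGER PRIMARY KEY,
                     owner_id INTEGER NOT NULL REFERENCES person(id),
                     body TEXT NOT NULL);
INSERT INTO person VALUES (1, 'alice'), (2, 'bob');
INSERT INTO record VALUES (10, 1, 'alice record'), (20, 2, 'bob record');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class NotOwner(Exception):
    """Raised when the authenticated user does not own the record."""


def owns_record(conn, user_id, record_id):
    """The extra query Terry mentions: does the foreign key point at this user?"""
    row = conn.execute(
        "SELECT 1 FROM record WHERE id = ? AND owner_id = ?",
        (record_id, user_id),
    ).fetchone()
    return row is not None


def update_owned_record(conn, user_id, record_id, new_body):
    """Update a record only if it belongs to the authenticated user.

    The ownership condition is part of the UPDATE itself rather than a
    separate SELECT followed by an UPDATE, so nothing can change between
    the check and the write, and a missing or foreign row both yield
    rowcount 0 and are refused alike. Parameters are always bound, never
    formatted into the SQL string.
    """
    cur = conn.execute(
        "UPDATE record SET body = ? WHERE id = ? AND owner_id = ?",
        (new_body, record_id, user_id),
    )
    conn.commit()
    if cur.rowcount == 0:
        raise NotOwner(f"user {user_id} may not edit record {record_id}")
    return cur.rowcount


def record_body(conn, record_id):
    row = conn.execute("SELECT body FROM record WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None
```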
