Changes between Version 16 and Version 17 of BluePrintAuthenticationAccess


Ignore:
Timestamp:
01/09/09 08:06:23 (16 years ago)
Author:
Fran Boon
Comment:

Reworking

Legend:

Unmodified
Added
Removed
Modified

  • BluePrintAuthenticationAccess

    v16 v17  
    44Authorization provides controlled access to protected resources.
    55
    6 S3 currently uses the default T2 AAA system at a very basic level: {{{t2.logged_in}}}
     6S3 builds on the default T2 AAA system:
    77 * http://trac.sahana3.org/wiki/DeveloperGuidelinesAuthenticationAccess
     8
     9Anonymous access is currently granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated: {{{t2.logged_in}}}
     10* T2 can extend this by protecting resources with {{{t2.have_membership()}}} (functional check) & {{{t2.have_access()}}} (record-level security)
     11* we should probably support this by adding hooks into the [wiki:BluePrintREST RESTlike controller]
     12
     13The system supports Self-Registration, which won't be appropriate for all deployment scenarios.[[BR]]
     14To disable it requires:
     15 * Removing the link from the menu in {{{layout.html}}}
     16 * Disabling the function in controllers/default.py
     17If self-registration is disabled then users maintenance can be done via appadmin until we develop our own UI.[[BR]]
     18This will also be the case for adding extra roles anyway.
     19
     20DRAFT:
    821
    922We use {{{t2_group}}} table for Contact Lists information
     
    1528Membership of roles is controlled via the Many-to-Many table: {{{s3_roleholder}}}
    1629
    17 However this won't be appropriate for all deployment scenarios.[[BR]]
    18  * The main issue is that the current system supports self-registration...can easily diasble that to enforce manual user setup, which /can/ just be via appadmin (low priroity to make a nicer UI)
    19 
    20 We need to extend to Data Security.
    2130
    2231The specification we should be working to implement is in the Wiki:
     
    2534 * Old: http://wiki.sahana.lk/doku.php?id=dev:authorization
    2635(NB The Vol module currently uses a separate method)
    27 
    28 This should (mostly?) be possible using other T2 methods:
    29  * {{{t2.have_membership()}}}
    30  * {{{t2.have_access()}}}
    31 
    32 The equivalent of {{{has_permission(permission_name, view_or_controller)}}} and/or {{{user.has_role(custom_role)}}} methods in Zope
    33 
    34 
    35 This should probably be done by hooking into the [wiki:BluePrintREST RESTlike controller]
    3636
    3737We also want to look at linking the AAA t2_person table with the Person Registry's person table
     
    4949
    5050 * Working with Realms, Users, Groups, and Roles: http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxj.html
     51 * Zope uses: {{{has_permission(permission_name, view_or_controller)}}} and/or {{{user.has_role(custom_role)}}} methods
    5152
    5253----